Wordfence conflict with Kallyas theme

Hello bhSLC,
the recent versions of Wordfence includes a new feature called “Web Application Firewall” (WAF). The WAF does not know what you have been doing on your site before it was enabled, therefore it needs to learn that before it can do accurate blocking.

The WAF is only a piece of Wordfence and Wordfence will still be protecting your site while you keep WAF in learning mode. It just wont be doing so as effectively as possible. We recommend that you keep WAF in “Learning mode” for about a week before you set it to “Enabled and Protecting”. During this week you should keep using your site as you do normally, adding, editing posts, images etc. While doing this you can monitor WAFs progress in learning your behavior. At the bottom of the “Firewall” page there is a list called “Whitelisted URLs” that will show the URLs you are teaching it to allow that it would otherwise have blocked.

I’m setting it to learning mode, but this new WAF feature is causing all sorts of problems. Interfering with the Newspaper theme by tagDiv and WPeMatico when both try to access admin-ajax.php.

At this point, this WAF feature is too aggressive! Learning mode shouldn’t be needed, especially for existing plugin users who upgraded and didn’t get proper notices of what was going on. I can’t verify that WAF went into learning mode after the update because there were no notices about it.

We’ll see if this fixes it, though. Just adding in the additional compatibility issues on the relevant thread.

Oh no… I was just going to install both on a new site. I love both, Kallyas for its design and WF for its essential security features, which I would never want to miss on any WP installation… @btreece84: Could you be so kind as to elaborate your experiences? Can you still use both as you want to?

Thanks

@online-marketing Sure. But it’s limited because I just set WAF to learning mode when I last posted here. That fixed the issue for now, but we’ll see how well it actually “learns” about my theme’s settings panel.

In my particular case, I should note that I’ve used this theme on this site for over 2 years and rarely have a need to make changes to it. I was just updating an ad code (ad management built into the theme) when I tried to save, which uses admin-ajax, and it never saved. When the WAF was added to Wordfence, I wasn’t using my theme options at all, so there were no actions for it to learn from.

Also, the WPeMatico thing was a coincidence actually caused by ACF Pro loading a very old version of jQuery. I’d edit my original post here to remove that but I can’t edit it any longer.

I’ll leave learning mode enabled for the next week or so and then check the exceptions list in WAF and test things out. The WAF doesn’t look like a killer yet, so I would try it out as the author specified, with learning mode enabled for a bit, and see how it works out for you.

Blanket whitelist of your own IP is standard operating procedure with Wordfence, IMHO. It’s just like your webserver, for example my company has 40 different IP addresses whitelisted in their server firewall so they don’t block themselves when they need to get in there.

This “Learning Mode” thingus is comfusing (sic) as all getout. I couldn’t run WAF, then my server company fixed it, and it was running immediately without ever running learning mode in all but one case. I have no idea if I’m supposed to drop it back to learning mode, or just continue through the valley of bots like no upgrades ever happened.

In any case, to stay on subject, IMHO there isn’t anything wrong with whitelisting your own IP (unless it’s dynamic, then, shucks…).

P.S., Apologies if this is an ignorant post and there is indeed some reason to let Wordfence apply rules to your own website IP.

MTN

Well it seems like I would have to post this thread to Kallyas comment section… perhaps they should have a look at it as well…

Hey guys,

Marius here, co-dev of Kallyas theme.

First of all WordFence is a fantastic plugin and by all means it’s highly, highly recommended to be used.

Now, indeed due to Kallyas’s built-in page builder which is loading into the frontend, in combination with some of WordFence’s features (previously mentioned “Learning mode”), there are some issues when publishing the page, not actually publishing.

The workaround as mentioned in the OP’s post is to whitelist your IP. There might be a compromise here to continuously check for your IP, however for security purposes, it may very well worth the efforts.

Thanks for checking in mhogas! I’ll just add a note on the compromise. If you whitelist your own IP you will not be protected against javascript/XSS attacks via links that lead to your site and that you click yourself. So as long as you stay vigilant and do not click any unknown links in emails or other messages whitelisting your own IP should be fine.

Wfsa, just to be clear, what do you mean by “whitelisting your own IP?” Do you mean simply adding it options/Whitelisted IP addresses that bypass all rules ?

I thought keeping my own static IP address from office computer in there was SOP for doing admin on WordPress/Wordfence? But not a good idea?

Thanks, MTN

Hello mountainguy2,
yes I mean adding it in options to bypass all rules. I have never done it on any of my sites and it’s not something that should be necessary. However, what settings each individual site may need depends on what traffic it has and how it is used by admins, editors etc. In certain situations it might be necessary. If someone feels they need to do this it should be fine as long as they are aware that they are then no longer protected against exploits they may be triggering themselves.

Ok, thanks, this is incredibly useful information. As a security noob I had no idea that Wordfence was protecting me against myself, and that I was bypassing that by whitelisting my IP. I’ll turn that off immediately except for testing. MTN