• Resolved benspr

    (@benspr)


    Hey-

    Last week I got an email from Wordfence with my home IP address listed as the source of two “Recently Blocked Attacks,” the details of which include the following:

    Blocked for XSS: Cross Site Scripting in POST body: autoptimize_imgopt_settings=.home-link,.wp-image-27227,sprlogogood.png,data:image/png

    Those settings are exactly the images I’m asking autoptimize not to lazy load, and my IP shows up twice. I was logged in at the time of the “attacks.”

    Please advise, thanks!

    • This topic was modified 5 years, 6 months ago by benspr.


Viewing 7 replies - 1 through 7 (of 7 total)
  • Hi @benspr,

    I took a look at your site and noticed that the images were still being lazy-loaded.

    Example: https://i.imgur.com/tQz8TMG.png

    Can you share what settings you have put for Autoptimize?

    Can you also refresh the page and let me know if you’re still getting blocked by the firewall? (You can also check Wordfence -> Tools -> Live Traffic to see if that POST request is still being sent)

    Dave

    Thread Starter benspr

    (@benspr)

    So, the funny thing is I never was “blocked” by the firewall—at least not that I could tell—just that I got that security alert. I had been editing the Autoptimize settings that day.

    Here are my current Autoptimize settings: https://i.imgur.com/iXLjTTN.png

    I just now tried editing/saving those settings from my home and don’t see any similar alerts. My Wordfence is set to log security traffic only and also to not log signed-in users with publishing access.

    Long-shot, here: is it possible my login cookie expired or something and my browser tried to load an admin page for which I was no longer logged in?

    Hi again,

    So what’s happening is that the XSS filter caught the input string .home-link,.wp-image-27227,sprlogogood.png,data:image/png.

    Note that you may not have been blocked, but I don’t think your Autoptimize settings were saved properly as a result of Wordfence.

    I would recommend whitelisting Autoptimize by doing these steps:

    1. Go to Wordfence -> All Options
    2. Scroll down until you find Whitelisted URLs
    3. Put / for the URL
    4. Select Param Type: POST Body for the dropdown
    5. Put autoptimize_imgopt_settings for the Param Name
    6. Click Add, and then Save Changes

    Dave
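    The whitelist entry Dave describes above is scoped to one URL, one parameter type and one parameter name, so the rest of the firewall keeps working. The following is an added example, not Wordfence code and not part of this thread: a constructed, simplified model of a request filter with an XSS signature that matches `data:` URIs, plus exemptions keyed exactly the way the steps above are keyed. It assumes a request path of `/wp-admin/options.php` (a constructed sample) and treats the exemption URL `/` as a path prefix; the pattern list and the prefix semantics are assumptions of the model, not Wordfence’s real rules.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, simplified XSS signatures (not Wordfence's rule set).
# The last one is what catches a lazy-load exclusion such as "data:image/png".
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),          # opening <script tag
    re.compile(r"\bon\w+\s*=", re.I),         # inline event handler, e.g. onerror=
    re.compile(r"javascript\s*:", re.I),      # javascript: URI scheme
    re.compile(r"data\s*:\s*[\w/+.-]+", re.I),  # data: URI scheme
]


@dataclass(frozen=True)
class Exemption:
    """One 'Whitelisted URLs' row: URL + Param Type + Param Name."""
    url: str          # assumed to be a path prefix; "/" matches every path
    param_type: str   # e.g. "POST Body"
    param_name: str


def find_xss_match(value: str) -> Optional[str]:
    """Return the first signature fragment found in value, or None."""
    for pattern in XSS_PATTERNS:
        match = pattern.search(value)
        if match:
            return match.group(0)
    return None


def inspect_request(path: str, post_body: Dict[str, str],
                    exemptions: List[Exemption]) -> List[Tuple[str, str, str]]:
    """Scan each POST parameter; report (param, fragment, action) per hit.

    A hit is allowed only when an exemption matches this path prefix,
    the 'POST Body' parameter type and this exact parameter name.
    """
    findings = []
    for name, value in post_body.items():
        fragment = find_xss_match(value)
        if fragment is None:
            continue
        exempt = any(
            path.startswith(e.url) and e.param_type == "POST Body" and e.param_name == name
            for e in exemptions
        )
        findings.append((name, fragment, "allowed (whitelisted)" if exempt else "blocked"))
    return findings


# Constructed sample: the exact setting value reported in the thread.
AO_VALUE = ".home-link,.wp-image-27227,sprlogogood.png,data:image/png"
SETTINGS_POST = {"autoptimize_imgopt_settings": AO_VALUE}
# The whitelist row from the steps above.
AO_EXEMPTION = Exemption(url="/", param_type="POST Body",
                         param_name="autoptimize_imgopt_settings")


if __name__ == "__main__":
    path = "/wp-admin/options.php"  # constructed request path
    print("before whitelisting:", inspect_request(path, SETTINGS_POST, []))
    print("after whitelisting: ", inspect_request(path, SETTINGS_POST, [AO_EXEMPTION]))
    # Same string in a different parameter is still caught: the exemption is narrow.
    print("other parameter:    ",
          inspect_request(path, {"comment": AO_VALUE}, [AO_EXEMPTION]))
```

    Running it shows the setting save being flagged on the `data:image/png` fragment, passing once the single exemption exists, and the same string still being blocked when it arrives in any other parameter, which is why a per-parameter whitelist row is preferable to disabling the XSS rule.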

    Any reason why that string gets flagged as XSS in the first place Dave?

    Thread Starter benspr

    (@benspr)

    Thanks, Dave. I made the addition to Whitelisted URLs that you suggested.

    Hi again,

    @optimizingmatters: I believe it’s caught because of this string data:image/png. Though this wouldn’t be a risk in the first place anyways.

    @benspr: Great to hear! Let me know if you still see the same errors popping up.

    Dave

    I believe it’s caught because of this string data:image/png. Though this wouldn’t be a risk in the first place anyways.

    In that case could you take it up with WF devs to ensure similar strings in the lazyload exclusions aren’t affected as well, @wfdave?

  • The topic ‘Conflict with Autoptimize?’ is closed to new replies.