• I am using a plugin “Contest Gallery Pro” and have been for some years but we now have a problem with the upload of a particular image which the author of the plugin suggests is being rejected by WordFence.

    The symptoms are that the image will upload for me with Admin rights but not someone with Subscriber rights. We have tried other browsers. The image is a jpg from a Pixel phone and does not seem corrupted.

    The author of that plugin has sent me the developer tools screen grab suggesting WordFence is blocking it. You can see the screengrab here.

    Can you suggest why this might be?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter bobjgarrett

    (@bobjgarrett)

    To confirm what the other plugin author said I disabled WordFence and was then able to successfully upload the particular image.

    So it appears that WordFence prevents a subscriber uploading an image from a Pixel phone but permits an Admin to do the same.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @bobjgarrett, thanks for describing and showing your issue.

    The reason why an admin may be permitted to upload a file whereas a lower user role isn’t could be down to actions that are seen as malicious. In your case this is likely to be a false-positive as you’re actually expecting your users to upload files. It’s quite common for certain image files to match malicious PHP code patterns such as <? when viewed as text.

    If Wordfence is blocking user uploads, the attempts will be logged in Live Traffic at the time they tried to submit the form. If there is a block, check the red block reason after expanding the entry with the eye icon in the corner. You can filter Live Traffic by “Blocked” so it’s easier to find. You may find a specific firewall rule named after expanding the entry as the reason is shown in red text.

    If the block was caused by a firewall rule and they were trying to upload a filetype your WordPress installation is set to allow, there have been cases when customers needed to disable one related to uploads. There are usually 3 possible rules involved: “Malicious File Upload”, “Malicious File Upload (PHP)”, or “Malicious File Upload (Patterns)”. These rules can be found in Wordfence > All Options > Firewall Options > Advanced Firewall Options > Rules, after expanding the list.

    Make sure turning off one doesn’t cause customers to get caught by another, then just keep the problematic rule turned off.

    Many thanks,
    Peter.
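
An added illustration of the false-positive mechanism described in the reply above (not part of the thread, and not Wordfence's detection logic): this Python script walks a JPEG's segments and reports where the byte pair `<?` occurs, so you can tell whether a hit sits in metadata such as an XMP packet or in the compressed pixel data. The function name, segment labels and sample bytes are constructed for the example.

```python
import struct

# Markers that carry no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
NAMES = {0xE0: "APP0", 0xE1: "APP1", 0xE2: "APP2", 0xFE: "COM", 0xDB: "DQT", 0xC4: "DHT"}

def find_open_tags(data: bytes, needle: bytes = b"<?"):
    """Return (segment, offset, context) for every needle hit in a JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    hits, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        name, end = NAMES.get(marker, f"0x{marker:02X}"), pos + 2 + length
        if marker == 0xDA:            # SOS: compressed pixels run to end of file
            name, end = "scan data", len(data)
        i = data.find(needle, pos + 4, end)   # skip marker and length bytes
        while i != -1:
            hits.append((name, i, data[i:i + 16]))
            i = data.find(needle, i + 1, end)
        if marker == 0xDA:
            break
        pos = end
    return hits

def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample, not a real photo: an XMP packet in APP1 plus scan bytes
# that happen to contain 0x3C 0x3F ("<?").
SAMPLE = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>")
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x3c\x3f\x9a\xff\xd9"
)

if __name__ == "__main__":
    for name, offset, context in find_open_tags(SAMPLE):
        print(f"{name:10} offset {offset:5}  {context!r}")
```

A hit in APP1 followed by `xpacket` is the standard XMP packet wrapper; a hit in scan data is a coincidence of compressed bytes.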

    Thread Starter bobjgarrett

    (@bobjgarrett)

    Thanks for the response. The block was due to Malicious file upload PHP.

    I have tested changing a user from “Subscriber” to “Author” which allows the photo to be loaded. The question then is whether to make all our members “Author” or remove the Malicious File Upload PHP rule.

    Given the pages which allow upload or posting are all ones which require users to be logged in it seems either is possible. Is there any other choice and which might be better in your view?
