• Resolved Mike Clarke

    (@rawthey)


    About 2 months ago I reported a problem about the WAF unexpectedly switching to learning mode. It was suggested that this might have been caused if the wp-content/wflogs/ had been deleted. At the time there were still some files in this directory which predated the switch to learning mode indicating that it had not been deleted. I switched the WAF back to enabled mode and confirmed that things remained stable and the issue was marked as resolved.

    Unfortunately the problem has now returned and the WAF has reverted to learning mode. It’s currently due to automatically revert to enabled mode on 07/25/2017 06:14pm +0100. Assuming the automatic learning mode was switched on for one week then I assume it started on 07/18/2017 06:14pm +0100.

    It may be just coincidence but Wordfence was recently updated to 6.3.14. The files in wp-content/plugins/wordfence are all dated Jul 17 20:11, i.e. shortly before the switch to learning mode. Could this be relevant?

Viewing 10 replies - 1 through 10 (of 10 total)
  • Thread Starter Mike Clarke

    (@rawthey)

    It looks like this could be related to updating Wordfence.

    Wordfence was automatically updated to 6.3.15 yesterday and the WAF is back in learning mode again today.

    Hi Mike,
    Could you please share a list of the files in “/wp-content/wflogs/” directory you have right now?

    Also, please go to (Wordfence > Tools => Diagnostics) and click on “Send Report by Email” button at the top of the page, you can send the report to “alaa [at] wordfence [dot] com”, make sure to include your forum username, I will take a look at this report and let you know my findings.

    Thanks.

    Thread Starter Mike Clarke

    (@rawthey)

    bash-3.2$ ls -l wp-content/wflogs/
    total 228
    -rw-rw---- 1 sedbergh1 83005 40083 Jul 27 21:25 attack-data.php
    -rw-rw---- 1 sedbergh1 83005 8302 Jul 27 21:27 config.php
    -rw-rw---- 1 sedbergh1 83005 51 Jul 27 20:19 ips.php
    -rw-rw-r-- 1 sedbergh1 83005 101240 Jul 18 07:08 rules.php
    -rw-rw---- 1 sedbergh1 83005 44202 Jul 18 07:08 wafRules.rules
    bash-3.2$

    I’ve emailed the diagnostics to you.

    I received the diagnostics report, thanks!

    Just to confirm if it’s something related to the plugin update or not, could you please downgrade Wordfence to the previous version 6.3.14 by going here, selecting “PREVIOUS VERSIONS”, then choose the previous version to download?
    After that try to update the plugin and check what will happen to “wflogs” directory.

    Another thing I’ve noticed while checking the report is that you have a must-use plugin called “Restrict auto update”. I have never heard of this plugin before, but it’s worth trying to disable it and re-checking this issue. Also, do you notice any change in file permissions in the “wflogs” directory before and after the update?

    Thanks.

    Thread Starter Mike Clarke

    (@rawthey)

    OK, I’ve rolled back to 6.3.14. I will wait to see what happens after Wordfence auto updates and get back to you with the results.

    I don’t think the “Restrict auto update” plugin will have had any effect. It just adds a filter based on an example in the codex to prevent one of our installed plugins being auto updated – this was needed because we’ve made some local customisations to that particular plugin.

    I was thinking about doing a manual update to the plugin and seeing what happens to “wflogs”?

    Thanks.

    Thread Starter Mike Clarke

    (@rawthey)

    The previous times this happened there had been a time lag between the upgrade and dropping into learning mode suggesting that it might be happening when a cron job ran after the upgrade so I’d left things to follow their own courses.

    Wordfence has upgraded itself and the WAF is still fully enabled so I’ll leave things as they are until tomorrow and see what happens overnight.

    Thread Starter Mike Clarke

    (@rawthey)

    This time the WAF survived the upgrade without reverting to learning mode.

    I’ve got a feeling that the previous instances of switching to learning mode might have been dependent on timing relative to the daily wordfence_daily_cron run. I’ll have another attempt and try to time things so that the cron job “sees” the change in version. This might take two or three days but I’ll get back to you when I have more info.

    Thread Starter Mike Clarke

    (@rawthey)

    Well it’s run for a few days now and survived two upgrades without dropping into learning mode. Looks like Sod’s law applies and things won’t go wrong when you want them to.

    If the problem arises again I should be able to produce “before” and “after” copies of the contents of wflogs because I’ve set up a cron job to retain periodic backups of it.

    It would be useful if I could make the cron job check to see if learning mode had been activated. Is there some value I could check in a config file or the database?

    I’m afraid there is no constant for this value, but you can check the config value “wafStatus” in (/wp-content/wflogs/config.php) and if you want to take a look at the code snippet checking for this value, it’s in “wordfence/lib/menu_firewall_waf.php” around line 104.

    Thanks.
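
One way to script the check discussed above from a cron job, as an added example that is not code from this thread or from Wordfence. It assumes that wp-content/wflogs/config.php stores its settings as PHP-serialized data (so the key appears as `s:9:"wafStatus";s:<len>:"<value>";`) and that the value is `enabled` in normal operation; the function names and the snapshot directory layout are hypothetical.

```shell
#!/bin/sh
# Added example: cron-friendly check of the "wafStatus" value in wflogs/config.php.
# ASSUMPTION: config.php holds PHP-serialized settings, e.g. (constructed sample)
#   a:1:{s:9:"wafStatus";s:13:"learning-mode";}
# ASSUMPTION: the value is "enabled" when the firewall is fully active.

# Print the wafStatus value found in the file given as $1 (nothing if absent).
waf_status() {
    # -a: serialized data may contain bytes that make grep treat the file as binary
    grep -a -o 's:9:"wafStatus";s:[0-9]*:"[^"]*"' "$1" 2>/dev/null |
        tail -n 1 |
        sed 's/.*:"\([^"]*\)"$/\1/'
}

# Exit status: 0 = enabled, 1 = any other status, 2 = file or key not found.
check_waf() {
    st=$(waf_status "$1")
    if [ -z "$st" ]; then
        echo "WAF status unknown: wafStatus not found in $1" >&2
        return 2
    fi
    if [ "$st" != "enabled" ]; then
        echo "WAF status is '$st' (expected 'enabled') in $1" >&2
        return 1
    fi
    return 0
}

# Copy the wflogs directory ($1) into a timestamped folder under $2, keeping
# modes and mtimes so "before" and "after" states can be compared later.
snapshot_wflogs() {
    dest="$2/wflogs-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$2" && cp -Rp "$1" "$dest" && echo "$dest"
}

# When called with arguments (e.g. from cron): check, and snapshot on any change.
#   $1 = path to the wflogs directory, $2 = directory that receives snapshots
if [ "$#" -ge 2 ]; then
    check_waf "$1/config.php" || snapshot_wflogs "$1" "$2"
fi
```

Cron mails anything written to stderr, so the status message reaches the site owner only when the value is missing or is something other than `enabled`.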

  • The topic ‘Firewall unexpectedly switched to learning mode – again’ is closed to new replies.