• Resolved StanLight

    (@stanlight)


    I appreciate that there’s the option to block visitors trying to access certain files. And Wordfence provides this instruction in the “Immediately block IPs that access these URLs”:

    All URLs must start with a “/” without quotes and must be relative

    That starting with a “/” is the problem because there’s an easy way around it – bots scanning for vulnerabilities try accessing via the IP instead. So for example instead of trying https://mysite.com/pma/ they try for https://123.123.123.123/pma/

    They also try for
    https://123.123.123.123/phpmyadmin/
    https://123.123.123.123/mysql/
    etc.

    Bad guys probing for vulnerabilities come from multiple IPs, so I can’t ban by IP. I need the ability to block these bots the moment they try for a URL like the above examples… but there is no such option in Wordfence.

    While I’ve got /pma/ and /mysql/ type blocks in “Immediately block IPs that access these URLs”, those don’t work against bots trying the same folders via the IP (as in the examples above).

    Is this feature going to be added and/or is there an alternate way to deal with these probes and block the IP of whoever tries to access these files/folders?

Viewing 15 replies - 1 through 15 (of 24 total)
  • Anonymous User 9948090

    (@anonymized-9948090)

    Also there is one more issue!

    If we add a URL to banned URLs list, Wordfence matches the string from the beginning. For example, if we added /pma* to the banned URL list and someone tries to access “https://www.website.com/pma/whatever” URL, he’ll get banned. But if a user tries to access “https://www.website.com/blog/pma/whatever” URL, he’ll not get banned.

    Wordfence should be able to detect the banned term in the full URL and not just at the beginning. Or provide an option to turn on/off the ability to detect the banned term anywhere in the URL.

    Stan, thanks for that. Quite a drag, let’s hope Wordfence does something about it, soon. It makes the block URLs feature rather idiotic, and makes me an idiot for all the time I spend configuring it. Only plus is I’m glad to find another reason not to pay for Premium. MTN

    Hi @stanlight,

    What I can suggest here is that you configure your web server to not respond to IP-based requests.

    ——————–

    @yet-another-wp-user,

    Please try adding a “*” at the beginning of the banned URL. That should work in most cases.

    Anonymous User 9948090

    (@anonymized-9948090)

    ^^ You mean:

    */pma/*

    OR

    /*/pma/*

    Thread Starter StanLight

    (@stanlight)

    @wfyann, that’s a clever solution but it blocks ALL access via the IP. Isn’t the point of the Wordfence blocks to be selective and block only certain files / folders? So are you saying that Wordfence won’t take my suggestion on board and give us the option to block these bots within Wordfence?

    ^^ You mean:

    */pma/*

    Exactly! If you need to start with a slash you can’t exactly start with an asterisk!

    Anonymous User 9948090

    (@anonymized-9948090)

    ^^ But the Wordfence description says that all banned URLs must start with /

    Hi @stanlight,

    We haven’t had this request before so we’d be interested in finding out more. Can you please elaborate on why your site needs to be accessible via IP-address?

    *********************************

    @yet-another-wp-user,

    We say that URLs must start with a “/” to clarify that they can’t start with a domain name. WordPress permalinks all start with a “/”. Happy to hear adding the “*” before the URL worked for you!

    Anonymous User 9948090

    (@anonymized-9948090)

    Let me clarify something. For example, I want to immediately block an IP address accessing a URL containing the word “wp-admin” in it. But the URL should not start with “wp-admin”.

    For example, Wordfence should block the following URL:

    website.com/blog/wp-admin/whatever

    But should not block:

    website.com/wp-admin/whatever

    So what should I enter into banned URLs list?

    /*/wp-admin/*

    OR

    */wp-admin/*

    Thread Starter StanLight

    (@stanlight)

    @wfyann, I didn’t say my site needs to be accessed by IP.

    I demonstrated to you how hackers and vulnerability testers are bypassing the Wordfence blocks by probing for URLs using the IP rather than the domain name.

    You really should read my original post, I took great care to make the issue crystal clear!

    Happy to hear adding the “*” before the URL worked for you!

    Did it? I don’t recall @yet-another-wp-user saying that it did. Are you saying that these ban URLs don’t need to start with a slash and can actually start with an asterisk instead?

    Hey everyone, I tested this issue on my server setup. My Wordfence URL blocks function fine either way. In Wordfence blocked URLs I have this: /test-block.html

    Access using either of the following results in Wordfence blocking:
    xx.xxx.xxx.xxx/test-block.html
    https://www.website.com/test-block.html

    Took all of 3 minutes to test this, using my VPN so I didn’t have to hassle with blocking myself.

    I’d imagine this depends on server setup. In my case I can access my site using just my site IP, but again, the Wordfence URL blocking works fine either way.

    Thread Starter StanLight

    (@stanlight)

    I’d imagine this depends on server setup.

    Possibly. On my Linux/Apache VPS bots are able to bypass the blocks by asking for pages via the IP. When they ask for “xx.xxx.xxx.xxx/test-block.html” they don’t get blocked by Wordfence.

    Yeah, my server is LAMP and the blocking works… sounds like this is something Wordfence should add to their diagnostics! Otherwise the URL blocking is rather pointless unless each and every person tests their own… MTN

    Hi everyone!
    As yann explained, you can use a * in front of the URL to block the same path for several domains. If you have a Multisite WordPress you’ll have multiple domains with only one WordPress installation, and it works perfectly for that use case.

    Why do we say a URL has to start with a /? We do that to emphasize that URLs cannot start with http or www or the domain name. Even when adding a * at the beginning, the URL actually does start with a /. How is that? Well, a * is not technically part of the URL itself; it’s an expression that is evaluated.

    Thanks for helping us test mountainguy!

    yet-another-wp-user if you want to block website.com/blog/wp-admin/whatever but not website.com/wp-admin/whatever you should use */blog/wp-admin/*

    stanlight have you tried putting a * in front of the path you want to block to see if it then gets blocked when the site is accessed via the IP?

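As an added example (not code from this thread or from Wordfence itself), the following emulates the banned-URL matching discussed above so the cases in this thread can be checked offline. It assumes that a pattern is compared against the request path only (so the host, whether domain or IP, is irrelevant) and that “*” matches any run of characters, including “/” and the empty string; the sample URLs are constructed.

```python
"""Emulate 'Immediately block IPs that access these URLs' pattern matching.

Assumptions (not taken from the thread or the plugin): the pattern is matched
against the request path only, '*' matches any run of characters (including '/'
and the empty string), and the match must cover the whole path.
"""
import re
from urllib.parse import urlsplit


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a banned-URL pattern into an anchored regex; each '*' becomes '.*'."""
    escaped = re.escape(pattern)          # protect '.', '?', etc. in the pattern
    return re.compile("^" + escaped.replace(r"\*", ".*") + "$")


def request_path(url: str) -> str:
    """Return only the path of a URL; the host (domain name or IP) is dropped."""
    if "://" not in url:                  # allow 'host/path' without a scheme
        url = "http://" + url
    return urlsplit(url).path or "/"


def is_blocked(url: str, patterns) -> bool:
    """True if the request path matches any configured banned-URL pattern."""
    path = request_path(url)
    return any(pattern_to_regex(p).match(path) for p in patterns)


if __name__ == "__main__":
    # Constructed probes and patterns mirroring the thread's examples.
    cases = [
        ("https://mysite.com/pma/", ["/pma*"]),
        ("https://123.123.123.123/pma/", ["/pma*"]),          # same path, IP host
        ("https://www.website.com/blog/pma/whatever", ["/pma*"]),
        ("https://www.website.com/blog/pma/whatever", ["*/pma/*"]),
        ("https://website.com/blog/wp-admin/whatever", ["*/blog/wp-admin/*"]),
        ("https://website.com/wp-admin/whatever", ["*/blog/wp-admin/*"]),
        # Under these semantics '*' may match nothing, so this one IS blocked.
        ("https://website.com/wp-admin/whatever", ["*/wp-admin/*"]),
    ]
    for url, patterns in cases:
        print(f"{url!s:48} {patterns!s:24} blocked={is_blocked(url, patterns)}")
```

The last case shows why a leading “*” alone cannot express “some word before /wp-admin/”: with an empty match allowed, the pattern also covers the bare /wp-admin/ path.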
    Thread Starter StanLight

    (@stanlight)

    stanlight have you tried putting a * in front of the path you want to block to see if it then gets blocked when the site is accessed via the IP?

    No, but if @wfyann had suggested that when replying to my original post, instead of telling me to “configure your web server to not respond to IP-based requests”, I would have tried it.

    Why do we say a URL has to start with a /? We do that to emphasize that URLs can not start with http or www or the domain name.

    May I suggest that if you mean “x” then say “x”, not “y”. If a block URL needs to start with a “/” or a “*” then say:

    the URL needs to start with a / or a *

    and not

    the URL needs to start with a /

    Or say:

    URLs can not start with http or www or the domain name

    Anonymous User 9948090

    (@anonymized-9948090)

    @wfasa
    What if I want to block all URLs which contain some word before the /wp-admin/ phrase?

    What I mean is that I don’t want to block IPs accessing “website.com/wp-admin/” but I want to block all IPs accessing “website.com/someword/wp-admin/”

    What should I put in banned URL?

  • The topic ‘Frustrating restrictions in Wordfence when it comes to blocking options’ is closed to new replies.