IP Allowlist won’t accept more than one IP

Hi @robaxxx,

I hope you are doing well today!

I was able to successfully enter the mentioned IPs to allowlist on Defender.
https://prnt.sc/gEWgr7xBF7Ew

Therefore, I suggest to perform full plugin/theme conflict test.

Please make sure you have recent backups and perform this operation on your dev/staging site if possible.

To learn more about a plugin conflict test, please see this guide below:
https://wpmudev.com/docs/getting-started/getting-support/#conflict-test

Check out this handy flowchart of the troubleshooting process detailed above.
https://wpmudev.com/wp-content/uploads/2015/09/Support-Process-Support-Process.gif

Please let us know the results.

Kind regards,
Zafer

Hi @robaxxx

I hope you are doing well and safe!

We haven’t heard from you in a while, I’ll mark this thread as resolved.

Feel free to let us know if you have any additional questions or problems.

Best Regards
Patrick Freitas

Hi Patrick

I’ve now gone through that many-hours long process and the result is the same. I disabled all plugins except this one and applied the 2023 theme.

The issue happens in the plugin admin UI where these things shouldn’t really matter anyway.

I note that the similar User Agents Block and Allow lists contain multiple entries (as text rather than ip numbers) and saving those does not generate any error.

I also checked from Firefox in case Edge had a problem with your validation checker, but same result.

I’m aware from previous tickets that you won’t look at my system to see for yourself, so… how else can you look at this issue?

Regards
Rob

Hi @robaxxx,

Would it be possible for you to provide a screen recording of the issue? This would assist us in understanding the problem more.

Could you please verify if any error is being logged in the browser console as well?

We look forward to hearing back from you.

Kind Regards,
Nebu John

Yes, there are no console errors, but I’ll make a recording to show everything involved.

Is there a place I can send you the link without posting it here?

Regards
Rob

Hi @robaxxx,

Please email us the link at [email protected] and make sure to use the following template.

– Subject: ATTN: WPMU DEV support – wp.org
– Link to the recording
– Link back to this org thread for reference 

Kind Regards,
Nebu John

HI, I’ve done that all now and sent the video off.

Regards
Rob

Hi @robaxxx

Thanks for the video!

I watched it and I see what’s happening there, although I still can’t replicate this on any of my setups.

I see why it may seem like validation issue but the IPs are fine and I also tried the same ones on my end – with no issues.

I don’t have access to any site powered by IIS to test it to check if this may be server-side issue but it looks to me more like either something stripping/changing the “line-end” characters or an issue with already existing DB data (e.g. due to some unexpected glitch or conflict in the past).

Could you try something more on the test site then?

If you have phpMyAdmin (or similar) DB access that would let you edit DB directly, please

1. go to the “wp_options” table (note: the prefix may be different than default “wp_” on your setup but “options” part of the name will be the same)

2. find the row for “option_name” of “wd_blacklist_lockout_settings”

3. if you check “option_value” and you see some IPs there, see if those IPs are separated by “\n” or by space or some other character. If it’s not “\n” it could possibly explain the issue.

4. simply delete this entire DB record and then

5. go to “Firewall -> IP Banning” on site again and you should see both Block- and Allow- lists empty; try adding IPs there again and saving them.

Let’s see if that works. Note: if you had customized IP Banning messages and/or MaxMind license already entered there – they would be “reset” as well but I think on “testing” site it would be acceptable for now (as you can add them back).

If this works, it would confirm that the issue was due to some malformed data in this DB record (though I’m not able and won’t be able to tell why it was “broken”, I’m afraid) and you can either apply the same treatment to live site or we can look for the way to fix the data manually.

If it doesn’t work, then there may be something additional (maybe some specific server setting) that somehow affects the IPs formatting “during” the process of saving.

Best regards,
Adam

Hi Adam

I’ve sent a second video via the email just now so you can see what I did and found.

That specific row with wd_blacklist_lockout_settings doesn’t exist in the wp_options table.

Have a look and see what you think.

Regards
Rob

I have more details to add here.

I have an instance of WP that is not multisite but is on the same server and in every other way has the same environment.

That instance does have the db row with name wd_blacklist_lockout_settings and it is full of ip addresses and some other settings.

However that instance also does not let me add more than one ip in the Allow list. A minor detail is that this instance does not wipe out the Allow list when it fails to save a second ip. I guess because the table row exists in its db.

That instance also has plenty of ip’s in the blocklist and is adding more by itself as they are blocked.

The multisite instance is has Defender configured exactly the same, but it is not adding any ip’s to the blocklist by itself, presumably because the table does not exist.

So this is sort of two things – I’ll summarise:

The mutisite is missing at least that one row in the db. It also adds no ip’s to the blocklist by itself.

The non-multisite does have that row, but it does not allow more than on ip to be saved in the Allow list. But it does add ip’s to the blocklist by itself.

Also – On the non-multisite I see many other rows in that table with names like wp_defender_config_defaultxxx and similar

The multisite has no rows with those names.

Hi @robaxxx

I made multiple tests here taking into account your first note:
I skipped the auto-setup and then went to the firewall

and I was able to replicate this issue in first place on the multisite installation. Later on I reset settings in Defender, but this time I followed autosetup and added same IP format. In both cases:

• _blacklist_lockout_settings is not created
• that IP trigger same error

I repeated the same steps twice, but this time I used IP format like:
XXX.XXX.XX.XX
and things work correctly.

Later on, I used the format XXX.XXX.XXX.XXX but real IPs, not fake ones and things work correctly, as well.

Taking into account this:
https://wpmudev.com/docs/wpmu-dev-plugins/defender/#ip-banning

If any IP address or range you enter here is in a format that Defender does not recognize, it will not be added to your list and a notice will appear so you can make any necessary?adjustments.

It seems you try to add IP that Defender simply cannot recognize.

Please add some other IP to that list, which will look valid. Adding the first valid IP will trigger _blacklist_lockout_settings to be created. It does not mean, it will, later on, allow adding of those IPs which trigger errors in the first place. This test on your side will confirm that IP banning works well and the only issue is the IP format.

I pinged our Defender Team to get more details on what rules Defender rely when it comes to correct IP format. We will post an update here as soon as more information is available.

Kind Regards,
Kris

Hi Kris

I should point out that none of the ips are fake; they’re just random. But regardless, I’ve tried again now a few times. I reset the plugin. I tried both skipping setup and also not skipping setup. I used ip’s, including my own ip4 and ip6 that I tested at https://www.ip-tracker.org/lookup.php

I then also uninstalled and reinstalled the plugin.

In all cases I was unable to get more than one ip into the field. Same as before.

I checked the options table each time and the related blacklist_lockout row is never created.

One odd thing – If I only insert one ip it successfully saves it. But when I check the db table, that row is still not present. So, I’m left wondering where it is saving the single ip address.

That might be a clue… is it putting the value somewhere else on the multisite.

I recorded everything I did, but it’s long and doesn’t add anything other than what I’ve just described so I haven’t emailed that through. Can do if needed.
Regards
Rob

Hi @robaxxx

I still have no valid data from Defender Team. I have also updated them with those new data from your side. Thank you for your patience while we look into this further.

Kris

Hi Kris

There have been a few releases of Defender since I reported this. I’ve just checked the current release now and it’s still the same.

Do you think it’s still on the to-do list?

Regards
Rob