Multivendor

Me too having problem with WCFM and Wordfence. My vendor cant upload new products. They have been blocked by waf-rule-417. Thank you in advance.

Hi @fsan2val, thank-you for reaching out to us.

Some themes and plugins can cause Javascript conflicts with Wordfence, although based on the description of the issue I think the firewall might be detecting a false-positive due to scripts or communication involved behind the scenes with loading/uploading products.

The first thing I’d try is Learning Mode to see if you can allow the actions being blocked successfully in future.

From the Wordfence Dashboard click on Manage WAF. Then you will see Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode. Now try loading pages that were causing issues, adding products etc. This will help Wordfence learn that these actions are normal and it will allow them going forward. After you have finished performing the actions, switch the WAF from Learning Mode back to Enabled and Protecting. Now test to see if these actions work correctly.

If this doesn’t work, try disabling all plugins except for Wordfence and changing your theme to a default like Twenty Twenty-One. Do you still experience the issue? If not, there is a conflict elsewhere that can be found by re-enabling the plugins and theme one-by-one until the problem reoccurs.

Thanks,

Peter.

Thanks for your answer.

I already tried what you mention to put IN LEARNING MODE and it does not work

I contacted WCFM which plugin I use for this project and it said “Wordfence firewall is blocking admin-ajax.php requests from provider users. Please add exception for this from plugin firewall settings “.

What exception can I use?

Yes! We too are facing the same issue on waytra.com @wfpeter is it safe to whitelist/add to exception admin-ajax.php? Or should the wcfm plugin developer release an update to fix it? Is there an alternate safe/secure method which the plugin developers can implement?

Hi @fsan2val,

Learning Mode should have automatically added the admin-ajax request attempting to be run, but as this doesn’t seem to work it will need adding manually in Wordfence > All Options > Allowlisted URLs.

You will either need WCFM to provide you with the parameters that are passed so that you can allowlist those here, or attempt the request that fails again yourself whilst viewing the “Network” tab of your browser console, which will show the full request being attempted. Here’s what to put in the inputs on the Allowlisted URLs section:

• URL: /wp-admin/admin-ajax.php
• Param Type: Select as appropriate, possibly “POST Body” or “Query String”
• Param Name: example_parameter_being_passed

Thanks,

Peter.

Too bad I love wordfence and thinking about to buy pro for this progect, but I can keep my WAF in learning mode all the time. I will search for alternative. Anyone any sugetion?