• Resolved Ervin Domonkos

    (@arachnoidea)


    Hi there,

    I noticed that in the case of:

    • Having the “XSS: Cross Site Scripting” firewall rule enabled
    • and want to save a post that has a Ghost Kit button block with an SVG icon in it

    The page isn’t getting saved, and it gives us a JSON/Ajax error (403 forbidden) in the console.

    Is there a way we can make the 2 plugins work together well, and keep the XSS rule enabled, too? (as I remember, there wasn’t such an issue a few versions back)

    Thanks,
    Ervin

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @arachnoidea, thanks for your question.

    I don’t have any past cases to draw from with GhostKit, but if you’re getting 403 blocks with operations before turning off the XSS rule, it’s likely that they’re being logged in your Live Traffic.

    Turn the rule back on, try an operation that gets hit with a 403, head over to your Live Traffic page and find the corresponding block(s) there near the top. Clicking that line (or the “eye” icon) to expand it will show the block reason – which I expect to be the XSS rule you’ve mentioned. Sometimes you are presented with an “ADD PARAM TO FIREWALL ALLOWLIST” button here that could solve any problems blocking GhostKit going forward. This button automatically inserts the URL and its required params into the Allowlisted URLs section of the plugin.

    If that doesn’t work, try running the site in Learning Mode and attempting to perform the previously blocked action again. This should teach the firewall the script that’s running is normal and should be allowed in the future. Afterwards, return the firewall to “Enabled and Protecting”.

    Thanks,
    Peter.

    Thread Starter Ervin Domonkos

    (@arachnoidea)

    Hi Peter,

    Thank you for showing me this possibility. I think this feature is really valuable if we have to allowlist URLs in the future without the hassle of finding out manually what parameters to use.

    Unfortunately, the event didn’t show up in the Live Traffic table. In the meantime, our hosting provider told us that they had XSS hardening set up on the server level, so that we were safe to turn it off in WF.

    So the issue seems to be fixed for now. Anyway, I really like this feature of adding rules to the allowlist with a click of a button.

    Thanks,
    Ervin

    Plugin Support wfpeter

    (@wfpeter)

    No worries @arachnoidea, always happy to help and glad you were able to find a combination that works.

    If you have any Wordfence questions in future, by all means start a new topic and we’ll be glad to help out any time!

    Peter.

  • The topic ‘Possible conflict with Ghost Kit’ is closed to new replies.