Problems with whitelisting

  • Jason

    (@galapogos01)


    5 months ago

    Hi team,

    I have installed a third party plugin which allows a system to integrate with WordPress via HTTP POSTs back to a custom endpoint which is hosted by the plugin. Requests are sent by the third party with a blank referrer and user agent and therefore Wordfence is blocking them all.

    I have tried whitelisting the URL in Allowlisted URLs however the requests are still blocked; I think possibly due to the query string not matching, but it’s very hard to debug.

    Can you please advise how to whitelist all requests to a URL regardless of query string or body, or maybe advise some way to trace/diagnose why I can’t whitelist this endpoint? There is a known parameter which is passed in the query string by the client however when I put this in the whitelist it is still blocked.

    Thanks,

    Jason

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @galapogos01, thanks for getting in touch about this.

    Allowlisted URLs require specifics like the POST body, query string parameters, etc. rather than wildcards, so the issue could be linked to the request being different every time it’s sent. Is the reason given in Live Traffic related to the blank referer/UA when observing the red text after expanding the entry by clicking the line itself, or eye icon in the corner?

    If that doesn’t point to a clear reason you can adjust settings for, try out Learning Mode as that might be able to allowlist requests to your custom endpoint: https://www.wordfence.com/help/firewall/learning-mode/

    If nothing there seems to help, we might be able to find a solution or know whether we’re dealing with incompatibility by knowing the plugin involved in changing the endpoint.

    Thanks,
    Peter.

    Thread Starter Jason

    (@galapogos01)

    Thanks Peter,

    The red text on the block message in Live Traffic is blocked for POST received with blank user-agent and referer.

    The 3rd party client is using a specific query string, however when I try putting that in the allowlist rule it does not allow the traffic. Is there a way to test or debug rules to see why they don’t match?

    This is quite a large site and I do not really want to put it in learning mode.

    Thanks,
    Jason

Viewing 2 replies - 1 through 2 (of 2 total)
  • You must be logged in to reply to this topic.