Site Scan Error After Enabling Basic Auth

Hi @jkzsjk, glad you reached out!

The error message indicates that Solid Security can’t scan the site because it is not publicly accessible.

Was this site recently moved from a staging site to a live one? Which plugin version are you using, the Solid Security Pro version or the Basic version?

Also, which basic authentication are you using? Can Solid Security scan your site if the basic authentication is disabled?

Looking forward to hearing from you.

Hi @shanedelierrr,

Thanks for the reply.

Was this site recently moved from a staging site to a live one?

No.

Which plugin version are you using, the Solid Security Pro version or the Basic version?

iThemes Security Pro, version 7.1.3 currently.

Also, which basic authentication are you using?

As mentioned, my WordPress is hosted on AWS EKS, behind NGiNX Ingress. The basic authentication is enabled via Ingress object with the following annotations:

nginx.ingress.kubernetes.io/auth-secret: <namespace>/<secret-name>
nginx.ingress.kubernetes.io/auth-secret-type: auth-file
nginx.ingress.kubernetes.io/auth-type: basic

Can Solid Security scan your site if the basic authentication is disabled?

We did try this to check, the answer is no as well. Whenever it fails, we’d notice that the Security dashboard logs would show the following:

• Host: It’s a private IP, beginning with 10 (e.g. 10.0.0.1). Upon further checking, this IP belongs to cluster’s worker node’s IP.
• URL: The URL would be https://10.0.33.21:8443/wp-login.php. This IP belongs to the WordPress deployment pod within the cluster.

Not sure what else we could be missing, looking forward to your next reply. Appreciate the help!

Hi @jkzsjk, thanks for the additional details.

We did try this to check, the answer is no as well.

Can you please confirm if the Site Scan ever had a successful scan on your site before? If so, it started having issues after enabling basic auth, but when you tried removing basic auth it did not help, correct?

Is your site publicly accessible? If so, can you please double-check that the Licensed URL in WP Admin > Settings > SolidWP Licensing is correct? Please try also to re-license the plugin after saving the correct Licensed URL.

If the issue persists, please try to whitelist the Site Scanner’s IP address via NGiNX Ingress to bypass the basic auth.

Please let me know how it goes!

Hi there,

I’m circling back here to check if the previous reply helped resolve the issue. Tracking notifications on this forum can become tricky over time, and since we haven’t received a response, I’ll mark this post resolved.

If you still require further assistance, feel free to open a new support topic, and we’d be happy to assist.

Thank you!

Hi, @shanedelierrr

Sorry for replying late as this item was deprioritised on my end previously.

Can you please confirm if the Site Scan ever had a successful scan on your site before?

Yes.

Can you please confirm if the Site Scan ever had a successful scan on your site before? If so, it started having issues after enabling basic auth, but when you tried removing basic auth it did not help, correct?

Yes & yes, but sometimes (even with Basic Auth still enabled) it might still be successful.

Is your site publicly accessible? If so, can you please double-check that the?Licensed URL?in WP Admin > Settings >?SolidWP Licensing?is correct? Please try also to re-license the plugin after saving the correct Licensed URL.

Yes, publicly accessible but we’re not licensed. We’re using the free iThemes security plugin.

If the issue persists, please try to whitelist the?Site Scanner’s IP address via NGiNX Ingress to bypass the basic auth.

Will consider doing this, thank you! Though It’s worth noting that all successful attempts we’ve had so far, had never needed this whitelisting to be done.

Additionally, here’s more context. Usually when it’s successful (do note that the difference in URL, i.e. url =>), the logs would look like this:

id               => 3674473
module           => site-scanner
type             => critical-issue
code             => vulnerable-software
timestamp        => 2024-08-15 15:09:37
init_timestamp   => 2024-08-15 15:09:36
remote_ip        => 204.246.166.146
user_id          => [empty string]
url              => https://www.<REDACTED>.com/
memory_current   => 8295960
memory_peak      => 8497448
data             => Array
    results   => Array
        url       => https://www.<REDACTED>.com
        version   => 1.0
        entries   => Array
            blacklist         => Array
                0   => Array
                    report_details   => https://transparencyreport.google.com/safe-browsing/search?url=www.<REDACTED>.com
                    status           => clean
                    vendor           => Array
                        slug    => google
                        label   => Google Safe Browsing
            vulnerabilities   => Array
                0    => Array
                    type     => wordpress
                    issues   => Array
                        0   => Array
                            title               => WordPress core < 6.5.5 - Contributor+ Path Traversal (Windows Only) vulnerability
                            description         => Contributor+ Path Traversal (Windows Only)

When it’s failing (10.1.0.1 is a sample of internal IP):

id               => 3674444
module           => site-scanner
type             => warning
code             => scan-failure-client-error
timestamp        => 2024-08-15 03:09:34
init_timestamp   => 2024-08-15 03:09:32
remote_ip        => 10.9.68.67
user_id          => [empty string]
url              => https://10.1.0.1:8443/wp-login.php
memory_current   => 7858472
memory_peak      => 7895080
data             => Array
    results   => Object WP_Error
        errors       => Array
            site_verification_failed.private_host   => Array
                0   => Unable to determine if the scan target is allowed: Scan target is not publicly accessible.
        error_data   => Array
            site_verification_failed.private_host   => Array
                url   => https://10.1.0.1:8443
    cached    => [boolean] false

My next few questions are:

• Am aware that free and paying are able to do site scan, but is paying necessary for specific support to resolve this issue?
• How is the URL get decided or set when scan is triggered? With the same WordPress instance, we would occasionally see it in the form of public URL or internal private IP otherwise.
• Is it correct to assume the site scanning will always be done successfully via public internet? Or it will fail otherwise?

Thanks for reading & looking forward to your further assistance, appreciate it!

Hi @shanedelierrr,

Would appreciate your assistance on the matter, many thanks in advance.

Hi @jkzsjk, sorry for the slow turnaround here!

First, premium support is certainly not necessary to get this resolved, we’re here to help all our users.

Our team reviewed this case and we think that there is something within your server configuration that’s returning the host IP to Solid Security instead of the actual public-facing URLs. So, what’s happening is that the failed scans are running via Cron, and during those scans, Solid Security picks up the host IP because of how it’s resolved on the server and returns an error (which is the expected behavior) because it thinks it’s a private site.

How is the URL get decided or set when scan is triggered? With the same WordPress instance, we would occasionally see it in the form of public URL or internal private IP otherwise.

The scanner will use?get_home_url?to retrieve the URL to scan. You may be experiencing an error if your home URL is set dynamically based on the request URL. When running Cron, often times there is no site URL, and so the IP address of the machine is being provided instead. You’ll need to update your server configuration to ensure?get_home_url?returns valid values in all runtimes.

Is it correct to assume the site scanning will always be done successfully via public internet? Or it will fail otherwise?

Yes, the site scanner is designed to scan publicly accessible sites and not private sites

Moving forward, can you please check into how your site’s URL is being configured on your server? Please also check and let us know how Kubernetes handles DNS resolutions because it could be causing inconsistencies in how URLs are resolved on your site.

Looking forward to your update!

Hi @shanedelierrr,

Thanks again for the feedback and explanation especially, appreciate it!

So, what’s happening is that the failed scans are running via Cron, and during those scans, Solid Security picks up the host IP because of how it’s resolved on the server and returns an error (which is the expected behavior) because it thinks it’s a private site.

Yes, this is exactly what’s happening to me so far. If it’s triggered manually (via WordPress admin’s security dashboard), it would work fine with the public URL but failing with private IP when triggered via Cron.

The scanner will use?get_home_url?to retrieve the URL to scan. You may be experiencing an error if your home URL is set dynamically based on the request URL. When running Cron, often times there is no site URL, and so the IP address of the machine is being provided instead. You’ll need to update your server configuration to ensure?get_home_url?returns valid values in all runtimes.

Would defining WP_HOME & WP_SITEURL beforehand help? I noticed they weren’t defined in my environment so far, so I did it subsequently but the results are still the same. The only other difference it made was it fixed wp itsec site-scanner scan for me. The CLI triggered scan would fail with https://127.0.0.1 as URL prior to this. When Cron site scan happens, when get_home_url is triggered, does it replace/define WP_HOME & WP_SITEURL for me?

Moving forward, can you please check into how your site’s URL is being configured on your server? Please also check and let us know how Kubernetes handles DNS resolutions because it could be causing inconsistencies in how URLs are resolved on your site.

Besides the 2 aforementioned variables, are there any others I should check? In my WordPress General settings page, I could see WordPress Address (URL) & Site Address (URL) are defined correctly with my public facing URL though. Would appreciate it if you could share what other Kubernetes components I should check as well. E.g. pod container’s /etc/hosts file/DNS pods logs or configuration & etc.

Hi @shanedelierrr,

Any updates so far?

Hi @jkzsjk, thanks for waiting!

Can you try proceeding to define ?WP_HOME?&?WP_SITEURL variables, then once done, send a copy of your Site Health Info to us? You may send it to us here and reference this post.

Hi @shanedelierrr,

Apologies for the late response as well, I have already reached out as per instructed.

Looking forward to your/SolidWP’s support, thank you & appreciate it!

Hi @shanedelierrr,

Any updates on the matter so far?

Hi @jkzsjk, I’m truly sorry for the slow turnaround here!

I’ve looked at our internal ticket system and could not find a submission related to this issue. Can you please contact us again along with the necessary information? You can mention both my name and this thread’s link so that it can be passed to our support team.

Thank you.

Hi @jkzsjk, just wanted to reach back out here to see if you had any updates on my previous suggestion.