URGENT: We are getting a Wordfence error on our registration pages

EDIT: Have temporarily enabled learning mode to circumvent the issue.

Hello @biotrace and thanks for reaching out to us!

Learning Mode should fix your issue with the 403s.

From the Wordfence Dashboard click on Manage WAF. Then you will see Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode. Now perform the actions that were causing issues. This will help Wordfence learn that these actions are normal and it will allow them in the future. After you have finished performing the actions, switch the WAF from Learning Mode back to Enabled and Protecting. Now test to see if these actions work correctly.

https://www.wordfence.com/help/firewall/learning-mode/ is an amazing resource for learning more about the WAF and learning mode.

Let me know how it goes!

Thanks!

Hi, thanks for your reply. After performing the actions while in learning mode, I was still getting the issue when switching back to Enabled and Protecting. After reading the resources in the link you provided, I was able to manually white list the action from the live traffic section and that seems to have done the trick.

The error code was “blocked by firewall for WAF-RULE-291”. Is there a reference list of error codes to get more information about the error?

Glad that was able to resolve it!

Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

I would like to investigate this issue a bit further.

Thanks a ton!

No problem – Diagnostic has been sent now. Thanks

I am not sure it went through. Could you try once more for me?

Thanks again for your assistance!

I have just sent through another report. I noticed everything on the diagnostics page was green except for this:

View post on imgur.com

We do have backend IP restriction enabled however that could be causing this.

Still not receiving your diagnostic. Make sure it’s going to wftest @ wordfence . com.

Looks like you are getting a cURL error, which could cause issues with the scanner. The diagnostic would help me see what might be causing that as well.

Worst case scenario, you could “Export” the diagnostic and then email it to that address.

Let me know what you are able to find!

Thanks!

Hi, I have manually sent the diagnostic to the specified email address. Let me know if it comes through.

Unfortunately, I still haven’t got it. I thought maybe it was our email so I sent a few test emails and they are coming through. Not sure what might be going on there.

[email protected]

Let me know if you find anything

Thanks!

Not sure what is going on here sorry Adam. I have definitely sent the diagnostics to wftest @ wordfence . com (without spaces).

I sent the email one last time. Maybe it is being flagged as spam for some reason?

Best regards.

I have checked all of our spam folders as well and haven’t received your email yet. Are you sure your email is working properly on top of the other issues your site is experiencing?

You can send yourself a test email from the Tools > Diagnostic page.

I am still getting other emails for other issues I am working on so I don’t believe the issue to be with our email.

Let me know what you find!

Thanks!

Hi Adam – Our emails are working fine. We are regularly sending and receiving mail from multiple sources every day. Have you got an alternative email address I can send to?

Update on the WAF issue. We have had to enable “Learning Mode” again even after manually whitelisting the actions from the Live Traffic section on the website. Clients are still being blocked on these pages unfortunately.

We have just recently updated our WAF Rule 291 as it was causing some false positives. Head over to All Options > Firewall Options > Advanced Firewall Options > Manually Refresh Rules. Once you do that, this should correct the issue you were having with the random blocks.

Let me know if it helps!

Thanks!

Hi Adam – It has come to our attention that these errors are due to a critical security issue with the Ultimate Member plugin. We have black listed those pages again until we can resolve the issue.

Unfortunately we cannot update Ultimate Member to the latest version because it breaks our website and the developer no longer supports the version we require.

Are you able to point us in the direction of a security specialist / developer that could help us patch our existing plugin?

https://www.wordfence.com/blog/2020/11/critical-privilege-escalation-vulnerabilities-affect-100k-sites-using-ultimate-member-plugin/