• Resolved heretiq

    (@heretiq)


    Hello,

    We are using Wordfence on all of our client sites. However, these sites have some vulnerabilities due to the following issues between Wordfence and Pantheon hosting: https://pantheon.io/docs/modules-plugins-known-issues/#wordfence

    Issue #1: Enabling the Live Traffic tracking feature within Wordfence sends cookies which conflict with platform-level page caching.

    Solution: Disable Wordfence-generated cookies by disabling Live Traffic within the Wordfence options page. See the WordPress support forum for details.

    Issue #2: The Wordfence firewall expects specific write access to wp-content/wflogs during activation. Adding a symlink does not mitigate this, so using the Wordfence firewall is not supported on the platform. This has been reported as an issue within the plugin support forum.

    Issue #3: The Wordfence firewall installs a file called .user.ini that includes wordfence-waf.php from the absolute path which uses the application container’s ID. These paths will change from time to time due to routine platform maintenance. When a container is migrated and when this plugin is deployed to another environment the absolute path is no longer valid resulting in a WSOD. This has been reported as an issue within the plugin support forum.

    We are prepared to upgrade these sites to Wordfence Premium, but cannot do so without addressing these issues. Can you please advise on the status of fixes for these serious issues?

    Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • wfasa

    (@wfasa)

    Hi @heretiq,

    Thanks for the inquiry.

    1. I’m not sure if this is an issue still since we don’t use cookies on the front end anymore. We removed those ahead of GDPR.

    2. We’re working on an alternative solution for this. I can’t give you an exact date but it should be available in the not too distant future.

    3. I’m not sure it’s possible for us to fix this as it’s not possible to use relative paths in that context. However, you can remove the Wordfence Firewall optimization before you migrate a site or exclude .user.ini from migration routines.
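
A pre-deploy check for the situation in Issue #3 and the workaround in the reply above, as an added example that is not part of the thread and not Wordfence or Pantheon code: it reads `.user.ini`, extracts PHP's `auto_prepend_file` directive, and reports whether the absolute path still resolves. The directory names and the `.user.ini` contents in `demo()` are constructed for illustration.

```python
import os
import re
import tempfile

# auto_prepend_file directive in a PHP .user.ini; the value may be quoted.
DIRECTIVE = re.compile(r"""^\s*auto_prepend_file\s*=\s*(['"]?)(.*?)\1\s*(?:;.*)?$""")


def prepend_target(ini_text):
    """Return the last auto_prepend_file value in ini_text, or None if unset."""
    target = None
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):  # ini comment line
            continue
        match = DIRECTIVE.match(line)
        if match:
            target = match.group(2).strip()
    return target or None


def check_user_ini(ini_path):
    """Classify a .user.ini as 'absent', 'no-prepend', 'ok' or 'stale'."""
    if not os.path.isfile(ini_path):
        return "absent"
    with open(ini_path, encoding="utf-8", errors="replace") as fh:
        target = prepend_target(fh.read())
    if target is None:
        return "no-prepend"
    # A prepend file PHP cannot open fails every request: the WSOD in Issue #3.
    return "ok" if os.path.isfile(target) else "stale"


def demo():
    """Constructed scenario: the container directory changes after setup."""
    with tempfile.TemporaryDirectory() as tmp:
        code = os.path.join(tmp, "container-old", "code")  # constructed path
        os.makedirs(code)
        waf = os.path.join(code, "wordfence-waf.php")
        open(waf, "w").close()
        ini = os.path.join(code, ".user.ini")
        with open(ini, "w", encoding="utf-8") as fh:  # constructed contents
            fh.write("; sample\nauto_prepend_file = '%s'\n" % waf)
        before = check_user_ini(ini)
        # Simulated migration: same files, new absolute path.
        os.rename(os.path.join(tmp, "container-old"), os.path.join(tmp, "container-new"))
        after = check_user_ini(os.path.join(tmp, "container-new", "code", ".user.ini"))
        return before, after


if __name__ == "__main__":
    print(demo())
```

Run as a deploy or health-check step, a `stale` result means `.user.ini` should be removed or regenerated before PHP serves traffic from that environment.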

    Thread Starter heretiq

    (@heretiq)

    Thanks for the follow-up wfasa.

    Regarding #1, I enabled the Live Traffic attacking feature on a test server but see no way to determine if it is working. How can I test the Live Traffic attacking feature to see if it is working?

    For #3, the migrations are not user controlled — they are performed automatically by Pantheon – the hosting provider – as a part of their Docker-based platform management routine.

    I’m glad to hear that Wordfence are working on a solution for the Firewall issue – #2 – but solutions are necessary for all three issues if Wordfence is to be viable with Pantheon-hosted sites.

    Thanks.

    wfasa

    (@wfasa)

    Hi again!

    Live Traffic is just a log essentially; it shows whatever is going on on the site at any specific point in time, including blocks. If you want to test the Firewall you have to make a request to the site that could be perceived as malicious. Examples could be:

    yoursite.com/?test=../../ (Local file inclusion) or
    yoursite.com/?test=<script> (Cross site scripting in query string)

    Wordfence has a lot of other blocking functionality too like rate limiting and brute force protection. To test each one you’d have to set those options as you want them and then attempt to break the rules. Try to use a different IP than your own when testing so you don’t end up blocking yourself.

    I understand that all three issues would need to be resolved. If we can, we will at some point.

    I’m wondering why this issue is marked as resolved? It’s not resolved until Wordfence’s firewall can be used with Pantheon and as far as I can tell that’s still not the case.

  • The topic ‘Wordfence issues with Pantheon Hosting’ is closed to new replies.