Wordfence Learning Mode Rules

  • When Wordfence is first installed it enters ‘Learning Mode’ in order to, I believe, register what ‘normal’ traffic looks like, allowing this traffic through when fully activated.

    Where are these ‘learned rules’ stored?
    Are they configurable i.e. added to, deleted?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @tictag, thanks for reaching out!

    The learned rules can be seen in the table at Wordfence > All Options > Allowlisted URLs. They can be enabled/disabled or deleted, but not modified once added.

    You can add your own rules either manually, by re-activating Learning Mode for a limited time if you’re seeing false-positives, or use the “ADD PARAM TO FIREWALL ALLOWLIST” button on any block lines in your Live Traffic page.

    Thanks,
    Peter.

    Thread Starter David Adams

    (@tictag)

    I am concerned that Allowlisted URLs found during Learning Mode are too general in nature and are, therefore, allowing far more traffic through the firewall than the specific original traffic generating the rule.

    In order to understand the scope of this further, the following record is recorded in nearly all of my websites:

    URL: /wp-admin/admin-ajax.php
    Param: request.body[editor]

    … in laymans terms, what will this rule actually allow through the firewall?

    I have also seen the following parameters (i.e. same URL) on some of my websites:

    Param: request.body[settings]
    Param: request.body[lpage_html]

    The user is always me, the IP address is always mine (multiple i.e. dynamically assigned).

    • This reply was modified 1 year, 3 months ago by David Adams.
Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Wordfence Learning Mode Rules’ is closed to new replies.