wfchar

Hi @parakeet,

If you leave xmlrpc.php in place for Immediately block IPs that access these URLs, then any requests that leverage xmlrpc.php will in fact be blocked regardless of whether or not you have the IP addresses otherwise whitelisted.

The initial success may have been due to an existing connection that was still open at the time you rechecked the connection, but the second and third failures would be the expected behavior when xmlrpc is blocked. Unless you have a need to keep xmlrpc.php blocked, in which case you won’t be able to use Zapier or any other external service that uses xmlrpc, you should go ahead and remove it from the block list.

Let me know if you have any further questions!

Hi @scruffy1,

When you go to Wordfence > Firewall > Blocking and then click the Country option next to Block Type, you should see a field labeled Countries to Block, and under that should be a button-style list of countries that are configured to be blocked.

The display for viewing the statistics for your country blocking can be found on the WordPress dashboard view. If you go to Wordfence > All Options and check “Enable activity report widget on the WordPress dashboard” in Activity Report section, then go to the WordPress dashboard and select “Screen Options”, then check “Wordfence activity in the past week”, you should then see your statistics displayed in the dashboard as a widget.

Let us know if you have any further questions!

• This reply was modified 6 years, 4 months ago by wfchar.

Hi @shojikama,

Could you try the following:

• Go to the Wordfence > Tools > Diagnostics page
• Go to the “Debugging Options” section (bottom of the page)
• Uncheck the “Enable SSL Verification” option
• Hit the “Save Changes” button

Let me know if the issue persists after disabling SSL verification!

• This reply was modified 6 years, 4 months ago by wfchar. Reason: formatting

Hi @choisir,

I can confirm I’m seeing the mixed content messages when I visit your site. This will create issues with resources such as images and external assets from displaying properly.

You can either modify your site to force all traffic to communicate via HTTPS, or you can opt for one of the WordPress plugins that is designed to handle this process for you, such as Really Simple SSL or SSL Insecure Content Fixer (please note that this is not an official endorsement of any plugin).

I did check your SSL certificate for your domain and confirmed that all is well with that.

Let us know if you have any further questions!

Hi @heiscominsoon,

We have indeed addressed this vulnerability! More information is available here: https://www.wordfence.com/blog/2018/06/arbitrary-file-deletion-flaw-present-in-wordpress-core/

Let us know if you have any further questions!

Hi @parakeet,

Have you re-enabled xmlrpc.php? If not, could you re-enable and retest whether the IPs are still failing to connect to the service?

Hi @sharepress,

When you go to the Scan page, you should see a button labeled Start New Scan on the left hand side under the status circles, even with the free version. Is this button not present?

Hi @verbeelding,

Could you please compress the file and send it to [email protected]?

If you have any results under Scan > Results Found, could you please click Details and provide screenshots in the email as well?

Thanks!

Hi Darryl,

We didn’t find any evidence that those files are infected; however, we were wondering if you could also provide the rules used on your host so we can double-check those as well, just to be on the safe side.

Thanks!

Hi @traverser11,

At what point in your troubleshooting process was that screenshot taken? It does indicate that Wordfence isn’t configured, but it’s not clear whether the issue is that Wordfence is disabled currently but that message is displaying or if there’s an issue with Wordfence not remembering configuration while using the Divi theme.

Thanks!

Hi @dna2018,

We didn’t see anything out of place in the diagnostic information you sent, and I’ve confirmed that the messages you’re seeing are a normal part of the plugin’s data and are not spam. The messages, however, do mean that those signatures won’t be working.

Has anything changed, such as your hosting instance or any versions of software, since the time you filed this issue? Can you confirm whether or not this is still happening?

Thanks!

wfchar, one one of our business sites we have a legitimate AWS box picking up a feed from it. So that’s a case where we’d need to figure out some kind of exception.

If you own that particular AWS box, you can request an elastic IP address to ensure that you have a static endpoint, even if your instance is relaunched.

Hi @managedhostingpartners,

The column and information that AWS referenced is a binary column storing values for IP addresses. The default value is all zeroes (16 characters in this case for either IPv4 or IPv6 values).

The wp_wfBlocks7 table is going to be created using the default engine for your database, so you may want to double-check whether or not it’s using MyISAM. As noted by michael-sqlbot in the serverfault thread:

The MyISAM storage engine does not support reliable recovery and can result in lost or corrupt data when MySQL is restarted after a recovery, preventing Point-In-Time restore or snapshot restore from working as intended.

Let us know if you have any further questions!

Hi @tommcgee,

There should be no impact with using Wordfence while blocking AWS IPs; however, if you need to leverage any services from other providers in the future, you will want to reassess this block and its potential impact on external services.

Let us know if you have any further questions!

Do you have the “Enable beta threat defense feed” option checked in the Debugging Options section? If so, this should be turned off, as it is a testing feature and isn’t intended for production environments.

If you don’t have the beta feed enabled, could you please go to Tools > Diagnostics > Send Report by Email and send the report to [email protected] so we can take a closer look? Please include your forum username in the Forum Username field.

Thanks!