• Resolved soundfeelings

    (@soundfeelings)


    I have many WordPress sites and for each of them I am using Wordfence security. For each of these, I am using a service called Stackpath, which is similar to the more popular “Cloudflare” WAF service. This functions kind of like a pre-filter to get rid of mostly all malware attacks before it even hits the server. I’m very happy with them.

    In the past few weeks, the weekly Wordfence notifications have “Recently Blocked Attacks.” I have inquired about this of Stackpath and they acknowledge that each of the “attacks” are from THEIR IP addresses, just doing their normal scan or whatever they need to do to function correctly. (Previously for many months, the notifications would always indicate “No data currently,” so I was concerned about this and that is what prompted me to contact them… wondering WHY are these entities getting through.)

    They gave me a URL that lists all their IP addresses that I could go into each of my installations to whitelist. I was planning to do this but then I realized that there may be other people dealing with the same thing. Maybe you might consider verifying what I’m saying and then possibly whitelist that set of IP addresses on the back end so it would apply to all users of Wordfence?

    I am hesitant to publicly post the stated URL here but if you want to contact me privately, I would really be happy to supply it.

    Thank you.

    Howard Richman

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @soundfeelings

    It appears that you haven’t configured Wordfence to detect IP addresses correctly and Wordfence is seeing all visits to your site as coming from StackPath IP addresses.

    For Wordfence to be able to detect the correct IP address of site visitors, StackPath uses the X-FORWARDED-FOR HTTP header to pass along the correct IP address:

    https://support.stackpath.com/hc/en-us/articles/360021658292-Getting-Real-Client-IPs-with-X-Forwarded-For

    In the “How does Wordfence get IPs” subsection of the “General Wordfence Options” section on the “All Options” page you will need to set and save the option “Use the X-Forwarded-For HTTP header. Only use if you have a front-end proxy or spoofing may result.”

    You can then find your IP address here (note that this detection is not 100% accurate on cellular phone network connections):

    https://www.whatsmyip.org/

    You should then see your IP address on the line Your IP with this setting.

    If you don’t see your IP address on that line but instead a StackPath IP address then you will have to add all of StackPath’s IP address ranges as trusted proxies.

    Click on the link + Edit trusted proxies

    Now you will need to enter all of these StackPath IP address ranges shown in the page below under the CDN/WAF IP Blocks section:

    https://support.stackpath.com/hc/en-us/articles/360001091666

    Each IP address range must be manually copied and pasted on a separate line in the Trusted Proxies text area in Wordfence.

    Make sure you copy this list that you have created in the Trusted Proxies text area in case you get blocked when you press the SAVE CHANGES button, otherwise you will have to go through that lengthy process again. You may be blocked if Wordfence is seeing all IP addresses as StackPath IP addresses and an attacker is blocked but Wordfence sees you as having the same IP address as the attacker.

    Once saved you should then see your IP address on the line Your IP with this setting.
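
An added illustration, not part of the thread and not Wordfence's own code: one common way a site behind a CDN/WAF picks the visitor address from X-Forwarded-For with a trusted-proxy list, showing why the header is only honoured when the connecting peer is a listed proxy. The function names and the address ranges (documentation ranges standing in for the CDN's published blocks) are assumptions.

```python
import ipaddress

# Constructed stand-ins (documentation ranges), not real StackPath IP blocks.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "2001:db8:100::/48")]


def _parse(value):
    """Return an ip_address object, or None if the value is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_trusted(ip, trusted=TRUSTED_PROXIES):
    """True if ip falls inside one of the trusted proxy ranges."""
    return any(ip in net for net in trusted)


def resolve_client_ip(remote_addr, xff=None, trusted=TRUSTED_PROXIES):
    """Pick the visitor IP from the socket peer and an X-Forwarded-For value."""
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError("invalid peer address")
    # Only a listed proxy may vouch for another address. From any other
    # peer the header is client-controlled and is ignored.
    if not xff or not is_trusted(peer, trusted):
        return str(peer)
    client = peer
    # Walk right to left: each trusted hop vouches for the entry before it.
    for hop in reversed(xff.split(",")):
        ip = _parse(hop)
        if ip is None:
            break  # malformed entry: keep the last address we could verify
        client = ip
        if not is_trusted(ip, trusted):
            break  # first untrusted address is the visitor
    return str(client)


if __name__ == "__main__":
    # Header ignored or absent: every visitor looks like the CDN edge.
    print(resolve_client_ip("192.0.2.10"))
    # Header honoured from a trusted edge: the visitor address is recovered.
    print(resolve_client_ip("192.0.2.10", "203.0.113.7, 192.0.2.55"))
    # Header sent straight to the origin by an untrusted peer: ignored.
    print(resolve_client_ip("198.51.100.9", "203.0.113.7"))
```
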

    Hi @soundfeelings,

    We haven’t heard back from you in a while, so I’ve gone ahead and marked this thread as resolved.

    Please feel free to open another thread if you’re still having issues with Wordfence.

    Thanks,

    Gerroald

    Thread Starter soundfeelings

    (@soundfeelings)

    Thank you for the great info. I hadn’t realized that you had responded as I may have missed the notification. I will try what you said.

    Plugin Support wfphil

    (@wfphil)

    Hi @soundfeelings

    If you need any help let me know.

    Hi @wfphil

    May I jump on this too, please?

    We have a similar issue. When Wordfence is enabled, some assets, mainly images being served from Stackpath CDN, are not displayed in the browser.

    We have followed the steps above,
    1. Set X-FORWARDED-FOR HTTP header to pass along the correct IP address. (Also tried via Cloudflare option).
    2. Populated the trusted proxies list with the IPv4 & IPv6 addresses from Stackpath CDN.

    Unfortunately, this did not work for us. Currently, we have Stackpath CDN integration switched off, as this is the only way for the website to load all images correctly with Wordfence enabled.

    Our setup is as follows:

    Server architecture Linux 4.15.0-91-generic x86_64
    Web server Apache/2.4.29 (Ubuntu)
    PHP version 7.3.16-1+ubuntu18.04.1+deb.sury.org+1 (Supports 64bit values)
    PHP SAPI apache2handler

    Host Digitalocean – Droplet – UK

    WordPress is on the latest version of 5.4 and all plugins up to date.

    We use Cloudflare for DNS, SSL/TLS. Hosts A Records are Proxied.
    We use WPRocket for CSS & JS file optimisation.

    Stackpath CDN is integrated via WPRocket with cname added to Cloudflare. DNS only.

    Any help is appreciated. Thank you in advance.

    • This reply was modified 4 years, 7 months ago by emaildblack.
    Plugin Support wfphil

    (@wfphil)

    Hi @emaildblack

    As per forum rules please open your own topic:

    “Unless users have the exact same version of WordPress on the same physical server hosted by the same hosts with the same plugins, theme, and configurations, then the odds are the solution for one user will not be the same for another. For this reason, we recommend people start their own topics.”

    Forum Guidelines

    Apologies, I genuinely thought we provided enough information within our post.

    I do appreciate rules, and they do have their place. As a forum “noob”, it would appear we jumped straight in without a thought for the process. This being the first time since 2012 we have ever had to post seeking assistance, I am forever grateful.

    In reflection, we are most likely leaning towards an alternative solution. The positive prompt customer experience we received elsewhere will most likely be a deciding factor in our change of security solution, but thank you for your most helpful reply.

    Have a great day and stay safe during these unprecedented times.

    Plugin Support wfphil

    (@wfphil)

    Hi @emaildblack

    Thank you for the reply and no need to say sorry!

    Your situation is completely different to the person that started this topic, hence why www.ads-software.com prefers everyone start their own topic.

    Have a great day and stay safe yourself too.

  • The topic ‘Stackpath WAF IP Addresses Blocked for WAF-RULE-194’ is closed to new replies.