• I have a static IP and have it listed in “Allowlisted IP addresses that bypass all rules” in Firewall settings. However, I have to resave the setting once in a while, as it stops working.

    I need it set because Wordfence is blocking me from doing certain things in my site’s database via phpMyAdmin. If there is another way to deal with that, I’d love to know it. Otherwise, how can I get my static IP to bypass rules permanently?

    Thanks for any help.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @jamminjames,

    I haven’t heard of another case where Wordfence loses a user-set allowlisted IP after a period of time. I’ve heard of some hosts reinstating an IP for compatibility reasons there when a customer deletes it, but that doesn’t seem to be the case here unless you’re seeing it replaced with another?

    Whilst a static IP is safer than one that may be reassigned, it isn’t recommended to put any user IPs here as it bypasses all Wordfence checks altogether. An administrator could still install something unsafe, or run a script that should’ve been blocked for example. It would be more appropriate to try finding the firewall rule or false-positive causing the blocks.

    The action with the least manual involvement would be enabling Learning Mode if PHPMyAdmin is a child-folder installation off the root of your site. That link also has a way to check your Live Traffic feed and manually allowlist the action after triggering a block. This has worked for other customers with custom PHP applications (such as Roundcube) in folders outside of their WordPress site that are still being checked because they optimized the firewall with a .htaccess/.user.ini in the root folder rather than inside the WordPress site’s folder. This means wordfence-waf.php will be told to run before any PHP application.

    There’s a more detailed explanation on how to manually change it rather than relying on Learning Mode in another topic. I have linked it to avoid going too far down this route before knowing if it applies to your installation of PHPMyAdmin: https://www.ads-software.com/support/topic/html-emails-on-roundcube-blocked-by-wordfence/#post-17972206

    I hope that helps you out,
    Peter.

    Thread Starter jamminjames

    (@jamminjames)

    Thanks for the prompt reply. The IP is not being replaced. I have tried Learning Mode, did that first, and although it also works for a time, it goes back to not working again.

    It’s true, this is outside of the WordPress root. That is, it is set up in its own folder on the root of the site, but just not in the WordPress folder structure. Can I use that folder name somehow in the Firewall rules? I don’t want to block it out entirely, of course, because, as you say, we want the Firewall to protect it. I figured just allowing my static IP was the safest for that reason.

    Looking into the manual method you linked to, it doesn’t look like it relates to my situation, as it’s all on the same subdomain.

    Thread Starter jamminjames

    (@jamminjames)

    Following up, I went ahead and did Learning Mode again, and this time did a bunch of operations in phpMyAdmin, instead of just one or two. Then I put it back in live mode. But when I logged out, it again started blocking actions in phpMyAdmin.

    I also checked for blocked visits on the “Tools” > “Live Traffic” page feed, and found the related blocks, which were like the following (changed the IP and our website domain). I did notice the IP they used was the ipv6, not the ipv4 I had used. I think the ipv6 we’re assigned is not static though. If I just hit the “Add Param” button for this, it seems like it would be too broad, since it’s for SQL Injection. How should I approach this?

    MyCity, California, United States was blocked by firewall for SQL Injection in POST body: sql_query=SELECT%20*%20FROM%20%60wp_blc_links%60%20WHERE%201 at https://www.mydomain.com/goodone/index.php?route=%2Flint
    8/30/2024 11:48:32 AM (12 minutes ago)
    IP: 9999:88888:a77d:1a66:e47c:2b71:f64b:6f64
    Human/Bot: Human

    Thread Starter jamminjames

    (@jamminjames)

    @wfpeter, what do you recommend? Thanks.

    Thread Starter jamminjames

    (@jamminjames)

    @wfpeter, any suggestions? Is there a hook I could use in our child theme functions.php file, for example?

    Thread Starter jamminjames

    (@jamminjames)

    @wfpeter, is there anyone else I can ask for support on this? It seems Wordfence’s user-set allowlisted IP is not working properly, and that someone should look into that. My ipv4 doesn’t change, yet the allowed list is not working for me, unless I re-save it, then it will work for a day or whatever.

    I do notice from the log I posted above that that injection test uses ipv6, not ipv4. When I save the ipv4 in the allowlisted IP, does that somehow also translate to my current ipv6? Is that why it works for a bit, since the ipv6 changes, but the ipv4 does not?

    So, could I, with a function hook perhaps, make it test with ipv4 instead?
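
Added example, not part of the thread and not Wordfence code: a generic check of whether the source address of each blocked request is covered by an allowlist, which makes the IPv4-versus-IPv6 question from the last post visible. The entry layout follows the Live Traffic block quoted above; the addresses, the `/pma/` path and the allowlist are constructed, and the matching shown is plain address-family logic, not a description of how Wordfence matches addresses.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed entries in the Live Traffic layout quoted in the thread
# (documentation address ranges, hypothetical /pma/ path).
SAMPLE = """\
Constructed City was blocked by firewall for SQL Injection in POST body: sql_query=SELECT%20*%20FROM%20%60wp_blc_links%60%20WHERE%201 at https://www.example.com/pma/index.php?route=%2Flint
8/30/2024 11:48:32 AM
IP: 2001:db8:a77d:1a66:e47c:2b71:f64b:6f64
Constructed City was blocked by firewall for SQL Injection in POST body: sql_query=SELECT%201 at https://www.example.com/pma/index.php
IP: ::ffff:203.0.113.7
Constructed City was blocked by firewall for SQL Injection in POST body: sql_query=SELECT%201 at https://www.example.com/pma/index.php
IP: 203.0.113.7
"""
ALLOWLIST = ["203.0.113.7"]  # constructed: one static IPv4 address

def parse_blocks(text):
    """Yield (param, decoded_value, ip) for each blocked-request entry."""
    param = value = None
    for line in text.splitlines():
        line = line.strip()
        m = re.search(r"in POST body: (\w+)=(\S*) at ", line)
        if m:
            param, value = m.group(1), unquote(m.group(2))
        elif line.startswith("IP: ") and param is not None:
            yield param, value, ipaddress.ip_address(line[4:].strip())
            param = value = None

def covered(ip, allowlist):
    """Return 'match', 'match-mapped' or 'no-match' for ip against allowlist."""
    nets = [ipaddress.ip_network(e, strict=False) for e in allowlist]
    if any(ip.version == n.version and ip in n for n in nets):
        return "match"
    # Same IPv4 address in IPv4-mapped IPv6 form; whether a given product
    # treats this as equal to the IPv4 entry is product-specific.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None and any(n.version == 4 and mapped in n for n in nets):
        return "match-mapped"
    return "no-match"

def report(text, allowlist):
    """One row per blocked request: address, family, param, value, coverage."""
    return [(str(ip), f"IPv{ip.version}", param, value, covered(ip, allowlist))
            for param, value, ip in parse_blocks(text)]

if __name__ == "__main__":
    for row in report(SAMPLE, ALLOWLIST):
        print(row)
```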
