• Resolved afracica

    (@afracica)


    Hi, I have WP 4.1, I’m running WordPress Firewall 2 ver 1.3 and I am running the most current version of Weaver II Pro theme.

    I just installed WP Edit 3.0 for the first time and then I deleted Ultimate Tiny MCE.

    Whenever I try to access the setting it kicks me out to the home page and I get the following email from WP Firewall:

    WordPress Firewall has detected and blocked a potential attack!
    Web Page: https://www.navigatingthemarketingmaze.com/wp-admin/admin.php?page=wp_edit_options
    Warning: URL may contain dangerous content!
    Offending IP: XX.XXX.XXX.XX [ Get IP location ]

    Offending Parameter: page = wp_edit_options

    This may be a “WordPress-Specific SQL Injection Attack.”

    Click here for more information on this type of attack.

    If you suspect this may be a false alarm because of something you recently did, try to confirm by repeating those actions. If so, whitelist it via the “whitelist this variable” link below. This will prevent future false alarms.

    Click here to whitelist this variable.
    Click here to turn off these emails.

    Thanks,

    Andy

    https://www.ads-software.com/plugins/wp-edit/

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Josh

    (@josh401)

    Wow – Okay….

    There is certainly no malicious code in WP Edit; so don’t worry about that part.

    I wish the firewall plugin provided a little more info… something like the file or line number where the error is occurring.

    Can you provide me a link to the Firewall plugin you are using? I’ll download it and see if I can replicate the issue on my end.

    Thread Starter afracica

    (@afracica)

    Hi Josh,

    Here is the URL for WordPress Firewall 2: https://matthewpavkov.com/wordpress-plugins/wordpress-firewall-2.html

    Andy

    Plugin Author Josh

    (@josh401)

    Okay… I just downloaded the firewall plugin… and immediately received numerous PHP warnings.

    Specifically… I see this notice across all pages:

    Notice: has_cap was called with an argument that is deprecated since version 2.0!
    Usage of user levels by plugins and themes is deprecated. Use roles and capabilities instead. in C:\xampp\htdocs\src\wp-includes\functions.php on line 3495

    That means it is using an older, non-supported, WordPress function… which begs the question of whether the plugin works on current versions of WordPress (we are seeing one symptom now).

    Also, when I hover over “Settings” in the admin menu… there is a lot of space where an error is being shown. If you turn on error reporting in WordPress… you’ll also see these notices.

    Lastly, since that plugin is not hosted on the www.ads-software.com plugin repository… I cannot be certain of its validity.

    So… all in all…. I’d probably recommend searching for a more up-to-date plugin which has the same features.

    As far as it alerting me of my plugin… I can’t seem to replicate that issue. I am able to see the WP Edit settings page (although the notice mentioned above still appears). Also, no emails have been sent to me from my site.

    I’m sorry, but I can’t seem to replicate your exact issue. My recommendation would still be to find a more updated plugin; or possibly email the author of the firewall plugin and ask if they are aware of the PHP notices.

    Thread Starter afracica

    (@afracica)

    This firewall works very successfully to block real SQL insertion attacks and I am a little reluctant to switch to something else, but I’ll have to look and see if I can find a better, more up-to-date firewall.

    Do you have any recommendations?

    Thanks,

    Andy

    Plugin Author Josh

    (@josh401)

    I apologize. I wasn’t suggesting the plugin wasn’t functioning properly; that’s my mistake if that is what I inferred.

    I was suggesting it’s better to use plugins which are up-to-date… and not using outdated WordPress hooks and filters. My debug log fills with errors when that plugin is activated. One function being used has been outdated since WordPress version 2.0.

    I’m not sure what to suggest as an alternative. I suppose if you are not noticing any server or performance issues… then you might not need/want to change.

    As far as the error it is reporting… I’m still digging into it. I’ll post back when I get a little more information.

    EDIT: Can you provide me the exact steps to replicate the issue?

    Thread Starter afracica

    (@afracica)

    Josh,

    That’s okay, I deleted that plugin and installed Wordfence and that took care of the problem. I had not realized that the WordPress Firewall 2 plugin was so far out of date.

    The steps that I took to produce it were to go to the bar on the left and click WP Edit, or go to the plug-in menu and click on the WP Edit settings button.

    Andy

    Plugin Author Josh

    (@josh401)

    Okay… here is the deal with the error.

    The Firewall plugin is using code to search the URL parameters and compare them with different values. Here is the code (plugin lines 190 to 203):

    if(get_option('WP_firewall_exclude_terms') == 'allow') {
    	$exclude_terms = array('#wp_#i', '#user_login#i', '#user_pass#i', '#0x[0-9a-f][0-9a-f]#i', '#/\*\*/#');
    	foreach($exclude_terms as $preg) {
    		foreach($request_string as $key=>$value) {
    			if(preg_match($preg, $value)) {
    				if(!WP_firewall_check_ip_whitelist()) {
    					WP_firewall_send_log_message($key, $value, 'wp-specific-sql-injection-attack', 'WordPress-Specific SQL Injection');
    					WP_firewall_send_redirect();
    				}
    			}
    		}
    	}
    }

    It is using a search pattern (preg_match) to determine if any of the URL parameters match what the plugin deems “insecure”.

    Since my plugin page uses the page name of “wp_edit_options”… it is matching the “#wp_#i” preg_match… thus generating the error.

    This is a legitimate page… so the Firewall plugin is incorrect. You will need to disable that plugin (and find an alternative)… or adjust its code, and remove that “#wp_#i” from the array.
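    As an added illustration (not code from WP Edit or from WordPress Firewall 2), the matching loop quoted above rewritten in Python, with the five PHP `#...#` patterns translated to Python regexes. The query strings are constructed samples; the only difference between the two term lists is the `#wp_#i` entry the plugin author points to, which is what turns the legitimate `page=wp_edit_options` request into a false positive.

```python
import re
from urllib.parse import parse_qsl

# The five "exclude terms" from the WordPress Firewall 2 excerpt (plugin lines
# 190-203 as quoted in the thread), translated from PHP '#...#i' delimiter
# syntax to Python regexes. The label keeps the original PHP spelling.
ORIGINAL_TERMS = [
    ("#wp_#i", re.compile(r"wp_", re.I)),
    ("#user_login#i", re.compile(r"user_login", re.I)),
    ("#user_pass#i", re.compile(r"user_pass", re.I)),
    ("#0x[0-9a-f][0-9a-f]#i", re.compile(r"0x[0-9a-f][0-9a-f]", re.I)),
    ("#/\\*\\*/#", re.compile(r"/\*\*/")),
]

# The same list with the over-broad '#wp_#i' term removed, which is the
# adjustment suggested in the post above. Every wp_-prefixed admin page slug
# (wp_edit_options included) would otherwise be treated as an attack.
NARROWED_TERMS = [t for t in ORIGINAL_TERMS if t[0] != "#wp_#i"]


def first_match(query_string, terms):
    """Mirror the plugin's nested loops (terms outer, request parameters inner).

    Returns (param, value, term_label) for the first parameter whose value hits
    a term, i.e. the point where the plugin would log and redirect, or None
    when the request passes every term.
    """
    params = parse_qsl(query_string, keep_blank_values=True)
    for label, pattern in terms:
        for key, value in params:
            if pattern.search(value):
                return (key, value, label)
    return None


if __name__ == "__main__":
    # Constructed sample requests: the WP Edit settings page from the thread,
    # an unrelated settings page, and a value carrying a hex literal.
    samples = ["page=wp_edit_options", "page=weaver-settings", "id=0x41"]
    for qs in samples:
        print(f"{qs:24} original={first_match(qs, ORIGINAL_TERMS)} "
              f"narrowed={first_match(qs, NARROWED_TERMS)}")
```

Only the `page=wp_edit_options` result changes between the two lists; the remaining terms still fire on the hex-literal sample.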

    Thread Starter afracica

    (@afracica)

    Okay, thanks for taking the trouble to do that, Josh. Sorry to send you on a wild goose chase.

    Like I said, I have removed the plugin and gone with Wordfence so I’m good.

    Thank you,

    Andy

    Plugin Author Josh

    (@josh401)

    No worries at all.

    Thank you for taking the time to work with me.

    Please have a wonderful new year.

  • The topic ‘3.0 is conflicting with WordPress Firewall 2’ is closed to new replies.