• Hi.
    I have some WP sites: some are publicly open, where Wordfence is working fine; some are partly reachable from the internet (some parts are blocked, the wp-admin directory included); and the rest are internal only. With all the partly and fully blocked ones, Wordfence is not working, because for a scan it needs to get the command from the Wordfence server (noc1).
    Ok, you do your license control and collect some statistics in this way, but normally it is not needed to control all the scans from the Wordfence server.

    Please don’t do this:
    WP site sends request to Wordfence =>> Wordfence system checks license =>> Wordfence server starts scan by deep link to WP site
    You can do it on this way:
    WP site sends license check to Wordfence =>> WP site starts scan

    The latter is also the better way to control your licenses, because now I start my scans from the server that is hosting the site. The URL to do this was easy to find.

    @all: please don’t ask me for the link to start the scan from the local machine. First Wordfence should have some time to redesign this plugin to do this by design.

    I use Wordfence 5.3.3, and with some versions before it was all the same.

    Thanks for support,
    Regula.

    https://www.ads-software.com/plugins/wordfence/

Viewing 3 replies - 1 through 3 (of 3 total)
  • First off, I think you misunderstand what we are doing when we connect back to our servers. One of the number one reasons sites are exploited or hacked is not updating WordPress core files, plugins, and themes. We have a mirror of the official WordPress repository of those things on our server. I suppose we could download every plugin and theme version to your server to make it completely self-standing, but if someone isn’t updating your plugins and themes already, odds are they won’t update that either. Licensing is only a small part of what goes on. We’re also looking for specific exploits and signs pointing to various hacks that are known. Security vulnerabilities are outed every day. Can you imagine the amount of updates you would have to do almost every day just to stay current?

    Personally I have a large company I manage sites for. At least 15 are internal only with 10.X.X.X addresses, however I have yet to have an issue running a scan.

    Please check firewall, etc. Maybe look for plugins that are causing an extra security layer, etc. Since they are internal, I assume that granting temp admin access is out of the question. Do a connectivity test (bottom of the options page) and paste it here. A copy of the error logs with errors specific to Wordfence and noc1 might be good too.

    Thanks

    tim

    Thread Starter plablub (@plablub)

    Hi Tim.

    Thanks for the response, but you don’t have to explain yourself. Be sure, I know a little about your business. I know some more about IT infrastructure, but a little about public internet services.
    Now we will have a deeper look at a site which is on a public system (85.x.x.x) without a firewall in front, but with a .htaccess configuration which restricts access from the public internet (“require valid-user”).

    List of plugins at this WP site:
    Wordfence Security
    WP Overview (lite)
    nothing more, it is only a test site.

    Configuration:
    Key type [free Key]
    Enable debugging mode [no]
    Disable Wordfence Cookies [yes]
    Start all scans remotely [no]
    Disable config caching [yes]

    connectivity test to Wordfence servers:
    DNS lookup for noc1.wordfence.com returns: 69.46.36.8
    STARTING CURL http CONNECTION TEST….
    Curl connectivity test passed.
    STARTING CURL https CONNECTION TEST….
    Curl connectivity test passed.
    Starting wp_remote_post() test
    wp_remote_post() test to noc1.wordfence.com passed!
    Starting wp_remote_post() test
    wp_remote_post() test to noc1.wordfence.com passed!

    === Test 1 Start ===

    Now I start a scan manually… and…
    result from “Scan Summary” window:
    – nothing – still empty window –

    result from “Scan Detailed Activity” window:
    – nothing – still empty window –

    === Test 1 End ===

    Now I make some changes in the config pane:
    Enable debugging mode [yes]
    Start all scans remotely [yes]

    === Test 2 Start ===

    Now I start a scan manually… and…
    result from “Scan Summary” window:
    – nothing – still empty window –

    result from “Scan Detailed Activity” window:
    [Nov 25 12:03:19] CURL fetching URL: https://noc1.wordfence.com//v2.14/?v=4.0.1&s=http%3A%2F%<mysite.tld>%2F<WPdir>&k=<freeKey>&action=ping_api_key
    [Nov 25 12:03:48] Ajax request received to start scan.
    [Nov 25 12:03:48] Entering start scan routine
    [Nov 25 12:03:48] Got value from wf config maxExecutionTime: 22
    [Nov 25 12:03:48] getMaxExecutionTime() returning config value: 22
    [Nov 25 12:03:48] Starting cron via proxy at URL https://noc1.wordfence.com/scanp/<mysite.tld>/<WPdir>/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=<cronKey>
    [Nov 25 12:03:50] Scan process ended after forking.

    === Test 2 End ===

    But in the httpd server log I see the reason why the job is not starting:
    scan1 “GET /<WPdir>/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=<cronKey> HTTP/1.1” 401 “Wordfence cron”
    scan1 “GET /<WPdir>/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=<cronKey> HTTP/1.1” 401 “Wordfence cron”
    scan1 “GET /<WPdir>/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=<cronKey> HTTP/1.1” 401 “Wordfence cron”
    scan1 “GET /<WPdir>/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=<cronKey> HTTP/1.1” 401 “Wordfence cron”
    scan1 “GET /<WPdir>/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&cronKey=<cronKey> HTTP/1.1” 401 “Wordfence cron”

    And this error appears with all possible configurations. So, I have some questions:
    – why is this job not linked to WP-Cron itself?
    – why do you deep link to a directory which is recommended to be secured with a .htaccess file?
    – why do you not show a link in the config pane to configure a job that can do this on the local machine?
    – why do you promise security, but create a dependency which brings a security risk?

    Lastly, I will explain: if someone disconnects your servers and/or from the internet (it is not as hard to realize as most think!), all the WP sites which are secured by Wordfence do not recognize this or don’t scan their site any more. Then they can all be manipulated without any message from the Wordfence service.

    You should think about the design; you can still deliver all your service, but with a few changes you will raise the level of security.

    But the one and only thing I’m interested in: how to install a WP site with Wordfence inside a directory secured by a .htaccess file?

    Thanks for support,
    Regula.

    By any chance are you blocking the wp-admin folder? Or access to the admin-ajax.php file?

    tim
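One way to reconcile the two requirements this thread ends on (keep wp-admin behind Basic auth, but let the Wordfence scan callback reach admin-ajax.php without a 401), as an added example that is not from the thread or from Wordfence. It assumes Apache 2.4, a .htaccess placed in the wp-admin directory, and a placeholder path for the password file.

```apache
# Added example, not code from the thread or from Wordfence.
# .htaccess in <WPdir>/wp-admin/ on Apache 2.4.
# The directory stays behind HTTP Basic auth as in the thread, but
# admin-ajax.php is exempted so the "Wordfence cron" GET shown in the
# httpd log no longer answers 401. The doScan request still carries
# its own cronKey parameter, which is what Wordfence checks.

AuthType Basic
AuthName "Restricted admin area"
# Placeholder path; keep the htpasswd file outside the web root.
AuthUserFile /path/to/.htpasswd
Require valid-user

# With AuthMerging Off (the 2.4 default) a later-merged <Files>
# section replaces the Require above for this one file only.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Apache 2.2 equivalent for the <Files> block body:
#     Order allow,deny
#     Allow from all
#     Satisfy Any
```

After reloading, the same log lines should show 200 instead of 401 for the wordfence_doScan request while other wp-admin URLs still prompt for credentials.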

  • The topic ‘blocked by .htaccess/firewall (http error 401)’ is closed to new replies.