• Resolved a_henderson

    (@a_henderson)


    I have an HTML form on my website, which users can complete and submit.

    As well as text input fields, the form also allows sending of some attached files with the request, which is all sent to the server as a POST request.

    For a small percentage of users, when attaching a PDF file, the submission of the form is being blocked by the WordFence WAF, which states:

    “A potentially unsafe operation has been detected in your request to this site”

    However, no entries appear in the ‘Live Traffic’ view when this happens to indicate why the request was blocked. (I’ve tried ‘All Traffic’ and ‘Security Only’ modes)

    I’ve also tried putting the firewall into learning mode, and replicating a submission that would be blocked, but this doesn’t seem to help. After turning the firewall back to enabled, the request is blocked again.

    Does anyone have any pointers as to what other steps I might try, to stop these requests from being blocked?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @a_henderson, thanks for reaching out.

    When Learning Mode doesn’t help, it can sometimes indicate that forms are submitted with unique IDs in some way that would require a wildcard to be allowlisted. I know you mention it being a HTML form, but was it generated using a plugin?

    My first thought in your case would be to turn off the “Malicious File Upload (PHP)” firewall rule found in Wordfence > All Options > Firewall Options > Advanced Firewall Options > Rules. Click the “SHOW ALL RULES” button once you’re there.

    It is not uncommon for image or PDF files to contain code that looks like PHP such as <? when looked at as a string, therefore triggering the above rule as a JPG/PDF is not meant to contain PHP.

    Another rule titled “Malicious File Upload (Patterns)” will actually check the file contents rather than just whether a filetype/extension may be misrepresented, so leaving this turned on, even if you had to turn the other off will provide you with a solid level of protection going forward.

    Thanks,

    Peter.
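The point in the reply above about PDF or image files containing `<?` can be checked on a blocked upload with a short scan. This is an added example, not part of any post in this thread and not Wordfence code; the rule's actual matching logic is not shown on this page, and the function names and sample bytes are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample (not a real upload): PDF-like bytes with an XMP metadata
# packet and a compressed stream that happens to contain the bytes 0x3C 0x3F.
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
    b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>\n'
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/"></x:xmpmeta>\n'
    b'<?xpacket end="w"?>\nendstream\nendobj\n'
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    b"\x78\x9c\x8b\x3c\x3f\x01\xfe\x10\x3c\x3f\xa0\nendstream\nendobj\n%%EOF\n"
)

OPEN_TAG = re.compile(rb"<\?")
# What follows "<?" decides how a hit should be read during triage.
PREFIXES = [(b"php", "php-long-tag"), (b"=", "php-echo-tag"),
            (b"xpacket", "xmp-packet"), (b"xml", "xml-declaration")]

def classify(data: bytes, pos: int) -> str:
    """Label the '<?' at pos by the bytes that follow it."""
    tail = data[pos + 2:pos + 10].lower()
    for prefix, label in PREFIXES:
        if tail.startswith(prefix):
            return label
    if tail[:1].isspace():
        return "php-short-tag-like"
    return "binary-or-other"

def scan(data: bytes) -> list:
    """Return (offset, label) for every '<?' byte pair in the file."""
    return [(m.start(), classify(data, m.start())) for m in OPEN_TAG.finditer(data)]

def summarize(data: bytes) -> Counter:
    return Counter(label for _, label in scan(data))

def expected_chance_hits(size: int) -> float:
    """Expected count of '<?' in `size` uniformly random bytes (1 in 65536 per position)."""
    return max(size - 1, 0) / 65536

if __name__ == "__main__":
    for offset, label in scan(SAMPLE_PDF):
        print(f"offset {offset:>4}: {label}")
    print("chance hits expected in 1 MiB of compressed data:",
          round(expected_chance_hits(1 << 20)))
```

Hits labelled `xmp-packet` or `binary-or-other` are ordinary in PDFs and JPEGs; a `php-long-tag` or `php-echo-tag` hit in an uploaded document is the case worth inspecting by hand.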

    Thread Starter a_henderson

    (@a_henderson)

    Hi @wfpeter, thanks for your reply

    I’ve turned off the “Malicious File Upload (PHP)” firewall rule, and that seems to have resolved my issue. The test submission that was previously failing is now going through a-ok. Thank you very much for your advice, clear guidance and extra info on what the rule does.

  • The topic ‘Blocked POST request not appearing in live traffic log’ is closed to new replies.