• Resolved krystoflp

    (@chrisscottuk)


    I have a feature request please.

    I need to whitelist a very large number of CIDR IP addresses to ensure that MaxCDN does not get blocked. (They have just been blocked, as apparently Wordfence thinks their crawler is pretending to be Google.)

    MaxCDN list of CIDR IP addresses to whitelist can be found here: https://www.maxcdn.com/one/tutorial/ip-blocks/

    I have discovered that Wordfence does not accept CIDR IP addresses and requires me to convert each one to a different format.

    This will take a considerable amount of time. Please can you consider adding CIDR support.

    Thank you

    https://www.ads-software.com/plugins/wordfence/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter krystoflp

    (@chrisscottuk)

    Also please bear in mind this:

    An error occurred

    Please make sure you separate your IP addresses with commas. The following whitelisted IP addresses are invalid: 94.46.[144-159].[0–255]

    94.46.144.0/20 is a CIDR that needs converting for MaxCDN to work with Wordfence. However, Wordfence does not allow 94.46.[144-159].[0–255], so that is a lot of entries I need to add to get it to allow this range – MaxCDN uses a fair few of these large ranges of IP addresses.

    So I really hope you can address these issues soon.

    Plugin Author WFMattR

    (@wfmattr)

    Thanks for the feedback — I will submit this to the dev team.

    In the meantime, the issue with the IP address above is that one of the hyphens isn’t a real hyphen — it’s hard to see, but one of them is slightly longer. If you delete that dash and manually type a hyphen in its place, it should work.

    Unfortunately, since MaxCDN passes any request from any visitor, the “fake google crawler” is probably a bot that is scanning your site through MaxCDN — whitelisting MaxCDN’s IPs will let scans like that happen, since the IP address won’t show the bot’s IP. The same goes for brute-force login attempts. (They may have options now to block certain patterns, to help prevent this. It has been a year or so since I have seen their available options.)

    -Matt R
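    The two practical problems in this thread are the CIDR-to-range conversion the reporter is doing by hand and the look-alike dash that Matt spotted in the rejected entry. The script below is an added example, not Wordfence's or MaxCDN's own code: it expands any IPv4 CIDR block into the per-octet bracket notation shown in the error message (94.46.144.0/20 becomes 94.46.[144-159].[0-255], and it also handles blocks that do not end on an octet boundary, such as /22 or /30), and it checks a finished whitelist entry for non-ASCII dashes such as the en dash (U+2013) that Wordfence will not parse. The address 94.46.144.0/20 is taken from the thread; the other sample blocks are constructed.

```python
import ipaddress

# Unicode dashes that look like "-" but are rejected by a parser expecting ASCII.
# U+2010..U+2015 are hyphen/dash code points, U+2212 is the minus sign.
LOOKALIKE_DASHES = {chr(cp) for cp in range(0x2010, 0x2016)} | {"\u2212"}


def cidr_to_wordfence_range(cidr: str) -> str:
    """Render an IPv4 CIDR block as per-octet ranges, e.g. 94.46.[144-159].[0-255].

    A CIDR block is always aligned, so the set of addresses in it is exactly the
    Cartesian product of the per-octet ranges between its first and last address.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 CIDR blocks are supported")
    first = net.network_address.packed    # four bytes of the lowest address
    last = net.broadcast_address.packed   # four bytes of the highest address
    parts = []
    for lo, hi in zip(first, last):
        parts.append(str(lo) if lo == hi else f"[{lo}-{hi}]")
    return ".".join(parts)


def wordfence_whitelist_line(cidrs) -> str:
    """Join converted blocks with commas, the separator the error message asks for."""
    return ",".join(cidr_to_wordfence_range(c) for c in cidrs)


def non_ascii_dashes(entry: str):
    """Return (index, char) for every look-alike dash in a whitelist entry."""
    return [(i, ch) for i, ch in enumerate(entry) if ch in LOOKALIKE_DASHES]


def normalize_dashes(entry: str) -> str:
    """Replace look-alike dashes with the ASCII hyphen-minus Wordfence expects."""
    return "".join("-" if ch in LOOKALIKE_DASHES else ch for ch in entry)


if __name__ == "__main__":
    # 94.46.144.0/20 is the block from the thread; the others are constructed samples.
    for block in ("94.46.144.0/20", "94.46.144.0/22", "10.0.0.0/30", "192.0.2.7/32"):
        print(f"{block:16} -> {cidr_to_wordfence_range(block)}")

    # The rejected entry from the thread, with an en dash (U+2013) in the last octet.
    rejected = "94.46.[144-159].[0\u2013255]"
    print("look-alike dashes:", non_ascii_dashes(rejected))
    print("normalized:", normalize_dashes(rejected))
```

    Running the converter over the published MaxCDN block list and pasting the joined output into the whitelist avoids both the manual expansion and the copy-paste dash problem, since the output contains only ASCII hyphens.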

    Thread Starter krystoflp

    (@chrisscottuk)

    Hi there, thanks for the prompt response.

    This is part of a reply about the same issue from MaxCDN:

    > Since Google is searching through your website and in your source code there are CDN links, when a file which is not in CDN cache is requested, our servers will reach out to your Origin server for those Google requests to fetch that file and that is the reason why the IP of our server being shown on your end.
    >
    > You can enable XFF (X-Forwarded-for HTTP Header) under Pull Zone -> Settings tab -> Edge Settings and in that way identify the IP of the client which is connecting to your Origin server.

    You raise an interesting point re the whitelist.

    I’ve enabled XFF headers on the MaxCDN side, but am wondering if Wordfence supports/identifies these XFF headers?

    Thanks,

    Chris

    You should contact MaxCDN support and they will give you a separate set of IP addresses to use so Wordfence will accept them.
    https://www.maxcdn.com/contact/

    Use the email option on the bottom right.

    Thanks.

    Plugin Author WFMattR

    (@wfmattr)

    @chrisscottuk: Currently, Wordfence only supports X-Forwarded-For in situations where every request contains that header (typically for reverse proxies), so I have entered a feature request for supporting this type of setup for CDNs, where it is only valid for specific IPs. It can’t be used currently, because visitors to the main domain would be able to change their apparent IPs at will. The reference number for this request is FB1080. I can’t say when or if it will be implemented, but all requests are considered carefully.

    To prevent blocking visits from Google that come through MaxCDN in the meantime, you can disable the option “Immediately block fake Google crawlers” on the Wordfence Options page. You may also want to lighten some of the other rules in that section of the options if you have made them strict, since multiple visitors will be counted as arriving from a relatively small number of MaxCDN IPs, and keep the blocking time in “How long is an IP address blocked when it breaks a rule” relatively short. (The default is quite short, and it is adequate for most purposes.)

    Thanks for reporting the issue, and let me know if you have any questions!

    -Matt R
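    Matt's point is that X-Forwarded-For can only be believed when the request demonstrably arrived through the CDN; otherwise any direct visitor can set the header and pick their apparent IP. The snippet below is an added example of that rule, not Wordfence's implementation and not the behaviour of the feature request FB1080: it trusts the header only when the TCP peer (REMOTE_ADDR) falls inside a configured list of proxy CIDR blocks, walks the comma-separated hop list from the right skipping known proxies, and falls back to the peer address on a missing or malformed header. The block 94.46.144.0/20 is the MaxCDN range named in the thread; the client and peer addresses in the demo are constructed documentation addresses.

```python
import ipaddress

# CIDR blocks from which X-Forwarded-For is trusted. 94.46.144.0/20 is the
# MaxCDN block quoted in the thread; a real deployment would load the full list.
TRUSTED_PROXY_CIDRS = [ipaddress.ip_network("94.46.144.0/20")]


def is_trusted_proxy(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXY_CIDRS)


def client_ip(remote_addr: str, xff_header: str) -> str:
    """Return the IP that rate limiting and blocking should be keyed on.

    remote_addr is the TCP peer (REMOTE_ADDR); xff_header is the raw
    X-Forwarded-For value, "" when absent. The header is honoured only if the
    peer is a trusted proxy, because anyone connecting directly can forge it.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted_proxy(peer) or not xff_header.strip():
        return str(peer)  # direct visitor (or no header): the peer is the client

    # XFF is "client, proxy1, proxy2, ...": each proxy appends the address it saw.
    # Walk from the right and skip our own trusted proxies; the first address
    # that is not one of them is the real client.
    hops = [h.strip() for h in xff_header.split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: refuse to trust the header
        if not is_trusted_proxy(addr):
            return str(addr)
    return str(peer)  # every hop was a trusted proxy; attribute to the peer


if __name__ == "__main__":
    # Constructed samples: 203.0.113.9 is a direct visitor, 94.46.150.3 a CDN edge,
    # 198.51.100.7 the client behind the CDN.
    cases = [
        ("203.0.113.9", "198.51.100.7"),                # forged header from a direct visitor
        ("94.46.150.3", "198.51.100.7"),                # genuine CDN hop
        ("94.46.150.3", "198.51.100.7, 94.46.150.4"),   # two CDN hops
        ("94.46.150.3", ""),                            # CDN hop without the header
        ("94.46.150.3", "not-an-ip"),                   # garbage header
    ]
    for peer, xff in cases:
        print(f"peer={peer:12} xff={xff!r:32} -> {client_ip(peer, xff)}")
```

    With this rule in place a bot scanning the origin through the CDN is attributed to its own address from the header, while a bot connecting directly and sending a forged X-Forwarded-For is still attributed to its TCP peer address; whitelisting the CDN ranges outright would give up that distinction.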

  • The topic ‘CIDR Whitelist – Feature Request’ is closed to new replies.