Falcon Cache and InfiniteWP

Hi Matt! Based on David’s thoughts, I was thinking this was something that WF might be fixing, so I had just been standing by to hear from WF on this. There are a number of workarounds, including just switching to a different caching plug-in. Was really hoping with both developers talking, the actual problem could be discovered.

– Scott

Scott: Thanks for the quick reply! Since the testing that wfmatt did couldn’t replicate the problem exactly (I couldn’t either), it seems that InfiniteWP itself is working ok with Wordfence for us, so we would need more information to help see what is happening on your server. I haven’t seen any other reports of similar problems since the thread started, so it might be something rare.

It could be another plugin or the theme using GET requests in a strange way, or something unusual in .htaccess, or someone even attempting to send malicious requests (which may not actually be hurting anything) triggering this problem as a side effect. The access_log entries near the time of the cache file would help narrow it down, to see if the request causing the caching coming from the IP where InfiniteWP is installed, and whether it has an odd user agent, URL parameters, etc.

OK, let me re-enabled Falcon on a few sites, then I will monitor them for home page changes and try to capture the logs. Stand by.

FYI, if you search Google for IWPHEADER, there are several other sites that are either borked now, or they were borked when Google indexed them. I’ve confirmed that these sites listed in Google results are not hosted with our service.

Also, even though I have 100+ sites enabled with Falcon, and all managed via InfiniteWP, not all of them have been borked, nor are borked instantly. When this is all sorted out, I’m sure it will be an “of course” moment, but until then, I am not sure of the magic sauce that causes it for some of these customers. At one point, I had about 1/3 of my sites borked before disabling Falcon (actually I believe even if you have the basic caching, it can be borked, it’s not just Falcon)

– Scott

I can confirm that the borking happens with both caching modes.

Thanks, Bob, that is good to know too.

Scott or Bob: If you have an access_log from a site that you’re willing to share, even if the problem isn’t visible right now and you don’t know the date/time that it happened, can you send it to me at mattr [at] wordfence.com ?

@infinitewp We do check to see if the request method is GET before creating a cache file. It doesn’t matter whether the request body was URL encoded data or base64 encoded serialized data. The IWP client plugin will use whatever is in php://input, so you use GET, POST, PUT, etc as the HTTP method and still get a response from IWP back, which could be why these are being cached. I’m not thrilled about anyone being able to cache a response back from the IWP client plugin anyways, which is basically what you can do here. If you added in between lines 91 and 92 if ($_SERVER['REQUEST_METHOD'] != 'POST') return; in https://plugins.svn.www.ads-software.com/iwp-client/tags/1.3.15/init.php that should prevent a GET request with the IWPHEADER response from being cached.

I also looked at a few of the sites whose response from IWP was indexed by Google. The site 2-cent.com was amongst that list, and in the cached response it shows a list of installed plugins. Wordfence isn’t on that list. Here’s the decoded and unserialized response:

https://pastebin.com/yqzPP5Zn

Wordfence is also not on the list of installed plugins for the site that Bob picked randomly either.

https://pastebin.com/Vece2Kv6

Hi guys. Yesterday, per my previous post, I had re-enabled Falcon caching inside WordFence, on 5 of my accounts that I manage with InfiniteWP, then I started monitoring them every 5 minutes for being borked.

Just a few minutes ago, I received alerts that ALL 5 of the sites are now borked.

I am going to capture access logs now then un-bork, unless you want to see them borked.

@wfmatt, great catch to notice that the other borked sites are not running WordFence. I feel bad that I hadn’t thought of decoding those sites to see that for myself. ??

– Scott

@infinitewp FYI, at exactly the same time as all the sites were borked, I received an email from my IWP installation with the subject of “InfiniteWP | New updates available.”

I’ll be emailing @infinitewp and @wfmattr the logs shortly.

Thanks everyone for the help!!

– Scott

Just like yesterday, I received my daily “InfiniteWP | New updates available.” email from InfiniteWP, and my monitoring showed all 5 sites (that I had re-enabled Falcon caching on) as being borked. It happened at exactly the same time as yesterday. Email arrived at 10:06am from IWP. My monitor showed sites starting to get borked by 10:04am.

– Scott

FYI, I have added the code that @wfmatt suggested into init.php on TWO of the sites (the sites I emailed you about starting with har and kb1). I will see what happens tomorrow morning.

– Scott

Right on schedule, all the sites that I have enabled Falcon on, that are managed with InfiniteWP, were borked again at the same time as the last two days. HOWEVER, the two sites that I edited the InfiniteWP code in init.php did NOT get borked! So, the code fix suggested by @wfmatt seems to fix it.

@infinitewp any thoughts on this?

– Scott

That’s great that the response is no longer being cached, but it might not be a complete solution — this might stop InfiniteWP from being able to access the site. In the access logs, I could see that the request was listed as a POST, but since Matt’s code stopped the problem, that means it’s no longer seen as a POST by the time that both InfiniteWP and Wordfence see it in WordPress.

If you haven’t tested this change from wfmatt’s first post yet, it might help:
<i>The IWP admin offers a way to specify the /wp-admin/ as the URL to connect to when it talks to the IWP client plugin (Edit Site Details > Advanced > Connect Using). The Wordfence cache does not cache anything in /wp-admin/ so hopefully that works as an alternative.</i>

The team did find that any sites we looked at were running cPanel, and there didn’t seem to be any correlation with the active plugins. The access logs also showed that the response to the page was an HTTP 401, which Wordfence wouldn’t generate (I don’t think InfiniteWP does either), so this may actually be an unusual problem in cPanel. You might find something more in the cPanel logs — if I remember correctly, I think it’s /usr/local/apache/logs, but there could be quite a few to look through. If you have mod_security active, you might also find something about the ‘401’ response in WHM’s Mod Security logs.

Hi MattR. You are correct on Mod Security. Sure enough, all of the sites are hitting a rule. Even the sites that are NOT getting borked after @wfmatt’s code change, are still hitting this rule every day when the daily InfiniteWP cron runs:

2015-07-29 10:02:55
Destination: (domain name of WP site redacted)
Source: (IP of server that runs InfiniteWP script redacted)
Status: 401
Rule ID: 5000222: / POST blocked, no referer

The rule is:

Rule ID: 5000222
Rule Text:
#Deny POST to / with no referrer, safe for cust use. OK to whitelist if needed, but whitelisting this will remove certain DoS protections.
SecRule REQUEST_URI “^\/$” “deny,status:401,id:5000222,chain,msg:’/ POST blocked, no referer'”
SecRule REQUEST_METHOD “POST” “chain”
SecRule &HTTP_REFERER “@eq 0”

This rule is fairly new, so I don’t think it is the cause of the borking problem (that problem has been around a long time) BUT the borking problem did get much, much worse recently, and it might be timed to the addition of this mod sec rule.

The mod sec rule set comes from the data center (LiquidWeb). It would be interesting to see if the other sites you found borked happened to be hosted at the same data center.

As a test, I will remove this rule for all 5 sites of our test today, and see what happens tomorrow.

Regarding editing InfiniteWP to specify /wp-admin, I have not tried that, but I’m certain it would work. I just figured that we shouldn’t have to do this work around, and that others might benefit from finding a better solution not requiring workarounds. If it comes to this, by all means I will implement!

– Scott

P.S. Regarding your concern that @wfmatt’s code change might block InfiniteWP from accessing the sites… My initial tests seem to indicate that InfiniteWP still works. I am able to have it poll the sites to check for plugin/theme/core status, and I can apply updates remotely. I have not tried every feature of IWP, but the baseline stuff seems to be OK so far.

– Scott