Resolved pennymachines
(@pennymachines)

3 years, 4 months ago

Hi,
When I enabled Full WAF mode, various processes outside my multisite WordPress directory were affected. For example, I could no longer delete images on a phpBB forum. When I disabled javascript and tried again, Ninjafirewall reported: “Sorry (IP), your request cannot be processed. For security reasons, it was blocked and logged.

Wordpress and phpBB are installed in two separate root sub-directories.

It is blocking other critical processes outside WP.

Is this normal? Is there an easy remedy?

For now I’ve deactivated Ninjafirewall because, having activated Full WAF, I could find no way to deactivate it.

I would welcome any advice. Thanks.

Viewing 5 replies - 1 through 5 (of 5 total)

Thread Starter pennymachines
(@pennymachines)

3 years, 4 months ago
OK, having now read the manual, I’m a little wiser…
NinjaFirewall Full WAF vs WordPress WAF mode

I also see instructions for enabling/disabling Full WAF mode.

So now I need to figure out how to tame it a bit and allow some scripts external to WP.
- This reply was modified 3 years, 4 months ago by pennymachines.
Plugin Author nintechnet
(@nintechnet)

3 years, 4 months ago
In “Full WAF” mode, all sub-directories are under the firewall protection. If there’s a third-party PHP application, it’s better to disable the firewall in its folder.
There are different methods to do that, but the simplest one would be to create a .user.ini file in the phpBB folder with the following content:
```
; BEGIN Disable NinjaFirewall for that folder
auto_prepend_file = 
; END Disable NinjaFirewall for that folder
```
The main goal here is to override the auto_prepend_file directive used by the firewall with an empty value.
If that doesn’t work, let me know and we’ll try another method.
- This reply was modified 3 years, 4 months ago by nintechnet.
Thread Starter pennymachines
(@pennymachines)

3 years, 4 months ago

Thank you so much for the advice.
Unfortunately, that didn’t work. I think my host disallows over-riding server settings with .ini
Plugin Author nintechnet
(@nintechnet)

3 years, 4 months ago
In the next version of NinjaFirewall there will be an option to manage the Full WAF mode and to exclude folders. But in the meantime, you can use the .htninja script to exclude it:
```
<?php
/*
 +===========================================================================================+
 | NinjaFirewall optional configuration file                                                 |
 |                                                                                           |
 | See: https://blog.nintechnet.com/ninjafirewall-wp-edition-the-htninja-configuration-file/ |
 +===========================================================================================+
*/

if (strpos($_SERVER['SCRIPT_FILENAME'], '/phpBB/') !== FALSE) {
   return 'ALLOW';
}
```
Replace phpBB with the phpBB folder’s name. Make sure to keep the leading and tailing / for better accuracy.

Upload that .htninja script into your document root folder, then log in to WordPress, go to “NinjaFirewall > Dashboard” and make sure the firewall detected it:
Thread Starter pennymachines
(@pennymachines)

3 years, 4 months ago

That’s got it!
Thank you again for your help, and for this excellent plugin.
Full WAF mode exclude options in the next version sounds like a good plan.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Firewall blocking processes outside WordPress’ is closed to new replies.