Firewall blocks the post/page edit on WP 4.0

Hey,

Thanks for reporting this. I’ve tested this on WordPress 4.0 RC-1 on normal wordpress, not multisite and it doesn’t seem to display this problem.

I’ll have a go at WPMS and see what’s going on there.

Can you elaborate a bit further on the “ignore administrator” not working…? What way exactly have you got it setup and using it so that that’s not working as it should.

Thanks,
Paul

Hi Paul,

I hope you’ll be able to reproduce it on the Multisite installation. I didn’t notice this immediately after the upgrade to the WP 4.0. It’s like it appeared with one of the WP automatic background updates. Maybe it conflicts with some of the plugins, but the fact is the issue disappears when I disable the Firewall’s option “Block WordPress Specific Terms”.
We’ll see are you able to reproduce the problem. I’ve just tried with the blog on the subdomain of the site’s installation (i.e. not the mapped domain) and the issue is the same. So, it’s not the domain mapping problem.

Regarding the “ignore administrator”:
Well, obviously on the Multisite you have set this Firewall’s option to consider just the Super Admins ( not the Administrators of individual blog as well). This means, if the option “Ignore Administrators” is checked the Firewall won’t block me if I try to edit the post/page as a Super Admin. To reproduce the problem you’ll have to update the post/page as an blog Admin (or some other user with lower capabilities). Alternatively, from the Firewall options, you can unckeck the option “Ignore Administrators” and you should be blocked while trying to update the the post/page, even as a Super Admin.

Hope this clarifies it.

Cheers!

I’ve just tested WP4 RC3 on WPMS and I can save draft, preview and publish on a network site and I didn’t trigger the plugin’s firewall. I can’t replicate this problem.

My feeling is here that a plugin perhaps that you may have installed is interfering here and is adding something that is triggering this… I can’t replicate it to fix it :-/

I’ve just found the solution, it blocks the data of the WP Review plugin.

This was hard to find, since even after deactivating all the plugins and switching to the default theme, Simple Firewall still was blocking the post update. Even after deleting the WP Review plugin, its data still was in the database and still was causing the firewall’s block. When I deleted the postmeta tables associated with this plugin, firewall didn’t block anymore.

I’m not sure they would be ready to fix this, since all the tables name had “wp_”. Any workaround, exclusion or something, from the Firewall point?

Thanks!

Well, I see the firewall has the Whitelist Parameters field, but I’m not sure what should I enter here. Placing just “wp_review” won’t help. And I cannot log the offending parameter:
– I’ve set the email address in the firewall settings but emails do not arrive – and built-in firewall’s log do not report anything. There’s a message

There are currently no logs to display. If you expect there to be some, use the button above to Clean/Fix them.

But after I hit the clear button, it still won’t record anything.

As I expected, WP Review’s author just confirmed that they won’t be willing to replace that prefix.
Hopefully you’ll be able to instruct me how to whitelist this.

Sorry for the delay in getting back to you on this.

With the latest release you should be able to re-enable the WordPress Firewall log and it’ll start populating. Perhaps it’ll give more clues as to what is being blocked.

Failing that, in the white list page/parameter text area, place:

post.php

That should whitelist the whole page.

Let me know if that helps.

First, thanks for the support.

Yes, Firewall log is now recording but only information I’m getting is the IP. Then I could whitelist/blacklist the IP. I’m not able to see the parameter this way.

Also placing the ‘post.php’ in parameters whitelist didn’t do the trick.
Updating the post/page won’t be blocked by Firewall only if the option ‘Block WordPress Specific Terms’ is disabled.