Firewall Sync Is Excesive

Hello Digitsoft,
under “Firewall” in WordFence menu you can disable the firewall completely by selecting “Disabled” in the “Firewall Status” drop-down-menu.

It seems like something is not right though and if you would like to figure out what it is could you please describe the situation in more detail? Where are you seeing these calls? What is the originating URL? How often are they landing? You could take a screenshot and share it here if you feel comfortable with that. Otherwise you can mail it to [email protected].

I’ve got a similar problem on one of our sites…
Only one out of 50+ installs.

It appears to be attacking itself… Our server engineer has added to .htaccess to prevent it doing that…

I’ll email you the server log!

Before I saw your post I deactivated the plugin and reactivated it and the sync problem stopped (at least for now).

I saw the calls in the apache log and the originating IP is my server’s IP.

There were approximately 45,000 hits before I deactivated the plugin.

I emailed the first 350 log lines to you just now.

I’ll dig into it further to see if there’s anything I can find.

I have htaccess configured to only allow a POST from my home ip or 127.0.0.1 on almost all sites due to attacks.

The POST commands are coming from wordfenceClass.php line 1004 and are POSTing with the server ip and not localhost. I’d have to imagine this is the cause.

When using CURL you can specify the ip with CURLOPT_INTERFACE, but after looking through the CODEX for the function it doesn’t appear it’s available.

Anyway…hopefully there’s a way to POST using localhost because I know I’m not alone in refusing a POST from anything other than localhost.

There should also be a little code added that prevents this looping call from taking down a server.

LMK if there’s anything else I can help with…

Rob

Thanks both of you, I will relate this to the devteam.

Hello again Digitsoft,
just an update. We have filed this as a bug that will hopefully be fixed by 6.1.6 release. For now you could edit your .htaccess and add the server IP there to IPs that are allowed to post.

What are you adding to the .htaccess specifically?

Thanks!

Hello brianjking,
it depends on your server configuration and your Wordfence settings. If you are not using Wordfence cache the only thing that could be added to your .htacces is a small piece of code that makes Wordfence load before WordPress. (This makes it possible for Wordfence to stop attacks before plugins and themes have loaded). It has this line

auto_prepend_file = '/home/[user]/public_html/wordfence-waf.php'

Hi wfasa,

Did this get fixed in yestrdays update?

Hello t1create,
we are still working on this issue.

I concur there’s way too many syncAttackData hits. We’re a multisite with ~1.2K blogs (if that makes any difference), and seeing ~5 hits per minute like this below. It’d be nice to be able to calm this down.

[18/May/2016:09:43:28 -0700] "POST /?wordfence_syncAttackData=1463589808.0101 HTTP/1.0" 200
[18/May/2016:09:43:33 -0700] "POST /tophatandreef/?wordfence_syncAttackData=1463589813.3117 HTTP/1.0" 200
[18/May/2016:09:43:34 -0700] "POST /?wordfence_syncAttackData=1463589814.814 HTTP/1.0" 200
[18/May/2016:09:43:35 -0700] "POST /?wordfence_syncAttackData=1463589815.3518 HTTP/1.0" 200
[18/May/2016:09:43:37 -0700] "POST /sthorlarsen/?wordfence_syncAttackData=1463589817.2177 HTTP/1.0" 200
[18/May/2016:09:43:43 -0700] "POST /?wordfence_syncAttackData=1463589823.1754 HTTP/1.0" 200
[18/May/2016:09:43:46 -0700] "POST /rachaelalexandra/?wordfence_syncAttackData=1463589826.8591 HTTP/1.0" 200
[18/May/2016:09:43:58 -0700] "POST /?wordfence_syncAttackData=1463589838.0061 HTTP/1.0" 200
[18/May/2016:09:44:07 -0700] "POST /cursewords/?wordfence_syncAttackData=1463589847.1255 HTTP/1.0" 200
[18/May/2016:09:44:09 -0700] "POST /myuviclife/?wordfence_syncAttackData=1463589849.6995 HTTP/1.0" 200
[18/May/2016:09:44:27 -0700] "POST /?wordfence_syncAttackData=1463589867.9858 HTTP/1.0" 200
[18/May/2016:09:44:39 -0700] "POST /benjaminphilipgeorge/?wordfence_syncAttackData=1463589879.4631 HTTP/1.0" 200
[18/May/2016:09:44:39 -0700] "POST /?wordfence_syncAttackData=1463589879.624 HTTP/1.0" 200
[18/May/2016:09:44:58 -0700] "POST /?wordfence_syncAttackData=1463589898.0682 HTTP/1.0" 200
[18/May/2016:09:45:05 -0700] "POST /?wordfence_syncAttackData=1463589905.4507 HTTP/1.0" 200
[18/May/2016:09:45:10 -0700] "POST /myuviclife/?wordfence_syncAttackData=1463589910.4595 HTTP/1.0" 200

I am still getting these, but as “Get” errors. My system is stopping them. Had 31 yesterday that just my error log has picked up.

403 GET Request: July 5, 2016 - 10:46 am
My Site Hosting IP address
My Site Hosting server name
/?wordfence_syncAttackData=1467733582.8526  [=number changes each time]

Thank you much.

Hello!
We had a fix that went out for this with 6.1.4.

Do you have any odd rules in .htaccess that might be preventing syncAttackData from working normally? Are you blocking all post request or something similar?

Anyone with sync attacks that has htaccess rules preventing all POSTs (like I did) AND even with the current update (it fixed this issue for me though) – you need to add 2 lines in your htaccess rules for the condition like this to allow your server to post to itself:

RewriteCond %{REMOTE_ADDR} !127.0.0.1
RewriteCond %{REMOTE_ADDR} !<your server ip>

Hello,

I would like to know if there are other known issues like that.

I am asking because I noticed some customers using latest WP (4.5.3), latest WF (6.1.10) causing an incredible amount of curl-Requests after “/?wordfence_syncAttackData” is called (which happens 6-8 times a second). (Not joking.)