REST-API appears to be blocked, even when Off

Hi!

Could you delete all entries from the black access list and try to reproduce the issue? P.S. To preserve entries you can export them to a file.

Hi Gioni,

Thanks for replying!

The Black IP Access List (in the Access List tab) had only one item. I deleted it. No difference when trying to use the Contact Form via VPN from a diff IP address that is not on the White List: unable to complete the form processing.

Now, the Activity Log shows the IP address I just used to test the Contact Form as Black listed with the following information: “Request to REST API denied IP blacklisted” exactly as I reported yesterday.

Is there a way to clear THAT list??? Can I set everything to 0 and start over?

Thank you again,
JF

Hi Gioni,

It would be helpful to get this problem resolved. Please review my reply from 6 days ago. If there is a way for me to clear up all the black lists, I can then try to install the latest plugin version. Right now, I am using version 6.1 that interferes with Contact Form 7.

Thank you again,
JF

Hi Josefus!

Does the form work if you have not enabled “Disable REST API”? Have you entered contact-form-7 into the text field “Specify REST API namespaces to be allowed if REST API is disabled”?

Please set up the plugin according to this: https://wpcerber.com/restrict-access-to-wordpress-rest-api/

Hi Gioni,

Thank you for replying.

No. The form doesn’t work when WP Carber is installed, no matter what the RESP API settings are. THAT’S WHY I posted here. Please look at the top of THIS page. My first entry details everything.

And, after you read my original request, if you also tell me how to erase all the past black list items, I will try again to install the latest version (which previously blocked my main user).

I really need your help because the user needs Contact Form 7 to word AND have security.

Thank you again,
JF

Part 1.
Go to the Tools / Diagnostic tab. Scroll down to the Database info section. Find: Table: cerber_acl. Click Delete all rows.

Part 2.
Turn off Disable REST API on the Hardening tab. Try to submit a form. Check the Activity tab. What do you see?

Hi Gioni,

I did exactly what you said, above, in the order you instructed me, and have been testing it extensively.

Unfortunately, it’s not working correctly for me. Here’s how:

1. Starting with WP-Cerber 6.1, I cleared the ACL and made sure the Disable REST API was off (THE BUTTON WAS GRAY!).

Looking at the Access List page, both Whitelist and Blacklist were empty.

2. I entered 2 IP addresses to the Whitelist, and entered *.*.*.* to the Blacklist.

2. I was able to login via the custom login URL, and so did my main user (who is far away from me).

3. I was NOT able to process Contact Form 7 messages entered via VPN from remote IP addresses–I didn’t want to use the ones from the Whitelist.

Each time I tried to use the Contact Form, and was blocked, the Activity log added the VPN IP address to the Blacklist, showing the following:

Form submission denied (in RED) and IP blacklisted (in GRAY)

Just to be sure I am very clear on this: All of the above is with DISABLE REST API BUTTON GRAY, NOT GREEN.

4. As soon as I remove *.*.*.* from the Blacklist, I am able to process Contact Form & messages.

THEN, when I updated WP-Cerber 6.1 to 6.7, I experienced the same, AND when *.*.*.* was entered to the Blacklist, I and my main user were unable to login to the site:
AS IF OUR IPs ARE ON A BLACKLIST SOMEWHERE…

My impression is that even when I clear the Access Lists, there exist a list somewhere which blocks my VPN IPs — maybe it’s an older list that is used by Cerber Labs? No idea.

AND, most importantly, it seems that in both versions 6.1 and 6.7 it matters not whether REST API is disabled, the system still blocks Contact Form 7 when I *.*.*.* is entered to the Blacklist.

I have screen shots of the various steps and would be happy to share with you, if you can provide an email address for me to send it to.

SO, right now, I can only work with the system if I don’t enter *.*.*.* which is unfortunate. I can wait a few days to see if you can help me overcome this, but eventually I need to block everyone from trying to login from all locations other than two or three IP addresses, and this is how I tried to accomplish it.

I hope this is clear. If not, please tell me.

Thank you again for your help!
JF

• This reply was modified 6 years, 10 months ago by Josefus Flavius.

The *.*.*.* wildcard is the cause. Probably I missed this point or you haven’t tell me about the wildcard. Anyway, a bug with wildcards has been fixed in the development version. Here is the solution: https://wpcerber.com/development-version-6-7-3/

Thank you, Gioni.

I installed version 6.7.3 then cleared the ACL, and then setup both Whitelist and Blacklist. But I am still having the same problem with Contact-Form-7.

When the wild-card is included in the Blacklist, Contact-Form-7 does not process (the wheel keeps turning forever). This is true whether I have the Disable REST API ON (Green) with contact-form-7 entered in the exclusion box, or I have it OFF (Grayed out).

Just as before, each time a form processing is blocked, the IP address is added to the Activity Log as follows:

IP # Form submission denied (RED) IP blacklisted (GRAY)

As soon as I remove the wild card from the Blacklist, the form works.

Also, is there a way for me to remove the IP addresses shown in the log as blocked? I am running out of VPN IP address options and I am afraid that the ones on the list will prevent me from testing future situations.

I am hoping that you can solve this so I can continue to use the plugin, which I really like a lot, but I really need to have the wild-card option available to me and be able to process the contact form.

Thank you again,
JF

That is normal. The plugin blocks all form submissions if you enter the *.*.*.* wildcard to the Blacklist. If you use a wildcard, you have to add an IP or a network or a range to the Whitelist to permit them to submit forms. Otherwise nobody will be able to submit forms on your website.

Note: only IP addresses that are show on the Lockouts tab are currently blocked. The IP blacklisted mark on the Activity tab means IP address WAS in the Blacklist at the moment when a particular event was logged (recorded). The same way the Locked out mark means IP address WAS temporarily blocked due to malicious/suspicious activity at that moment.

Thank you again, Gioni.

SO, with wildcard entered (*.*.*.*) and either

a) Block REST API not activated

OR

b) RES API activated but contact-form-7 is excluded (in the exclusion box)

I will not be able to use the Contact Forms??? Meaning, the wildcard overrides everything else, even if you specify to exclude Contact Form 7?

Thank you,
JF

Yes. Entries in the Blacklist and Whitelist have the highest priority among other security features and rules. Also note: entries in the Whitelist have higher priority than entries in the Blacklist. Read more: https://wpcerber.com/using-ip-access-lists-to-protect-wordpress/

I see. Thank you for pointing me to this.

BUT, it’s unfortunate. Of course, I understand the programability aspect of using hierarchies… But, in this case, it means that users cannot benefit from a certain combination of features.

If it could be adjusted, it would be better to offer users BOTH to have a wildcard AND allowing a certain form to be used (Contact-Form-7 in my case). And if you have a switch that allows, in effect, the RESP API exclusion (for the forms in the exclusion box) to gain a higher hierarchy *only when selected*, we could benefit from both.

Of course, I don’t know how this would complicate the operation of the plugin, but theoretically it could be done with if/then statements, as I’m sure you know… ??

Thank you again for all your help!
JF

Hi Josefus!

The plugin algorithms are developed based on best network security practices. For majority cases the hierarchical approach is optimal. On the other hand it can’t cover all possible cases. In such a case the best approach is using a bespoke solution. Actually, you should not use wildcards in your case because the plugin is smart enough to protect WordPress even with no entries in the access lists.