• I have multiple WordPress sites running through Cloudflare and using Wordfence, but for some reason this one won’t connect and run a scan anymore. I’ve had the host and a tech person look at it and try the troubleshooters but both were stumped. I’ve sent the diagnostic report by e-mail. User name is my e-mail address.


Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @globetrots, thanks for providing your diagnostic.

    From the information provided, I can see that the wp_remote_post() fails with a “503: Service Unavailable” error page, suggesting that a block is being triggered when our servers attempt to connect back to this site.

    I won’t post your server IP here for security reasons, but you can discover it yourself from the Wordfence > Tools > Diagnostics page under “IP(s) used by this server”. Then check to see whether that IP appears under Wordfence > Live Traffic or Wordfence > Firewall > Blocking. You can choose to “Unblock IP” from both of those screens.

    This should rectify the connectivity issue when our servers attempt to re-access your site as part of the scan.

    Just in case, I have also seen this come up recently where the Cloudflare firewall needed to have Wordfence IPs added to the whitelist. You may need to add these under Cloudflare’s “rules” and “tools” sections if you haven’t already. Our IPs for reference can be found here: https://www.wordfence.com/help/advanced/#servers-and-ip-range

    Let me know how you get on!

    Peter.

    Thread Starter globetrots

    (@globetrots)

    Unless there’s some kind of delay (I cleared the cache), neither of these solutions worked. The scan is still stopping almost immediately and giving an error message. Only one of the three IP addresses was blocked in Wordfence and that one was by the request of affiliate network CJ: it was making thousands of clicks on affiliate links. They said it was a malicious IP address that was impacting multiple sites, not just mine, so they were requesting affected sites to block it. So how is it connected to my own server or WordPress’?

    Is this maybe a bug in the WordPress installation itself on this particular site? Do I need to uninstall and start over? As I said, I have the scans running on multiple others (including one on the same hosting platform) with no problems. And it is still blocking okay, just not scanning.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @globetrots,

    Thanks for your feedback and I’m sorry to see my original suggestions didn’t work. I’m not so sure that the IP you saw as blocked is connected to Wordfence or your site, but could be wrongly reported if IP detection isn’t functioning as expected.

    Just to confirm whether that is an issue, if you look up your public facing IP address at: https://www.whatsmyip.org/ and re-visit Wordfence > Dashboard > Global Options > General Wordfence Options > How does Wordfence get IPs and cycle through the options, do any of the values match it? I would expect with Cloudflare, “CF-Connecting-IP” HTTP header would obtain the correct visitor IP. Make sure to click SAVE if you do have to change this.

    You may find the “How does Wordfence get IPs” section informative on: https://www.wordfence.com/help/dashboard/options/#general-wordfence-options

    We’ve already had your diagnostic, but could I see an output of the scan failure, as this can shed more light on the specific error your site is experiencing?

    • Kill the existing scan if it is still running (the “Start New Scan” button turns into a “Stop” button while the scan is running)
    • Go to your Scan > Scan Options and Scheduling page and locate the “Performance Options”
      Set “Maximum execution time for each scan stage” to 20 on the options page
    • Click to “Save Changes”
    • Go to the Tools > Diagnostics page
    • In the “Debugging Options” section check the circle “Enable debugging mode”
    • Click to “Save Changes”.
    • Start a new scan
    • Copy the last 20 lines or so from the Log (click the “Show Log” link) once the scan finishes and paste them in the post.

    Thanks again,

    Peter.

    Thread Starter globetrots

    (@globetrots)

    OK, I did all that, my IP address is in there (though I’ve tried from several different ones).

    Scan keeps failing, here’s the short and sweet log from the last few attempts. It only takes a second or two to fail.

    [Jun 15 14:27:32:1623781652.808071:4:info] Scan process ended after forking.
    [Jun 15 14:27:32:1623781652.355713:4:info] Starting cron via proxy at URL https://noc1.wordfence.com/scanp/www.hotel-scoop.com/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&scanMode=standard&cronKey=9d6d7306f95cc1f5fbc5d714c88183d3&k=dc6cabc117d1d99c6cde27848b20b7a05f3eccd74201ddeb7ced2a13045a0d308ccd9ea77ab30f1265553371fbe3b6bb049014e5a7c88e6ea6b80ac46d1145343f0558825ebf65d39896b04845b12937&ssl=1&signature=1e38f49427e2fb29ef27963237546f2042714ebd9b5cafe272ba4bade988b514
    [Jun 15 14:27:32:1623781652.353251:4:info] getMaxExecutionTime() returning config value: 20
    [Jun 15 14:27:32:1623781652.352735:4:info] Got value from wf config maxExecutionTime: 20
    [Jun 15 14:27:32:1623781652.351550:4:info] Entering start scan routine
    [Jun 15 14:27:32:1623781652.349547:4:info] Ajax request received to start scan.
    [Jun 15 14:27:26:1623781646.137936:10:info] SUM_KILLED:A request was received to stop the previous scan.
    [Jun 15 14:27:26:1623781646.137168:1:info] Scan stop request received.
    [Jun 15 14:26:06:1623781566.488058:4:info] Calling Wordfence API v2.26:https://noc1.wordfence.com/v2.26/?k=dc6cabc117d1d99c6cde27848b20b7a05f3eccd74201ddeb7ced2a13045a0d308ccd9ea77ab30f1265553371fbe3b6bb049014e5a7c88e6ea6b80ac46d1145343f0558825ebf65d39896b04845b12937&s=eyJ3cCI6IjUuNy4yIiwid2YiOiI3LjUuNCIsIm1zIjpmYWxzZSwiaCI6Imh0dHBzOlwvXC93d3cuaG90ZWwtc2Nvb3AuY29tIiwic3NsdiI6MjY5NDg4MzE5LCJwdiI6IjcuMy4yOCIsInB0IjoiZnBtLWZjZ2kiLCJjdiI6IjcuNzcuMCIsImNzIjoiT3BlblNTTFwvMS4xLjFrIiwic3YiOiJBcGFjaGUiLCJkdiI6IjEwLjMuMjktTWFyaWFEQiIsImxhbmciOiIifQ&betaFeed=0&action=timestamp
    [Jun 15 14:26:03:1623781563.011808:4:info] Calling Wordfence API v2.26:https://noc1.wordfence.com/v2.26/?k=dc6cabc117d1d99c6cde27848b20b7a05f3eccd74201ddeb7ced2a13045a0d308ccd9ea77ab30f1265553371fbe3b6bb049014e5a7c88e6ea6b80ac46d1145343f0558825ebf65d39896b04845b12937&s=eyJ3cCI6IjUuNy4yIiwid2YiOiI3LjUuNCIsIm1zIjpmYWxzZSwiaCI6Imh0dHBzOlwvXC93d3cuaG90ZWwtc2Nvb3AuY29tIiwic3NsdiI6MjY5NDg4MzE5LCJwdiI6IjcuMy4yOCIsInB0IjoiZnBtLWZjZ2kiLCJjdiI6IjcuNzcuMCIsImNzIjoiT3BlblNTTFwvMS4xLjFrIiwic3YiOiJBcGFjaGUiLCJkdiI6IjEwLjMuMjktTWFyaWFEQiIsImxhbmciOiIifQ&betaFeed=0&action=resolve_ips
    [Jun 15 14:26:02:1623781562.796972:4:info] Calling Wordfence API v2.26:https://noc1.wordfence.com/v2.26/?k=dc6cabc117d1d99c6cde27848b20b7a05f3eccd74201ddeb7ced2a13045a0d308ccd9ea77ab30f1265553371fbe3b6bb049014e5a7c88e6ea6b80ac46d1145343f0558825ebf65d39896b04845b12937&s=eyJ3cCI6IjUuNy4yIiwid2YiOiI3LjUuNCIsIm1zIjpmYWxzZSwiaCI6Imh0dHBzOlwvXC93d3cuaG90ZWwtc2Nvb3AuY29tIiwic3NsdiI6MjY5NDg4MzE5LCJwdiI6IjcuMy4yOCIsInB0IjoiZnBtLWZjZ2kiLCJjdiI6IjcuNzcuMCIsImNzIjoiT3BlblNTTFwvMS4xLjFrIiwic3YiOiJBcGFjaGUiLCJkdiI6IjEwLjMuMjktTWFyaWFEQiIsImxhbmciOiIifQ&betaFeed=0&action=resolve_ips
    [Jun 15 14:23:53:1623781433.544059:4:info] Scan process ended after forking.
    [Jun 15 14:23:53:1623781433.092492:4:info] Starting cron via proxy at URL https://noc1.wordfence.com/scanp/www.hotel-scoop.com/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&scanMode=standard&cronKey=1dc8b22f64c932e21d609b09a0668a0b&k=dc6cabc117d1d99c6cde27848b20b7a05f3eccd74201ddeb7ced2a13045a0d308ccd9ea77ab30f1265553371fbe3b6bb049014e5a7c88e6ea6b80ac46d1145343f0558825ebf65d39896b04845b12937&ssl=1&signature=f8533b664df27f1d870bafc1fc1accd6dd19d9ee01b67e6bdbaec6c8be3730ca
    [Jun 15 14:23:53:1623781433.088697:4:info] getMaxExecutionTime() returning half ini value: 45
    [Jun 15 14:23:53:1623781433.088154:4:info] ini value of 180 is higher than value for WORDFENCE_SCAN_MAX_INI_EXECUTION_TIME (90), reducing
    [Jun 15 14:23:53:1623781433.087630:4:info] Got max_execution_time value from ini: 180
    [Jun 15 14:23:53:1623781433.087034:4:info] Got value from wf config maxExecutionTime: 0
    [Jun 15 14:23:53:1623781433.085843:4:info] Entering start scan routine
    [Jun 15 14:23:53:1623781433.083934:4:info] Ajax request received to start scan.
    Plugin Support wfpeter

    (@wfpeter)

    Hi @globetrots,

    Please check the instructions under Scan process ended after forking in our documentation to ensure permissions and .htaccess blocks are not preventing access to the wp-admin folder. Memcache or object-cache may also need to be restarted twice if present on your configuration. Also ensure your own server IP has access to this folder.

    It seems that “Maximum execution time for each scan stage” is now set to our recommended value although the earlier log information mentioned using 180 instead of 20 – but that may have been an attempt before we changed it.

    If the link I’ve provided above was already attempted before contacting us, let me know and I’ll look into further steps Cloudflare sites have required in the past. However, usually the scan time along with adding our IPs to the Cloudflare whitelist is sufficient. Sometimes the site’s own IP needs to be allowed here too so I’ll provide those instructions below just in case that’s not already present, but I appreciate it might be.

    • Login to Cloudflare
    • Go to “Firewall”
    • Click the “Firewall Rules” tab
    • Click “Create a Firewall rule”
    • Name the rule under “Rule Name”
    • Set the “Field” under “When incoming requests match…” to “IP Address”
    • Enter your site’s IP address under “Value”
    • At the bottom, under “Then…Choose an action” change “Block” to “Allow”
    • Click “Deploy”

    Thanks again,

    Peter.

    Thread Starter globetrots

    (@globetrots)

    I added the site IP as a Firewall rule, but no change from that. Scan stops a second after starting.

    I’m having a tech person check over the htaccess file to make sure nothing is off there.

    This other part I don’t understand. Where would that even be to restart it twice?

    “Memcache or object-cache may also need to be restarted twice if present on your configuration.”

    Plugin Support wfpeter

    (@wfpeter)

    Hi @globetrots,

    Using the Cloudflare firewall rule instructions above, could you please allow all 6 IPs seen on: https://www.wordfence.com/help/advanced/#servers-and-ip-range

    The immediate nature of the scan stopping sounds like an issue we’ve seen in the past where an enabled “Bot Fight” or “Bot Report” mode blocks any requests from our servers straight away.

    Thanks,

    Peter.

    Thread Starter globetrots

    (@globetrots)

    Added all six of them as Firewall rules to allow, purged the cache, and same result as always. Immediately stopped itself.

    Scan Failed
    The scan has failed to start. This is often because the site either cannot make outbound requests or is blocked from connecting to itself. Click here for steps you can try.

    [JUN 28 21:32:02] Scan stop request received.

    Thread Starter globetrots

    (@globetrots)

    Also, I don’t know if this is connected, but Wordfence is sending thousands of blocked warnings that are flagging my host’s IP and my host says it’s coming from WP Fastest Cache. They advised me to turn off that plug-in (potentially slowing down my site quite a bit) to test. So does that mean what’s being flagged as bot traffic is coming from my own site/host and perhaps that’s why your scan won’t run? Why would it flag cache activity as bot traffic?

    Examples from the log, all blocked by Wordfence as suspicious:

    172.70.82.13 - - [29/Jun/2021:10:34:32 -0700] "GET /tag/colorado-springs-luxury/ HTTP/1.1" 503 7111 "https://www.hotel-scoop.com/tag/colorado-springs-luxury/" "WP Fastest Cache Preload iPhone Mobile Bot"
    172.70.82.95 - - [29/Jun/2021:10:39:13 -0700] "GET /tag/the-broadmoor/ HTTP/1.1" 503 7111 "https://www.hotel-scoop.com/tag/the-broadmoor/" "WP Fastest Cache Preload iPhone Mobile Bot"
    172.70.54.89 - - [29/Jun/2021:10:39:13 -0700] "GET /tag/colorado-resorts/ HTTP/1.1" 503 7111 "https://www.hotel-scoop.com/tag/colorado-resorts/" "WP Fastest Cache Preload iPhone Mobile Bot"
    172.70.82.95 - - [29/Jun/2021:10:44:18 -0700] "GET /tag/colorado-lodging/ HTTP/1.1" 503 7111 "https://www.hotel-scoop.com/tag/colorado-lodging/" "WP Fastest Cache Preload iPhone Mobile Bot"
    172.70.82.141 - - [29/Jun/2021:10:44:18 -0700] "GET /tag/colorado-springs-luxury-resort/ HTTP/1.1" 503 7111 "https://www.hotel-scoop.com/tag/colorado-springs-luxury-resort/" "WP Fastest Cache Preload iPhone Mobile Bot"
    172.70.82.13 - - [29/Jun/2021:10:49:23 -0700] "GET /tag/victoria/ HTTP/1.1" 503 7111 "https://www.hotel-scoop.com/tag/victoria/" "WP Fastest Cache Preload iPhone Mobile Bot"
    172.70.54.89 - - [29/Jun/2021:10:49:24 -0700] "GET /tag/vancouver-island/ HTTP/1.1" 503 7111 "https://www.hotel-scoop.com/tag/vancouver-island/" "WP Fastest Cache Preload iPhone Mobile Bot"
    172.70.82.95 - - [29/Jun/2021:10:54:16 -0700] "GET /tag/san-antonio/ HTTP/1.1" 503 7111 "https://www.hotel-scoop.com/tag/san-antonio/" "WP Fastest Cache Preload iPhone Mobile Bot"
    172.70.82.161 - - [29/Jun/2021:10:54:16 -0700] "GET /tag/texas/ HTTP/1.1" 503 7111 "https://www.hotel-scoop.com/tag/texas/" "WP Fastest Cache Preload iPhone Mobile Bot"
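
Added example, not part of the original thread and not Wordfence or Cloudflare code: the peer addresses in the excerpt above fall inside 172.64.0.0/13, one of Cloudflare's published edge ranges, so the web server is logging the proxy rather than the machine that originated the request. The sketch below groups the 503 responses by peer type and user agent; the range subset, the function names and the fourth sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Subset of Cloudflare's published IPv4 edge ranges (assumption: refresh the
# list from https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "172.64.0.0/13", "162.158.0.0/15", "104.16.0.0/13",
    "141.101.64.0/18", "108.162.192.0/18", "173.245.48.0/20",
)]

# Apache/Nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# First three lines are from the excerpt above; the last is constructed
# (203.0.113.7 is a documentation address) to show a non-proxied peer.
SAMPLE_LOG = """\
172.70.82.13 - - [29/Jun/2021:10:34:32 -0700] "GET /tag/colorado-springs-luxury/ HTTP/1.1" 503 7111 "https://www.hotel-scoop.com/tag/colorado-springs-luxury/" "WP Fastest Cache Preload iPhone Mobile Bot"
172.70.82.95 - - [29/Jun/2021:10:39:13 -0700] "GET /tag/the-broadmoor/ HTTP/1.1" 503 7111 "https://www.hotel-scoop.com/tag/the-broadmoor/" "WP Fastest Cache Preload iPhone Mobile Bot"
172.70.54.89 - - [29/Jun/2021:10:39:13 -0700] "GET /tag/colorado-resorts/ HTTP/1.1" 503 7111 "https://www.hotel-scoop.com/tag/colorado-resorts/" "WP Fastest Cache Preload iPhone Mobile Bot"
203.0.113.7 - - [29/Jun/2021:10:55:01 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def is_cloudflare_edge(ip_text):
    """True if the address lies in one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in CLOUDFLARE_NETS)

def summarize(log_text):
    """Group 503 responses by (peer type, user agent) and list peer IPs."""
    blocked = Counter()
    edge_peers, direct_peers = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than guess
        try:
            edge = is_cloudflare_edge(m["ip"])
        except ValueError:
            continue  # first field was a hostname, not an IP
        (edge_peers if edge else direct_peers).add(m["ip"])
        if m["status"] == "503":
            blocked[("cloudflare-edge" if edge else "direct", m["ua"])] += 1
    return {"blocked": blocked, "edge_peers": sorted(edge_peers),
            "direct_peers": sorted(direct_peers)}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (peer, agent), count in report["blocked"].most_common():
        print(f"{count:3d} x 503  peer={peer}  agent={agent!r}")
    print("edge peers:", ", ".join(report["edge_peers"]))
```

When every blocked peer is an edge address, any per-IP block or rate limit is being applied to the proxy, which is the situation the “How does Wordfence get IPs” setting and the CF-Connecting-IP header discussed earlier in the thread are meant to address.
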
    Plugin Support wfpeter

    (@wfpeter)

    Hi @globetrots,

    Yeah, the addition of your own site’s IP and our IPs to Cloudflare’s firewall should stop your outbound and inbound requests for scans being seen as bot or suspicious traffic. I do agree with you that this is why the scan isn’t starting because it’s an immediate fail as soon as communication starts, but I feel like we’ve taken the steps that normally trip us up on this kind of hosting environment.

    If you believe the above logs from Wordfence to be false and know that they should be allowed, you can try loading your site with Learning Mode enabled temporarily.

    Does your host run any other kind of firewall on their servers that means they need to allow our IPs from their end? It is not unheard of that a host needs to allow us access, and this has been a requirement for customers before. It might also be worth mentioning Wordfence specifically in case they have a known solution.

    Let me know how that goes.

    Peter.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @globetrots,

    I’m interested in whether there was any further feedback from your hosting provider, or an alternative issue found in relation to the scans stopping immediately on your particular environment.

    Thanks,

    Peter.

    Thread Starter globetrots

    (@globetrots)

    No, zero progress still. I whitelisted the host’s generic IP address and added to the firewall rules at Cloudflare. We turned off WP Fastest Cache since its caching was what was getting the address flagged by Wordfence for some reason. None of those things helped: the scan still stopped immediately. I turned the cache plug-in back on and it didn’t make a difference either way. Any other ideas why Wordfence is blocking itself from scanning?

    Thread Starter globetrots

    (@globetrots)

    This is from my hosting company:

    I can confirm that the Wordfence servers are NOT blocked by our network.

    Just as a test, I installed a fresh copy of WordPress on your account in a temporary location and installed Wordfence (see attached screenshot) to rule out that their servers are blocked and that Cloudflare is causing issues. The scan was completed without issue.

    I left the test installation in the event you want to share it with Wordfence support.

    https://cheapestdestinationsblog.com/phtest377331/wp-admin/
    Username: admin
    Password: Qi8Yi78KaTFb`

    Plugin Support wfpeter

    (@wfpeter)

    Hi @globetrots,

    I was on annual leave a couple of weeks ago and this dropped off my list by the time I returned – I just found it when manually going through the forums. I massively apologize for a delay in responding.

    I don’t recommend posting credentials on the forum even if it’s to a blank site, so it might be worth disabling that now, but it’s encouraging that a new installation worked as intended to rule out a block from the server/hosting side of things.

    If the scans have started running again in the meantime, please disregard. If not, I recommend considering disabling all plugins except for Wordfence and seeing if the scans start to run again. Sometimes caching plugins that need to be cleared or script conflicts having unexpected knock-on effects can be discovered this way. If the scan works with only Wordfence enabled, try enabling everything else one-by-one until the issue arises again to find the troublemaker.

    As a last resort, try making a backup of your Wordfence settings and running a remove/reset to see if you can get your main site behaving like the freshly installed one.

    Many thanks,

    Peter.

  • The topic ‘Server won’t connect to Wordfence, scan won’t run’ is closed to new replies.