Unable to access All Options – 302 redirected to main domain

  • Not sure if this started after the recent update was applied, but I’m no longer able to get to the All Options page in WF. When I click on that link I get issued a 302 redirect to my main domain. The link wp-admin/network/admin.php?page=WordfenceOptions does seem to be working. Now I don’t know if this is due to a block rule I have in place that is now catching these things or if something else has cause it to break.

    My first indication something was wrong was I got a site health alert that rest api was getting an error:

    REST API Endpoint: wp-json/wp/v2/types/post?context=edit
    REST API Response: (403) Forbidden

    So I assumed I had a rule in place that was blocking it and went to check it out and found the issue trying to get to the options.

    I don’t know the DB structure to look in the tables to check/remove rules to see if that is what caused it or if something with the update is the problem.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @drgonzo3000, thanks for getting in touch.

    Have you installed Wordfence on a subsite of a multisite? I wasn’t sure, but just wondering about the /network path.

    I’ve not heard of a temporary redirect for Wordfence’s All Options page before, so a diagnostic would be helpful. You can send one to wftest @ wordfence . com from the link at the top of the Wordfence > Tools > Diagnostics page. Click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

    Thanks,
    Peter.

    Thread Starter drgonzo3000

    (@drgonzo3000)

    @wfpeter Diagnostic report has been sent.’

    WF is installed at the network level, not on an subsite. Was installed through the normal WP plugin page not manually installed.

    • This reply was modified 10 months, 2 weeks ago by drgonzo3000.
    Thread Starter drgonzo3000

    (@drgonzo3000)

    I did some testing by removing blocks from the .htaccess file to see if anything added there was causing the redirect. After removing every single line, including the default WP code to handle the url rewrite rules I found that the all options link now goes to a 404 page. Only this link does that. all of the other links in the WF sidebar work.

    I also flushed out the bannerURLs in the wp_wfconfig table to ensure none of the entries I added in there were actually causing an issue. Corrected nothing.

    I’m having the same issue on my site – any time I click on “All Options”, it takes me to a “404 Not Found” page. I’m also not using multisite, and I’ve been using WordFence for three and a half years without encountering this problem.

    For the original author of this thread and anyone else in the future who stumbles across this, I figured out that Apache ModSecurity was triggering on rule id #390149 with the message “Atomicorp.com WAF Rules: Possible remote shell or bot access denied” any time I tried to go to the Wordfence “All Options” page. I’ve added an exception to this rule to the ModSecurity whitelist and I’m going to restart apache this weekend when my site traffic is lower to see if it resolves the issue.

    Thread Starter drgonzo3000

    (@drgonzo3000)

    Adding an exception to ModSecuity is not really a solution, it’s a workaround that could expose a security risk. @wfpeter needs to find out why Wordfence is triggering the security rule to begin with and correct the problem.

    Endymion00

    (@endymion00)

    I ran across the same issue, but existing sites load fine, it was only a new install that wouldn’t let me load the pages and since it’s not just WordfenceOptions that gets block, but other similar Wordfence pages, this is the exception I went with in my modesec2.user.conf file that keeps the focus narrow so the rule still applies elsewhere. 90520 is a custom id, so you can use your own preferred ID if you have a conflict.

    # Wordfence Options
SecRule REQUEST_URI "/wp-admin/admin.php\?page=Wordfence" \
  "id:'90520', \
  phase:2, \
  t:none, \
  nolog, \
  pass, \
  ctl:ruleRemoveById=390149"
Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Unable to access All Options – 302 redirected to main domain’ is closed to new replies.