• Resolved dimal

    (@dimalifragis)


    Hello.

    It seems that if a WordPress site uses ANY caching plugin, Wordfence FAILS to work right.

    It is very, very simple to test: use Live Traffic, or use an advanced block with a custom rule and test it.

    Since MOST WP sites use some caching plugin, I find it hard to understand why some warning or some information about it is not posted anywhere. This is a major security issue and I bet most webmasters have NO idea what is really happening.

    Here is a post saying that Wordfence WORKS right with caching plugins:

    https://www.ads-software.com/support/topic/wp-fastes-cache-and-rate-limiting/

    But it DOESN’T. Not only for Rate Limiting but also for general firewall protection.

    Thank you

Viewing 10 replies - 1 through 10 (of 10 total)
  • Thanks for reaching out.

    Is your FIREWALL optimized like we answered in that FORUM topic?

    OPTIMIZING the FIREWALL allows it to load BEFORE WordPress does, which means that the blocking WOULD work.

    Mia

    Thread Starter dimal

    (@dimalifragis)

    Hello. Yes Optimized (auto prepended).

    Thread Starter dimal

    (@dimalifragis)

    Also tested with LiteSpeed Cache (uses mod_rewrite mode), WP Super Cache (uses PHP mode in Easy Default mode), Fastest Cache (tested with both PHP and mod_rewrite mode). Same results. Tried also PHP 7.4.x and PHP 8.0.x.

    I also installed a fresh WP 6.2 on a staging site, with no plugins or other things, and the issue is also there.

    This seems to be the case for me, too. My Wordfence is using “extended protection”. WP Super Cache is in “expert” mode. In the htaccess file, WF’s block is first, then WPSC’s, and finally WP’s.

    I tested by turning on “all traffic” and including my (logged-in user) own for Wordfence’s live traffic. Then I went to another browser and went back and forth between two stories that I knew were cached. Neither of them was logged by WF, only as referrers to the Ajax-loaded feed in the sidebar.

    Then I deleted the WPSC cache and loaded the stories. They were now logged by Wordfence. Then I went back and forth among them again (now that cached copies would have been created), and they were not logged.

    I suppose the fact that the ajax-loaded feed in the sidebar is still logged on cached pages means that in my setup Wordfence would still catch bad actors. Also, each cached file is set to persist only 1 hour, so there’s still a good chance that bad actors would get a noncached file.

    Thread Starter dimal

    (@dimalifragis)

    @ericr23 Can you try to use WPSC in EASY mode (php) and clean your .htaccess from WPSC stuff?

    Then ENABLE Late INIT in WPSC, clear caches and test again?

    That appears to work! Each reloading of a post is logged.

    I tested it in WPSC “expert” mode, too, and it did not work.

    Thread Starter dimal

    (@dimalifragis)

    Yep, it appears to work for me also, BUT Rate Limiting still doesn’t.

    This is POOR TESTING and also a huge risk for people that use Wordfence and ANY caching plugin. People think they are protected but they are NOT.

    And that from a plugin with 4 million installations??

    Thread Starter dimal

    (@dimalifragis)

    @ericr23 Use only caching plugins that use PHP mode and NOT mod_rewrite. mod_rewrite mode happens earlier than WordPress (in .htaccess), so the cache is already served to the visitors.

    Use WP Super Cache in easy mode, Comet Cache or the great fork Rapid Cache, or Fastest Cache. Fastest Cache needs some directive in wp-config to switch to PHP mode, since by default it uses mod_rewrite.

    Also “late init” in WP Super Cache (“Display cached files after WordPress has loaded”). (I tested easy/simple mode without late init.)

    Thread Starter dimal

    (@dimalifragis)

    I’m curious if we get a clear reply from their support here. A CLEAR reply.

  • The topic ‘Wordfence and Caching Plugins’ is closed to new replies.
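
The behaviour reported in this thread (pages served by a mod_rewrite cache never show up in Live Traffic, while PHP-mode caching is logged) can be checked from the `.htaccess` file itself. The script below is an added example, not part of the thread and not code from Wordfence or any caching plugin: it flags `RewriteRule` lines that hand a request straight to a static file, in which case no PHP runs and an `auto_prepend_file` firewall is never loaded for that request. The sample `.htaccess`, its paths and the `waf-bootstrap.php` name are constructed for illustration.

```python
import re

# Constructed, simplified sample; paths and file names are hypothetical.
SAMPLE_HTACCESS = """\
# firewall loaded through PHP's auto_prepend_file
php_value auto_prepend_file '/var/www/html/waf-bootstrap.php'

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !POST
RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/pages/$1/index.html -f
RewriteRule ^(.*) "/wp-content/cache/pages/$1/index.html" [L]
</IfModule>

<IfModule mod_rewrite.c>
RewriteRule ^index\\.php$ - [L]
RewriteRule . /index.php [L]
</IfModule>
"""

# Substitution targets with these endings are served by Apache without PHP.
STATIC_EXT = (".html", ".htm", ".html.gz", ".xml")
RULE = re.compile(r'^RewriteRule\s+\S+\s+(?:"([^"]+)"|(\S+))', re.I)


def audit(htaccess_text):
    """Report rewrite rules that serve static files and so skip PHP entirely."""
    prepend = False
    static_rules = []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue  # ignore blank lines and comments
        if "auto_prepend_file" in s:
            prepend = True  # firewall bootstrap is configured for PHP requests
        m = RULE.match(s)
        if m:
            target = (m.group(1) or m.group(2)).split("?", 1)[0]
            if target.lower().endswith(STATIC_EXT):
                static_rules.append((lineno, target))
    return {
        "prepend_configured": prepend,
        "static_rules": static_rules,
        # A cache hit through any of these rules never reaches the prepend file.
        "php_skipped_on_cache_hit": bool(static_rules),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_HTACCESS))
```

A result with `prepend_configured` true and `php_skipped_on_cache_hit` true matches the situation described in the thread: the firewall is "optimized", yet cached pages are answered before it can run.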