• Hi,
    I’m working on a plugin that will allow our users to insert posts from a SaaS application with a single click.

    The issue is that when Wordfence is active, it blocks the request.

    We tried multiple solutions found on the web:
    – Turning the firewall into learning mode
    – Disabling firewall
    – Disabling bot protection
    – Whitelisting the IP (the SaaS has a dynamic IP, so this is not a good long-term solution for us anyway).
    – Whitelisting URLs

    But in Live Traffic, we still see our requests as bot requests that are blocked with error message 401, which we checked in the server logs.

    When we turn off the WordFence everything is working fine.

    We are using the standard REST API with the POST method and a single content parameter.

    Do you have any suggestions for us?

    Best Regards
    Mark

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @xingupl, thanks for reaching out to us!

    When you receive the 401 Unauthorized in Live Traffic, are you presented with the possibility to, “ADD PARAM TO FIREWALL ALLOWLIST“? Try clicking it and attempting to send data again if there is. If not, what is the reason given for the block when you expand the entry by clicking on it (or the “eye” icon)?

    The reason could be key to whether a setting needs to be changed, or a specific firewall rule is intervening.

    Thanks,

    Peter.

    Thread Starter Mark Winiarski

    (@xingupl)

    Hi,
    yes, we tried that. This is an image of the log in Live Traffic:
    https://a.tmp.ninja/lmlNWAVO.png

    Plugin Support wfpeter

    (@wfpeter)

    Hi @xingupl,

    Normally for a failed/blocked connection, the part you’ve redacted would say something like, “was blocked by firewall for Known malicious User-Agents” and present with a red dot on the left-hand side of the entry.

    Wordfence cares more about the behavior of a human/bot being malicious, rather than assuming all bots are bad by default. It looks like in this case Wordfence may not actually be blocking it, just detecting the traffic hitting your site. I could be wrong, but can’t see any evidence that’d show me in the screenshot.

    It could be worth altering your Rate Limiting settings to our recommended values to see if it helps:
    Rate Limiting Screenshot

    • If anyone’s requests exceed – 240 per minute
    • If a crawler’s page views exceed – 120 per minute
    • If a crawler’s pages not found (404s) exceed – 60 per minute
    • If a human’s page views exceed – 120 per minute
    • If a human’s pages not found (404s) exceed – 60 per minute
    • How long is an IP address blocked when it breaks a rule – 30 minutes

    I also always set the rule to Throttle instead of Block. Throttling is generally better than blocking because any good search engine understands what happened if it is mistakenly blocked and your site isn’t penalized because of it. Make sure and set your Rate Limiting Rules realistically and set the value for how long an IP is blocked to 30 minutes or so.

    Throttling rather than blocking outright may have a positive effect on your plugin.

    Thanks,

    Peter.

    Thread Starter Mark Winiarski

    (@xingupl)

    Hi,
    thank you for the feedback and proposal; unfortunately, it is not working for me. Whether I set this as you proposed, set no limit, or even disable Rate Limiting entirely, I still get the same result.

    The thing is, no matter how I set up WordFence, I have this issue. Even if I disable all the features that I can disable, the issue is still there, but if I disable WordFence as a plugin, all issues are gone and everything works as it should.

    I haven’t seen anything like this before and don’t understand it at all, since disabling all the features WordFence has should have a similar effect to disabling the plugin, right?

    It is a standard WordPress REST API endpoint. Nothing special about that. I authenticate it by capability and application password. The capability and role are custom ones.

    The issue occurs not only for me but also for a few of our clients, where the pattern is the same. No matter how they configure WordFence, the request is blocked. If they temporarily disable WordFence, the API works.

    Thanks again for your help,
    Mark.

    Plugin Support wfpeter

    (@wfpeter)

    Hi again @xingupl,

    Sorry to hear the problems connecting to the REST API are continuing. Could you send me a diagnostic report from the affected site so I can test the API endpoint(s) myself? It just makes it easier than having to publicly state your domain.

    You can send a diagnostic report to wftest @ wordfence . com by finding the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

    Thanks again,

    Peter.

    Thread Starter Mark Winiarski

    (@xingupl)

    Hi,
    thank you for your help. I sent the diagnostics as suggested.

    Thank you.
    Mark.

    Thread Starter Mark Winiarski

    (@xingupl)

    Hi,
    I was able to find the solution. As I mentioned, I was using the REST API with an Application Password, and WordFence by default has an option enabled to block the use of Application Passwords in the Brute Force Protection section. Disabling this option solved my issue.

    Thanks for your help, have a good day!
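
The cause found above can be detected from inside the integrating plugin instead of surfacing as an unexplained 401. The following is an added example, not code from the thread or from Wordfence: a preflight check built on WordPress core's Application Password functions, assuming the security plugin's setting works through core's `wp_is_application_passwords_available` filter. The `myplugin_` prefix and the `myplugin_service_user_id` option are hypothetical.

```php
<?php
// Added example: preflight for a plugin whose REST client uses an Application Password.
// The myplugin_ prefix and the 'myplugin_service_user_id' option are hypothetical names.

function myplugin_app_password_status( $user_id ) {
	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return 'no_user';
	}
	// Application Passwords exist only in WordPress 5.6 and later.
	if ( ! function_exists( 'wp_is_application_passwords_available' ) ) {
		return 'unsupported';
	}
	// False when core's own requirement (HTTPS or a local environment) is unmet,
	// or when a filter on wp_is_application_passwords_available turns the feature off.
	if ( ! wp_is_application_passwords_available() ) {
		return 'disabled_sitewide';
	}
	// A filter can also switch the feature off for individual users.
	if ( ! wp_is_application_passwords_available_for_user( $user ) ) {
		return 'disabled_for_user';
	}
	// The feature is on, but the service account has no password issued yet.
	if ( empty( WP_Application_Passwords::get_user_application_passwords( $user->ID ) ) ) {
		return 'no_password';
	}
	return 'ok';
}

function myplugin_app_password_notice() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	$status = myplugin_app_password_status( (int) get_option( 'myplugin_service_user_id', 0 ) );
	if ( 'ok' === $status ) {
		return;
	}
	$messages = array(
		'no_user'           => 'The configured service account does not exist.',
		'unsupported'       => 'This WordPress version has no Application Passwords.',
		'disabled_sitewide' => 'Application Passwords are disabled site-wide; REST requests will return 401.',
		'disabled_for_user' => 'Application Passwords are disabled for the service account.',
		'no_password'       => 'The service account has no Application Password yet.',
	);
	printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $messages[ $status ] ) );
}
add_action( 'admin_notices', 'myplugin_app_password_notice' );
```

If the check reports `disabled_sitewide` on a site running Wordfence, the setting to review is the Application Passwords option in the Brute Force Protection section described in the post above.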

  • The topic ‘Wordfence blocks REST API for bot’ is closed to new replies.