• Resolved David Adams

    (@tictag)


    I have 16 websites, all of which have Wordfence and Dave McHale’s Disable REST API plugin (https://en-gb.www.ads-software.com/plugins/disable-json-api/) installed and activated. 3 of those 16 websites report Connection Issues in Wordfence Central – see linked screenshot below – with error:

    We received a non-200 HTTP code when connecting to your site: 401.
    The response was:
    DRA: Only authenticated users can access the REST API.

    • If I Retry Site Connection, it fails.
    • If I deactivate the Disable REST API plugin on the target site, it works and connection is re-established.
    • When I re-activate Disable REST API plugin on the target site, after some time it will re-appear in the Connection Issues page on Wordfence Central.

    So it seems like the Disable REST API plugin is causing a conflict with WordPress Central connectivity, but only on 3 out of 16 websites?

    Could you please help me troubleshoot this issue?

    My expected outcome is that all 16 websites are properly connected to Wordfence Central.

    David.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @tictag

    Wordfence Central needs access to the Wordfence plugin REST API endpoint below:

    example[.]com/wp-json/wordfence/v1

    If you can’t add that endpoint as an allowlist in the Disable REST API plugin then you will need to deactivate that plugin to be able to use Wordfence Central.

    Thread Starter David Adams

    (@tictag)

    I have taken another look at this and it seems that by default the Disable REST API plugin only affects unauthenticated API requests, denying all access. By default it allows unfettered access to all authenticated requests.

    I tried enabling the /wordfence/v1 API for unauthenticated access and Wordfence Central was able to connect. Disabling the /wordfence/v1 API for unauthenticated access prevented Wordfence Central from connecting. This is repeatable.

    So it seems that for two of my 14 websites, Wordfence Central is trying to access these two websites without authenticating.

    Could it be that the original setup failed in some way?
    Is there a way to find out whether Wordfence Central is trying to authenticate?
    Should I remove/reinstate the Wordfence Central connection?
    Are there any connection logs I can review?

    Plugin Support wfphil

    (@wfphil)

    Hi @tictag

    The Disable REST API plugin by default blocks all unauthenticated requests to WordPress REST API endpoints that it finds and then in the plugin you can add any of those to the plugin’s allowlist.

    Thread Starter David Adams

    (@tictag)

    This is incorrect information; there is no “allowlist” feature within the Disable REST API plugin, it simply blocks all unauthenticated requests and, by default, allows unfettered authenticated access (note: via roles e.g. Subscriber, Administrator).

    So I ask again, is Wordfence attempting, or rather, why would Wordfence Central attempt an unauthenticated API request?

    And I ask again:
    – Could it be that the original setup failed in some way?
    – Is there a way to find out whether Wordfence Central is trying to authenticate?
    – Should I remove/reinstate the Wordfence Central connection?
    – Are there any connection logs I can review?

    This is as much a security concern as it is a functional one. Wordfence, or any external API, should never be able to access my website without first proving who they are (authentication) and even that access must be controlled (authorisation). Right now, it seems that Wordfence Central is trying to connect to my website without proper authentication.

    Is there a way I can give you access to my website to troubleshoot this?

  • The topic ‘Wordfence Central Connection Issues & Disable REST API’ is closed to new replies.
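
One way to check what the thread asks, whether requests to the /wordfence/v1 namespace reach WordPress with any credentials, shown as an added example that is not code from Wordfence, the Disable REST API plugin, or any poster: a temporary must-use plugin that logs, per request, whether WordPress sees a logged-in user and whether an Authorization header is present. The file name, the `rap_clean` helper, the log tag, and the assumption that the blocking plugin acts on the `rest_authentication_errors` filter at a later priority are not from the page.

```php
<?php
/**
 * Plugin Name: REST auth probe (hypothetical name, added example)
 * Place in wp-content/mu-plugins/ while troubleshooting, then delete it.
 */

// Keep only printable ASCII so request data cannot forge extra log lines.
function rap_clean( $value ) {
    return preg_replace( '/[^\x20-\x7E]/', '?', (string) $value );
}

// Priority 1: assumed to run before the blocking plugin's own callback.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Route of the current REST request; '/' when none is set.
    $route = empty( $GLOBALS['wp']->query_vars['rest_route'] )
        ? '/'
        : (string) $GLOBALS['wp']->query_vars['rest_route'];

    // Only record requests to the namespace named in the thread.
    if ( 0 !== strpos( $route, '/wordfence/v1' ) ) {
        return $result;
    }

    // Record presence only; never write credential values to a log.
    // Some Apache/CGI setups drop this header before PHP sees it.
    $has_auth = isset( $_SERVER['HTTP_AUTHORIZATION'] )
        || isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] );

    error_log( sprintf(
        '[rest-auth-probe] route=%s method=%s ip=%s wp_user=%s auth_header=%s earlier_error=%s',
        rap_clean( $route ),
        rap_clean( $_SERVER['REQUEST_METHOD'] ?? '-' ),
        rap_clean( $_SERVER['REMOTE_ADDR'] ?? '-' ),
        is_user_logged_in() ? 'yes' : 'no',
        $has_auth ? 'present' : 'absent',
        is_wp_error( $result ) ? rap_clean( $result->get_error_code() ) : 'none'
    ) );

    // Observe only: hand back whatever earlier callbacks decided.
    return $result;
}, 1 );
```

Entries go to the PHP error log. A line with `wp_user=no` marks a request that a check based on WordPress login treats as unauthenticated, whatever other credential the request may carry.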