Wordfence and WebP Express

  • Hi ! I have a problem with the operation of the WebP Express plugin and Wordfence. Wordfence blocks all conversions of images to WebP format when the user visits the site. This generates a lot of errors in the “Live traffic” tool.
    For example: “Blocked for Directory Traversal in query string: xwp-content-rel-to-we-plugin-dir = x ../../”

    Do you have a solution to whitelist or otherwise the functions of the WebP Express plugin ?

    Thanks in advance !

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @grafikx, thanks for getting in touch.

    The directory traversal protection is being triggered from Wordfence > All Options > Advanced Firewall Options > Rules > lfi Directory Traversal. This switch would be on by default and these actions are getting caught by the WAF.

    I would first try Learning Mode to teach the firewall that the actions of the WebP Express plugin are normal which should allowlist its method of loading but let you to keep directory traversal turned on to catch other malicious actions.

    From the Wordfence Dashboard click on Manage WAF. Then you will see Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode. Now perform actions that were causing issues such as viewing pages where WebP Express will be actively running. This will help Wordfence learn that these actions are normal and it will allow them in the future. After you have finished performing the actions, switch the WAF from Learning Mode back to Enabled and Protecting. Now test to see if the plugin works correctly under normal circumstances.

    Thanks,

    Peter.

    Thread Starter Grafikx

    (@grafikx)

    Hi @wfpeter !

    Thanks for quick response !
    That’s what I had thought about but I preferred to have your opinion before testing the Learning Mode in this specific case. ??

    I will test this soon.

    Thanks for your help !

    Thread Starter Grafikx

    (@grafikx)

    Hi !

    It works with the learning mode but only if I take care to visit all the pages where there are images. If I reactivate the firewall and go to pages that I did not see during learning mode, the images are not displayed because they are blocked by the firewall and they are therefore not converted to WebP format by the plugin.

    Wouldn’t there be an easier solution to allow the conversion of images to WebP format with this plugin?
    Because moreover, it created a huge list for me in the “Allowlisted URLs” section. ??

    Thread Starter Grafikx

    (@grafikx)

    Moreover, in the configuration of the plugin, if I perform the 3 tests with the firewall activated:
    1. Enable direct redirect to existing converted images? Works
    2. Enable redirection to converter? Failed
    3. Create webp files upon request? Failed

    If I switch to learning mode, all 3 work.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Wordfence and WebP Express’ is closed to new replies.