• Resolved mahi38

    (@mahi38)


    Hi,

    With the upgrade to WordPress 5.2 I get an API error in the Site Health Status which is triggered by the WordPress WP_Site_Health->get_test_rest_availability() routine

    url call => https://www.arkanova.fr/wp-json/wp/v2/types/post?context=edit

    and blocked by the NinjaFirewall (WP Edition) v 3.9.1 (the problem disappears when I deactivate the NinjaFirewall plugin).

    Can you tell me which Firewall option to untick/tick to allow self WordPress API REST json calls ?

    thank you


Viewing 15 replies - 1 through 15 (of 16 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Check the “Firewall Policies > Basic Policies > WordPress” section. There are a few policies related to the REST API (“Protect against username enumeration” and “WordPress REST API”).
    By default, they are disabled to prevent such issues.

    Thread Starter mahi38

    (@mahi38)

    Yes I saw them, they are all unchecked (no protection) and the problem remains

    thanks

    Plugin Author nintechnet

    (@nintechnet)

    Did you check the firewall log? There should be a line showing the blocked attempt.

    Thread Starter mahi38

    (@mahi38)

    I looked at it and no, there is no line

    Plugin Author nintechnet

    (@nintechnet)

    I can access the https://www.arkanova.fr/wp-json/wp/v2/types/post URL, it does not throw any error.
    Which error message is returned by Site Health: ‘The REST API encountered an error’ or ‘The REST API encountered an unexpected result’ or ‘The REST API did not behave correctly’?

    Maybe it comes from one of the HTTP header policies you have enabled? Try to open your browser console during the test (CTRL + Shift + J) and check if you see any error.

    Thread Starter mahi38

    (@mahi38)

    Site Health says :
    Error : [] cURL error 28: Operation timed out after 10001 milliseconds with 0 bytes received

    Query Monitor adds :
    URL : https://www.arkanova.fr/wp-json/wp/v2/types/post?context=edit
    Status :
    cURL error 28: Operation timed out after 10001 milliseconds with 0 bytes received
    Caller :

    do_action('admin_enqueue_scripts')
    wp-includes/plugin.php:465
    WP_Site_Health->enqueue_scripts()
    wp-admin/includes/class-wp-site-health.php:88
    WP_Site_Health->get_test_rest_availability()
    wp-admin/includes/class-wp-site-health.php:1670

    HTTP header : no problem apparently

    URL de la requête : https://www.arkanova.fr/wp_33/wp-admin/site-health.php
    Méthode de la requête :GET
    Adresse distante : 217.182.234.5:443
    Code d’état : 200
    Version : HTTP/2.0
    Politique de référent : strict-origin-when-cross-origin
    	
    En-têtes de la réponse (1,373 Ko)	
    En-têtes bruts
    cache-control : no-store, no-cache, must-revalidate
    content-encoding : gzip
    content-security-policy	: script-src 'self' 'unsafe-inli…ce.com data:; base-uri 'self';
    content-type : text/html; charset=UTF-8
    date : Sat, 11 May 2019 12:50:01 GMT
    expires	: Thu, 19 Nov 1981 08:52:00 GMT
    pragma	: no-cache
    referrer-policy	: strict-origin-when-cross-origin
    server: YOORshop
    set-cookie : PHPSESSID=dfd394bef3ab0f846455…ure; HttpOnly;HttpOnly;Secure
    strict-transport-security : max-age=16070400; includeSubDomains
    vary : Accept-Encoding,X-HTTP-Method-…arded-Port,X-Forwarded-Server
    x-content-type-options : nosniff
    X-Firefox-Spdy : h2
    x-frame-options	: SAMEORIGIN
    x-xss-protection: 1; mode=block

    Deactivating NinjaFirewall makes the problem disappear.

    The url checked by Site Health works outside in a browser window

    I hope this helps to find the clue

    thank you

    Plugin Author nintechnet

    (@nintechnet)

    It looks like Site Health has the same problem as the WordPress theme/plugin editor sandbox with PHP session: https://core.trac.www.ads-software.com/ticket/43358

    NinjaFirewall tries to correct the issue by hooking callbacks and writing the PHP session to disk. But it does not work in your case.
    Can you try this:
    1. Copy this code to a file named “whatever.php”:

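    <?php
    // Diagnostic: does the REST API URL start with the site URL?
    header('Content-type:text/plain');
    // Loading wp-config.php bootstraps WordPress, so rest_url() and get_site_url() are available.
    require('wp-config.php');
    $url = rest_url( 'wp/v2/types/post' );
    $site = get_site_url();

    // A prefix match at offset 0 means both URLs share the same base.
    if ( strpos( $url, $site ) === 0 ) {
       echo "Test OK\n";
    } else {
       echo "Error: cannot find the '$site' substring in '$url'.\n";
    }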
    

    2. Upload it to your site over FTP and go to https://your-site/whatever.php.

    Does it throw an error or ok message?

    Thread Starter mahi38

    (@mahi38)

    I get the following message running the php snippet :

    Error: cannot find the 'https://www.arkanova.fr/wp_33' substring in 'https://www.arkanova.fr/wp-json/wp/v2/types/post'.

    My site is stored in the subdirectory /public_html/wp_33. Maybe there is something missing in the /public_html/.htaccess file. Here is the current .htaccess redirect code :

    #<IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteCond %{REQUEST_URI} !^/wp_33/
       RewriteCond %{REQUEST_URI} !^/wp_55/
       RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
       RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
       RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
       RewriteRule ^(.*)$ /wp_33/$1 [L]
    #</IfModule>

    Thank you for your time and support !

    Plugin Author nintechnet

    (@nintechnet)

    That’s the problem: the blog and REST API URI don’t match.
    I just made a small change that should solve the issue:
    1. Make sure you are running NF 3.9.1.
    2. Download the new files from the trunk folder: https://plugins.trac.www.ads-software.com/export/HEAD/ninjafirewall/trunk/lib/utils.php
    3. Over FTP, upload it to the /wp-content/plugins/ninjafirewall/lib/ folder (overwrite the current one).
    4. Test with Site Health.
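
The mismatch diagnosed above, reproduced without WordPress as an added example (not NinjaFirewall's code and not the utils.php change, whose content this thread does not show). The function names are hypothetical, and the root-install site URL and the lookalike host are constructed sample values; the block compares the prefix test from the diagnostic script with a scheme/host/port comparison.

```php
<?php
// Added example: decide whether an outgoing request targets this same site.

// Prefix test, as in the diagnostic script posted earlier in the thread.
function is_same_site_by_prefix(string $request_url, string $site_url): bool {
    return strpos($request_url, $site_url) === 0;
}

// Hypothetical helper: reduce a URL to "scheme://host:port", or null if unparsable.
function url_origin(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $default = ['http' => 80, 'https' => 443][$scheme] ?? null;
    $port = $p['port'] ?? $default;
    if ($port === null) {
        return null; // unknown scheme without an explicit port
    }
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}

// Hypothetical alternative: same site means same scheme, host and port.
function is_same_site_by_origin(string $request_url, string $site_url): bool {
    $a = url_origin($request_url);
    return $a !== null && $a === url_origin($site_url);
}

$cases = [
    // [site URL, request URL]; the first two pairs use the values quoted in the thread.
    ['https://www.arkanova.fr/wp_33',
     'https://www.arkanova.fr/wp-json/wp/v2/types/post?context=edit'],
    ['https://www.arkanova.fr/wp_33',
     'https://www.arkanova.fr/wp_33/wp-admin/site-health.php'],
    // Constructed: a root install and a lookalike host that shares its prefix.
    ['https://www.arkanova.fr',
     'https://www.arkanova.fr.example.net/wp-json/'],
];

foreach ($cases as [$site, $url]) {
    printf("site=%s\n  url=%s\n  prefix=%s origin=%s\n", $site, $url,
        var_export(is_same_site_by_prefix($url, $site), true),
        var_export(is_same_site_by_origin($url, $site), true));
}
```

The prefix test rejects the subdirectory install's own REST URL and accepts the lookalike host when the site URL has no trailing slash; the origin comparison gets both cases right.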

    Thread Starter mahi38

    (@mahi38)

    I apologize for the delay

    The fix resolves the problem and Site Health doesn’t complain anymore, great job.

    I really appreciate your support !

    I wish you a nice weekend

    Hello,

    I have the same problem with 2 plugins, “LatePoint” and
    “Web 2.0 Directory”.

    Best regards

    do_action('admin_enqueue_scripts')
    wp-includes/plugin.php:465
    WP_Site_Health->enqueue_scripts()
    wp-admin/includes/class-wp-site-health.php:88
    WP_Site_Health->get_test_rest_availability()
    wp-admin/includes/class-wp-site-health.php:1670

    The URL:
    wp-json/wp/v2/types/post?context=edit

    Plugin Author nintechnet

    (@nintechnet)

    If you have the same issue, download the new utils.php script that I mentioned in my previous message.

    Hello,

    my problem is not with NinjaFirewall but with 2 plugins, “LatePoint – Appointment Booking & Reservation plugin for WordPress” and “Web 2.0 Directory plugin for WordPress”.

    Should I replace it anyway with your script in each of the libraries?

    Best regards

  • The topic ‘WP 5.2 : NinjaFirewall blocks API REST wp-json calls’ is closed to new replies.