WP Migrate Lite triggering WAF rules **a warning**

  • Resolved cptwillard

    (@cptwillard)


    4 months, 3 weeks ago

    About a week ago I started using WP Migrate Lite to move my site into Local for offline editing.

    Our Static IP was immediately blocked (not that we knew it then). This started a long saga and pitched battle with the admins at our hosting provider to get them to recognise that their claims that our IP was on a global block list at the behest (of all things!) our own ISP. The battle could well have proved fruitless as they were completely intransigent as the tried in vain to remove us from the list, eventually using up all their firewall provider requests.

    They would remove us and then we’d immediately be re-added whenever we tried to use WP Lite Migrate.

    They were so dumb that couldn’t figure out how to whitelist our address on their own servers to fix problem permanently and they couldn’t recognise that we were continually triggering their firewall causing our IP to be blocked from all our services – email hosting, WP, Cpanel… the lot.

    Eventually, they let slip the firewall provider they use and I was able to setup trial account to get access to their console to see what was going on. We were on 1 user’s challenge list. I later spoke to one of their tech support guys who gave me more details of the incident report and confirmed exactly what I suspected; it was their challenge list; theire servers had thrown us on it. Now our IP is blocked by anyone that uses that distributed firewall including seemingly the entire Ubuntu repository ecosystem.

    I thought it was important that folk were aware that this is a possibility. HMU offline if you need more details of the WAF rule and other parties involved.

    • This topic was modified 4 months, 3 weeks ago by cptwillard.
Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support Delicious Brains Support

    (@dbisupport)

    Hi @cptwillard!

    WP Migrate Support Team here. Thanks for reaching out with your query! We would be happy to assist.

    Firewalls can cause issues during migrations by potentially rate-limiting or blocking WP Migrate requests, which may result in failed migrations.

    The best way to migrate to a site running a firewall is to avoid the firewall altogether, if possible. However, these guides might help improve your chances of success:

    https://deliciousbrains.com/wp-migrate-db-pro/doc/firewall-plugins/

    https://deliciousbrains.com/wp-migrate-db-pro/doc/modsecurity/

    Regarding your IP address being included in the “Challenge List,” is it possible to appeal for its removal? Please feel free to share additional information here, just make sure to omit any sensitive info.

    Thread Starter cptwillard

    (@cptwillard)

    It was in the pull stage, not the push. (Getting files for Local staging).

    From what I can gather, trying to pull down the WP Core files triggers a firewall rule that can make your hosting provider automatically put your ISP IP address on their challenge list (which is globally distributed) without any warning at all.

    I kept complaining of losing connectivity (email, WP, cPanel the lot while the site stayed live) whenever I tried to connect over my static IP (challenge-listed).

    It ended up in a big mess because as far as their sysadmins were concerned it wasn’t their systems that were triggering the block (it was), so they would repeatedly lodge a request to remove me from the distributed challenge list, my IP would be unblocked temporarily and then I’d be re-added each time that I retried the offending operation (including core files in the migrate profile). They eventually got their own requests blocked after lodging too many. Great.

    Eventually, they smugly satisfied themselves that it wasn’t their problem and that something else was causing me to be put on the challenge list “beyond their control”. All that they had to do was whitelist my IP, but they refused, sticking to their guns and telling me to check that I didn’t have malware on my site (which was still live so der) or on my home access PCs (Guh). Eventually we checked with our ISP and they confirmed that we weren’t blacklisted anywhere by them.

    My hosting provider lit slip in a screenshot who their FW provider was and I started reasearching their firewall system. Then I installeld it on a Linux box to see how it worked. I eventually had a support guy reach out and I explained the situation and he looked at the detailed incident logs and proved unequivocally what I was saying was true – their servers, my IP and my domain were the only end points involved.

    So you can get blocked without and warning at all just for using a simple tool if your hosting providers are incapable of logic or using their own software.

    I have a new static IP now and another workaround so I don’t care. After 5 days battling with arrgoant tech admins, I’m done. Last I heard, they referred the case up to their upper tiers after I forwarded a screen shot of my correspondence with their firewall provider with them. Somebody on the chain apparrently said “err…yeah that’s actually possible”. lol. And der.

    Anyway, you can probably tell I’d rather scrub my body with fire ants than help them anymore. But I thought you guys might be interested.

    • This reply was modified 4 months, 3 weeks ago by cptwillard.
    • This reply was modified 4 months, 3 weeks ago by cptwillard.
    Plugin Support Delicious Brains Support

    (@dbisupport)

    Hi @cptwillard ,

    Thanks for that detailed explanation. I hope it helps others when they experience a similar issue.

    We have received tickets before on how WP Migrate’s continuous server requests could trigger some security plugin or software to block the requests. One thing we suggest to our Pro users is to increase the “Delay Between Requests” to 1 second, so that it would be slow enough not to trigger a firewall on the other server. However, this feature is only available on the Pro version of WP Migrate.

    Let us know if you have any other questions!

    Thread Starter cptwillard

    (@cptwillard)

    It’s interesting that you say that because my workaround is to use mobile data via mobile hotspot on my phone.

    I thought it was because the firewall treated IPv6 addresses differently. But it might have more to do with the way mobile data is delivered.

    As to your comment about additional questions…

    May I have a pro version of the migrate tool for free for testing purposes. I’ll share the results of the delay here.

    Plugin Support Delicious Brains Support

    (@dbisupport)

    Hi @cptwillard ,

    We don’t offer a free version of the Pro plugin, but we do offer a 100% No-Risk 60-Day Money Back Guarantee. If for any reason you are not happy with our product or service, simply let us know within 60 days of your purchase and we’ll refund 100% of your money.

    https://deliciousbrains.com/wp-migrate-db-pro/pricing/#guarantee

    Let us know if you have any other concerns.

    Thread Starter cptwillard

    (@cptwillard)

    Wouldn’t the smarter thing to do be to provide the delay feature in the free version so as not to have someone run into the problems I have? Who would upgrade to Pro if they kept hitting this problem?

    Plugin Support Delicious Brains Support

    (@dbisupport)

    Hi @cptwillard ,

    We appreciate the feedback. I will notify our product team of this feature request, so that they can consider this for a future version of WP Migrate Lite.

    Let us know if you have any other questions.

Viewing 7 replies - 1 through 7 (of 7 total)
  • You must be logged in to reply to this topic.