David Adams
Forum Replies Created
OK, and thanks for the quick response!
Yes, this update has resolved the issue. Thank you.
Please feel free to close the ticket.
Forum: Plugins
In reply to: [Safe SVG] Pages Fails To Update When Optimizer Enabled
Never had GitHub props before! 1st time for everything. GitHub username is tictag. Glad I could help.
David.
Fabulous! Please feel free to close the ticket.
p.s. A welcome improvement on the speed of responses too. Double fabulous!!
I imagine the WordPress REST API like ports on a firewall and, adopting the cyber security principle of ‘least privilege’, I would prefer to close all ports by default, then open them as required for known safe connections.
How would I ‘open a port’ for this connection?
Perhaps there are two options:
(1) If you’re hitting a particular API endpoint, I could, instead of blanket disabling the entire API system, keep the one you need active.
(2) If your connection request always contains a nonce, I could disable the API only for requests that do not contain a nonce.*
Would either of these options satisfy Wordfence Central’s connection requirements?
Note: I use MainWP to centrally manage my WordPress sites. I am not familiar with their secure connection design but I know that it works with my current configuration i.e. with the WordPress REST API disabled. If they can do it, why can’t Wordfence?
*I am not a software developer and only barely understand what a nonce is (from reading the article you linked to), but it seems that a nonce must be generated by WordPress, then used by adding it to an inbound URL request – like a shared secret. If Wordfence Central is initiating the connection, e.g. to do a scan, how does it get the nonce?
- This reply was modified 1 year, 2 months ago by David Adams. Reason: typo
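One way to implement the "close all ports by default, open only what is needed" approach described in this post, as an added illustration that is not the Disable REST API plugin's or Wordfence's code: a callback on WordPress's rest_authentication_errors filter that rejects unauthenticated REST requests unless the route is in a short allowlist, while leaving authenticated requests to the normal role and capability checks. The constant and function names (LP_REST_UNAUTH_ALLOWLIST, lp_rest_route_is_allowlisted) are hypothetical; the /wordfence/v1 prefix is the namespace named later on this page.

```php
<?php
// Added illustration of a default-deny REST API gate (not the Disable REST API
// plugin's or Wordfence's code). Load it as a small mu-plugin or from functions.php.

// Hypothetical allowlist of route prefixes that stay reachable WITHOUT a login.
// Empty by default ("all ports closed"); open one only for a known, needed service.
const LP_REST_UNAUTH_ALLOWLIST = [
    // '/wordfence/v1/',   // the namespace named in this thread; uncomment only if required
];

function lp_rest_route_is_allowlisted( string $route ): bool {
    foreach ( LP_REST_UNAUTH_ALLOWLIST as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return true;
        }
    }
    return false;
}

// Priority 20: after core auth handlers have identified the user, but before
// core's rest_cookie_check_errors (priority 100), which still enforces the REST
// nonce for cookie sessions. Each endpoint's permission_callback then enforces
// roles/capabilities (authorisation) for whoever was authenticated.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( null !== $result ) {
        return $result; // an earlier callback already allowed or rejected this request
    }
    if ( is_user_logged_in() ) {
        return $result; // authenticated (cookie, application password, ...): pass through
    }
    // Core stores the requested route (e.g. "/wordfence/v1/...") in this query var.
    $route = (string) ( $GLOBALS['wp']->query_vars['rest_route'] ?? '' );
    if ( lp_rest_route_is_allowlisted( $route ) ) {
        return $result; // an explicitly opened "port"
    }
    // Log the refusal so a remote service that is failing to authenticate becomes visible.
    error_log( sprintf( 'REST denied (unauthenticated): %s %s',
        $_SERVER['REQUEST_METHOD'] ?? '-', $route ) );
    return new WP_Error(
        'rest_not_logged_in',
        'REST API access requires authentication.',
        [ 'status' => rest_authorization_required_code() ] // 401, or 403 when already logged in
    );
}, 20 );
```

Watching the PHP error log after enabling this shows which route a remote service requests and whether it arrived without credentials, which answers the "is it trying to authenticate?" question raised further down this page.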
Ahhh, very clever!! I’ve set up 2FA on one Administrator account and can confirm that 2FA is requested now. Thank you!
Please feel free to close the ticket.
I am concerned that Allowlisted URLs found during Learning Mode are too general in nature and are, therefore, allowing far more traffic through the firewall than the specific original traffic generating the rule.
In order to understand the scope of this further, the following record is recorded in nearly all of my websites:
URL: /wp-admin/admin-ajax.php
Param: request.body[editor]
In layman’s terms, what will this rule actually allow through the firewall?
I have also seen the following parameters (i.e. same URL) on some of my websites:
Param: request.body[settings]
Param: request.body[lpage_html]
The user is always me, the IP address is always mine (multiple, i.e. dynamically assigned).
- This reply was modified 1 year, 3 months ago by David Adams.
Thank you for your reply. I have proven your position to be the case by noting the ‘robots’ meta-tag before and after installation and, as you say, the WordPress setting is honoured.
I will have to put this one down to a mystery!
Please feel free to close the ticket.
Thank you, please feel free to close the ticket.
David.
This is incorrect information; there is no “allowlist” feature within the Disable REST API plugin, it simply blocks all unauthenticated requests and, by default, allows unfettered authenticated access (note: via roles e.g. Subscriber, Administrator).
So I ask again, is Wordfence attempting, or rather, why would Wordfence Central attempt an unauthenticated API request?
And I ask again:
– Could it be that the original setup failed in some way?
– Is there a way to find out whether Wordfence Central is trying to authenticate?
– Should I remove/reinstate the Wordfence Central connection?
– Are there any connection logs I can review?
This is as much a security concern as it is a functional one. Wordfence, or any external API, should never be able to access my website without first proving who they are (authentication) and even that access must be controlled (authorisation). Right now, it seems that Wordfence Central is trying to connect to my website without proper authentication.
Is there a way I can give you access to my website to troubleshoot this?
This worked perfectly, thank you!
I have taken another look at this and it seems that by default the Disable REST API plugin only affects unauthenticated API requests, denying all access. By default it allows unfettered access to all authenticated requests.
I tried enabling the /wordfence/v1 API for unauthenticated access and Wordfence Central was able to connect. Disabling the /wordfence/v1 API for unauthenticated access prevented Wordfence Central from connecting. This is repeatable.
So it seems that for two of my 14 websites, Wordfence Central is trying to access these two websites without authenticating.
Could it be that the original setup failed in some way?
Is there a way to find out whether Wordfence Central is trying to authenticate?
Should I remove/reinstate the Wordfence Central connection?
Are there any connection logs I can review?
Thank you. Update applied. Please feel free to close the ticket.
Forum: Plugins
In reply to: [GenerateBlocks] Query Loop: Random Selection Of Posts
There was a stray ‘&&’ in there, but this works perfectly!!
Thank you so much!
Forum: Plugins
In reply to: [GenerateBlocks] Query Loop: Random Selection Of Posts
After further troubleshooting…
Within your documentation, you mention that the Query Loop block makes use of the standard WordPress WP_Query() function, which does have the ability to return a random set of posts:
'orderby' => 'rand',
according to here, but the UI does not have this option.
Is it possible to modify the Query Loop query outside of the UI, or maybe add this option to the UI?