Forum Replies Created

Viewing 15 replies - 421 through 435 (of 471 total)
  • Plugin Support wfmark

    (@wfmark)

    Hi @supervinnie41, thanks for reaching out.

    Could you please do the following steps for me:

    • Go to the Wordfence > Tools > Diagnostics page
    • In the “Debugging Options” section, check the circle “Enable debugging mode” 
    • Click “Save Changes”.
    • CANCEL any current scan and start a NEW scan
    • Copy the last 20 lines or so of the activity log (click the “Show Log” link) once the scan finishes and paste them in this post.

    Wordfence > Tools > Diagnostic > Debugging Screenshot

    This will help me see exactly what is happening when the scan fails.

    Additionally, please send a diagnostic report to [email protected]. You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

    Let me know if you have any questions!

    Thanks,

    Mark

    Plugin Support wfmark

    (@wfmark)

    Hi @acurran, thanks for reaching out.

    Please check and make sure that you have not blocked access to the “wp-admin” directory with a “.htaccess” file or limited access to it via another method. If you have, make sure to allow your server’s IP address to access this directory. Also, check if you have Memcache running on your server. Memcache may have to be restarted twice in order for the object cache to remove the saved Wordfence scan cronkey.

    If you have already tried the troubleshooting steps above, please send a diagnostic report to [email protected]. You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    Let me know if this helps.


    Thanks

    Mark. 

    Plugin Support wfmark

    (@wfmark)

    Hi @webexs, thanks for getting back to us.

    The Wordfence firewall has a rule turned on by default in Wordfence > All Options that checks for directory traversal attempts. Wordfence prevents directory traversal by matching patterns in URL requests to your site, such as “../../”, which are attempts to access the directory and the contents of the wp-config file, such as the database connection information, and should be blocked.

    If you are 100% sure that this is a false positive, you can click on the “ADD PARAM TO FIREWALL ALLOWLIST” button on the Live Traffic Entry to allowlist it.

    Let me know if this helps.

    Thanks,

    Mark.

    Plugin Support wfmark

    (@wfmark)

    Hi @alexliii, thanks for getting back to us and sorry for the late response.

    As a workaround, you can enable the “Allow remembering device for 30 days” option so users don’t need to use 2FA every time they use the same browser to sign in under Wordfence > Login Security > Settings, or add the administrator IP addresses under “Allowlisted IP addresses that bypass 2FA and reCAPTCHA”.

    I hope this helps.

    Thanks,

    Mark

    Plugin Support wfmark

    (@wfmark)

    Hi @binaryfabric, thanks for getting back to us.

    If you haven’t had valid users complain that they have been locked out, you can leave the threshold score at 0.9 for now.

    The 2FA and reCAPTCHA functionality is only supported for the default WordPress/WooCommerce login and registration pages. For the checkout process, rate limiting would be the best approach.

    Thanks,

    Mark

    Plugin Support wfmark

    (@wfmark)

    Hi @thedetoureffect, thanks for getting back to us.

    With Wordfence enabled, please attempt a sign-up, then head over to Wordfence > Tools > Live Traffic (Expand All Results) and share with us a screenshot of any live traffic entries of the failed sign-ups. If there’s nothing there, it may require the Traffic Logging Mode to be changed temporarily to ALL TRAFFIC, and re-attempting the sign-up to log it.

    Remember to obscure the IP address and hostname on the screenshot you send us.

    Thanks,

    Mark

    Plugin Support wfmark

    (@wfmark)

    Hi @mtnweekly, thanks for getting back to us.

    With time, Google should recognize that those paths are not useful to crawl. 

    If the issue is still persistent, could you please share a few URLs you’re seeing?

    Thanks,

    Mark.

    Plugin Support wfmark

    (@wfmark)

    Hi @jstepak, thanks for reaching out.

    Can you please confirm the IP address these attacks are coming from? We have previously seen this when hosts modify core files, which is common for most hosting providers.

    For context, these blocks are triggered by hitting example[.]com/wp-admin/install.php, which in return generates the blocked by firewall for WordPress New Install File Probing.

    These types of attacks are explained in detail here: https://www.wordfence.com/blog/2017/07/wpsetup-attack/ 

    Please note we do not recommend blocking IPs permanently, as Wordfence is already blocking them, and attackers rarely reuse IP addresses. For more information on blocking, please check out the resources below:

    https://www.wordfence.com/help/blocking/#ip-address 

    https://www.wordfence.com/blog/2017/11/should-permantly-block-ips/

    Let me know in case you have any further questions.

    Thanks,

    Mark.

    Plugin Support wfmark

    (@wfmark)

    Hello @supervinnie41, and thanks for sharing your thoughts about Wordfence!

    Are you using reCAPTCHA on your login pages? I suspect the human/bot threshold score set on your site is too high. Any “Verification Required” messages and emails are related to the message Google will send back when the user fails to be confirmed as human by reCAPTCHA checks.

    We don’t receive inside information from Google about why a human may sometimes receive a low enough score to always require verification. The “reCAPTCHA human/bot threshold score” setting in Wordfence > Login Security > Settings is set to 0.5 by default. A higher threshold setting like 1.0 will cause the verification process to be more frequent as it would need to definitely be seen as a human to log in without verification. I recommend setting that to 0.5 and then using the “Run reCAPTCHA in test mode” option below that for a short time to see what sort of scores you see during your logins. You may need to reduce or increase the threshold score slightly after looking at the test mode score.

    That said, this could be an issue with plugin/theme conflicts too. Double-check the browser console for red errors that might hint at issues with the reCAPTCHA on this page. If our scripts don’t load properly due to an error earlier in the loading process, this is the most common cause of such behaviour. The best way to test is to run Wordfence as your only enabled plugin and also revert to a default theme such as Twenty Twenty-Three. If you are able to log in, then re-enable your plugins and theme one by one until it breaks again to help find the cause.

    Thanks,
    Mark.

    Plugin Support wfmark

    (@wfmark)

    Hi @binaryfabric, thanks for reaching out and sorry for the late response.

    Can you please confirm the “reCAPTCHA human/bot threshold score” you have set in Wordfence > Login Security > Settings? The threshold is set to 0.5 by default. A lower threshold setting like 0.3 might allow bots too often, while setting it higher like 0.6 or 0.7 might block them out. Note that sometimes valid users might be blocked out when the threshold is high.

    General treatment of bots can also be set in the Rate Limiting section of Wordfence > All Options to limit how many pages visitors and automated crawlers can access your website per minute as described in this article https://www.wordfence.com/help/firewall/rate-limiting/

    I would recommend setting Rate Limiting Rules to these values to start with:

    Rate Limiting Screenshot

    It is also worth mentioning that our 2FA and reCAPTCHA features are only supported for the default WordPress/WooCommerce login and registration pages and may not work on custom versions of these pages created manually or by other plugins/themes, that is in case you are using a custom login page. 

    Thanks,

    Mark.

    Plugin Support wfmark

    (@wfmark)

    Hi @anafasia, thanks for reaching out.

    We have seen the “Scan Engine Error: The signature on the request to start a scan is invalid. Please try again.” message solved by deactivating and reactivating Wordfence or a complete plugin reinstallation in the past, so that could be worth a try. You can choose to keep plugin settings when deactivating Wordfence from the WordPress > Plugins page.

    This issue has sometimes been caused by caching, so it might be good to clear any caching plugins or site caching you have enabled to see if it rectifies the issue. Also, ensure that Wordfence > Tools > Diagnostics > Debugging Options > Start all scans remotely isn’t enabled.

    If that doesn’t solve the issue, please do the following for me:

    • Go to the Wordfence > Tools > Diagnostics page
    • In the “Debugging Options” section, check the circle “Enable debugging mode”
    • Click “Save Changes”.
    • CANCEL any current scan and start a NEW scan
    • Copy the last 20 lines or so of the activity log (click the “Show Log” link) once the scan finishes and paste them in this post.

    This will help me see exactly what is happening when the scan fails. Additionally, please send us a diagnostic report from the “Diagnostics” page to [email protected]. You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    The log plus diagnostics would give us a good amount of information to try getting to the bottom of it for you.

    Thanks,

    Mark.

    Plugin Support wfmark

    (@wfmark)

    Hi @ashoklale, sorry to hear that you’re having problems with this.

    Could you please provide us with an approximate time and date when the error occurred? You can click the “Get your Wordfence License” button again if need be.

    Additionally, please send a diagnostic report to wftest @ wordfence.com. You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

    Thanks,

    Mark.

    Plugin Support wfmark

    (@wfmark)

    Hi @scruffy1, thanks for reaching out to us.

    Can you please confirm the setting you used to block this domain?

    If you want to block traffic where the referral headers come from a specific domain, please try this:

    1) Go to Wordfence > Firewall > Blocking
    2) Choose a Custom Pattern
    3) Put *allbrands.com* for the Referrer
    4) Put anything for the block reason

    This method, of course, can also be used for other IPs or referrers in the future for similar issues from other sources.

    Let me know if this helps.

    Thanks,

    Mark.

    Plugin Support wfmark

    (@wfmark)

    Hi @mrg14071972, thank you for reaching out to us.

    In the past, we have had instances where Wordfence was deactivated due to a failed auto-update.

    I recommend disabling auto-updates for the Wordfence plugin. You can do this on the WordPress Plugins page or under Wordfence > All Options > General Wordfence Options by unchecking the “Update Wordfence automatically when a new version is released” option.

    To receive an email alert when a new version of Wordfence is available, set the “Alert me with scan results of this severity level or greater” option to at least “Medium” under Wordfence > All Options > Email Alert Preferences.

    If auto-updates for Wordfence are disabled at the moment, please enable the “Email me if Wordfence is deactivated” option under Wordfence > All Options > Email Alert Preferences. You should receive an alert in the format below the next time Wordfence is deactivated.

    A user with username “Username Here” deactivated Wordfence on your WordPress site.
    User IP: XXX.XXX.XXX.XXX
    User hostname: XXX.XXX.XXX.XXX
    User location: Town, Country


    Additionally, please ensure your site has strong passwords for all admin accounts and enable 2FA & reCAPTCHA features. This significantly reduces the possibility of plugins being disabled by a malicious source.

    Let me know how it goes.

    Thanks,

    Mark

    Plugin Support wfmark

    (@wfmark)

    Hi @gtcdesign, thank you for reaching out to us.

    From the description above, it seems you have enabled the “Immediately lock out invalid usernames” option in the Brute Force Protection section.

    Wordfence will immediately lock out anyone who attempts to log in with an invalid username when the option above is enabled. Please note that your real users may mistype their usernames and get locked out. We recommend enabling this feature for sites that have a low number of users, such as 1 or 2 administrators and/or possibly a few editors.

    To disable this, access the Wordfence > Firewall > Manage Brute Force Protection section and uncheck the “Immediately lock out invalid usernames” option. Remember to save your changes.

    You can also find and unblock the IP address of the users that are locked out on the Wordfence > Firewall > Blocking page. Select the checkbox next to the block entry, then click the “Unblock” button.

    Just to confirm, are you using the default login flow or a membership plugin? If by any chance you are using WooCommerce, please be sure to enable WooCommerce integration under Wordfence > Login Security > Settings.

    Let me know if this helps.

    Thanks,

    Mark
