wfmark

Hi @jakeparis , thank you for reaching out.

Unfortunately, it is not possible to use a different database for firewall data only as the connection information is pulled from wp-config.php. The tables used are expected to be the same both at the Wordfence Application Firewall level and the WordPress level.

The option to define WWAF constants should be used when your database settings cannot be read automatically from wp-config.php.

By default, Wordfence stores firewall data in ~wp-content/wflogs/. The option to use an alternate database makes it possible for sites to store firewall data in the MySQL database instead.

Please note that we only recommend using this option if your site is unable to read and write to the firewall files consistently, or if your host uses multiple web servers that do not share the same filesystem, since better performance and efficient resource usage are likely when using the default file-based storage on most hosts.

Let me know in case you have any further questions.

Thanks,

Mark

Hi @arsah , thanks for reaching out.

I tested IP-blocking on my end, and it is working as expected. Did you block the IP via the Wordfence > Firewall > Blocking > IP Address section?

If so, can you please confirm that you have blocked your public-facing IP address? It should be the same as the IP listed here – https://whatsmyip.com/ on the device you’re using to access the site.

If your IP address is blocked, you should see a Wordfence “Manual Block by Administrator” blocking page when you access the site.

You could also try clearing the cache on your browser or adding a cache-busting string to the end of the URL, such as /?no=cache, as you may be viewing a cached page.

Let me know how it goes.

Thanks,

Mark

Hi @thomasdpswe , thanks for reaching out.

These are files generated by  SimplePie or other caching plugins to speed up the site. This is very common for caching plugins and should be safe to ignore.

You should be able to select “Ignore” for the results in the Wordfence > Scan page so that it does not appear in subsequent scans under the “Results Found” tab. It will appear under the “Ignored Results” tab instead.

Thanks,

Mark.

Hi @joeyjosay , thank you for reaching out.?

To see the targeted file, please check Live Traffic at the same timestamp for additional information via Wordfence > Tools > Live Traffic > Show Advanced Filters > Filter > IP = (enter 209.38.200.253 in the IP field and click enter). The Live Traffic entries have more details about the block.

Another option is to check the raw access logs on the server for the IPs and hits around that time.

In most cases, a vulnerability in a specific plugin or version of WordPress isn’t tested in advance, and an attack will just hit a site, hoping something will work. Therefore, it’s best to stay up-to-date with WordPress & plugins and let Wordfence protect the site.

Increases in attacks and blocks can be alarming to see, however, in this case, there is no further action needed with Wordfence blocking the hits. 

Thanks,

Mark

Hi @satellitewp , thank you for reaching out.

Can you please confirm if you’ve entered a valid license or gone through the process to get a new license for each site after installing the plugin on the sites? You will need to enter a license after installation to complete the setup.

Usually, the yellow “Wordfence installation is incomplete” bar indicates that you haven’t installed a new or existing license or that the admin email address has been removed from the Wordfence settings.

If you’re seeing this error when a license key is installed, please click the “Resume Installation” button while keeping a Browser Console open to see if you can detect any JavaScript errors or files that fail to load. If you see any red text in the console, please take a screenshot and send it to me.

Thanks,

Mark.

Hi @perfectfit , thank you for reaching out.

With Wordfence activated, could you please request one of the users to attempt commenting on a post, then head over to Wordfence > Tools> Live Traffic (Expand All Results), if Wordfence is blocking this, there should be an entry that explains more about the traffic and why Wordfence took the actions it did. Please share a screenshot of any blocked entries and share it with me.

There’s also a possibility that this could be a false positive. Sometimes, plugins or themes may exhibit behaviour that resembles known attack patterns, resulting in the Wordfence Firewall blocking something that is not malicious. I suggest we try switching the Firewall to Learning mode, as it might help Wordfence allow comments on the post. 

From the Wordfence Dashboard, click on Manage WAF. Then, you will see  Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode. Now proceed to post a comment. This will help Wordfence learn that these actions are normal and will allow them in the future. After you have finished the user registration, switch the WAF from Learning Mode back to Enabled and Protecting, then test to see that users can still comment.

https://www.wordfence.com/help/firewall/learning-mode/ is an amazing resource for learning more about the WAF and learning mode.

Thanks,

Mark.

Hi @farehamweb, thank you for reaching out.?

Could you please confirm if you are seeing any Wordfence-related error message on your end when you try to log in?

When logged in to wp-admin from your hosting account, head over to Wordfence > Tools> Live Traffic (Expand All Results) and share a screenshot of any live traffic entries of the failed login attempts. If there’s nothing there, the Traffic Logging Mode may need to be changed to ALL TRAFFIC temporarily, and then re-visit the site to log the attempt.

You could also try to rename the /wp-content/plugins/wordfence directory to wordfence.bak, then see whether you’re able to log in. This will help determine whether Wordfence is preventing you from signing in.

Additionally, please send a diagnostic report to wftest@wordfence. \com using the link at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

Thanks,

Mark.

You’re welcome, @voodoochill.

Are you always using the same device and browser when these issues occur or when the login is successful? If you’re using a different device or browser with different extensions, the low scores may be related to that.

Thanks,

Mark.

Hi @birken,

To resolve the issue before our next update, you can disable the “Scan for out-of-date, abandoned, and vulnerable plugins, themes, and WordPress versions” in the Wordfence > Scan > Manage Scan > General Options section. Remember to save your changes.

That will make it so the scan no longer checks for plugins that need updates. You can still check your Plugins area to confirm which plugins need to be updated and update those there. After updating Wordfence the next time, please re-enable that option and see if the issue persists.

Thanks,

Mark.

Hi @wpfanar, thanks for reaching out.

Wordfence runs the wordfence_syncAttackData script to ensure malware signatures and rules are up-to-date with the latest ones we have released and to update the Live Traffic page. Usually, 403 or 503 blocks by the firewall trigger the need to sync, so seeing syncAttackData triggered with one of these HTTP error codes is expected.

If you start seeing these requests excessively, your server’s IP address may be blocked. I recommend checking your Wordfence > Tools > Diagnostics page to see if you’re getting any errors under the Connectivity section> Connecting back to this site.

Let me know what you find.

Thanks,

Mark.

Hi @jasonmac_75 , thanks for reaching out.

I suspect this could be a caching or a plugin conflict related issue. Please clear cache on your browser and on your caching plugin (If applicable), then check for conflicts.

The best way to test for conflicts is to run Wordfence as your only enabled plugin and also revert to a default theme such as Twenty Twenty-Three. If you are able to log in, then re-enable your plugins and theme one by one until the issue recurs to help find the cause.

Additionally, please send us a diagnostic report to wftest@ wordfence.com?  You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. There, click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

Let me know how it goes.

Thanks,

Mark.

Hi @withabitofgrace, thanks for reaching out.

From the description above, it looks like you were locked out exceeding the maximum login failures set under Brute Force Protection settings. The block should expire after the amount of time set in Wordfence > All Options > Brute Force > Amount of time a user is locked out.

If you’re still locked out, you can try using the unlock email function provided on the block page for site administrators.

If the option above doesn’t work for you, you will need to disable Wordfence manually via FTP/cPanel.

• Open the FTP client and connect to your site via FTP/SFTP, depending on your setup.
• Once you successfully connect to your site via FTP/SFTP, navigate to the wp-content folder.
• Browse into the plugins folder.
• Find the wordfence folder 
• Right-click on the folder and rename it to wordfence_bak
• Once you have logged in to your WordPress admin you can name the folder back to wordfence again.
• Refresh your dashboard and you should be able to see Wordfence Active again. If not, go to the Plugins page and Activate it.

Let me know in case you still have issues.

Thanks,

Mark.

Hi @smwordpress , thanks for reaching out.

\x0A is a non-printable/hidden character.

I suspect this could be a false positive because the NatWest plugin is sold separately and is not listed on www.ads-software.com. Sometimes, plugins create files containing code that appears similar to malicious files but is not actually malicious.

To confirm, could you please provide the scan result information along with a copy of the file being flagged to [email protected] for our threat intelligence team to check out? Make sure any passwords, keys, or salts are censored prior to sending any files that might contain them.

You can choose to ignore this scan result so that it does not appear in subsequent scans under the “Results Found” tab. It will appear under the “Ignored Results  tab instead.

Thanks,

Mark.

Hi @voodoochill , thanks for reaching out.

Are you using reCAPTCHA on your login pages? Any “Verification Required” messages and emails are related to the message Google will send back when the user fails to be confirmed as human by reCAPTCHA checks.

We don’t receive inside information from Google about why a human may sometimes receive a low enough score to always require verification. The “reCAPTCHA human/bot threshold score” setting in Wordfence > Login Security > Settings is set to 0.5 by default. Setting that to 1.0 will cause the verification process to be more frequent as it would need to definitely be seen as a human to log in without verification. I recommend setting that to 0.5 and then using the “Run reCAPTCHA in test mode” option below that for a short time to see what sort of scores you see during your logins. You may need to reduce the threshold score slightly after looking at the test mode score.

That said, this could be an issue with plugin/theme conflicts too. Double-check the browser console for red errors that might hint at issues with the reCAPTCHA on this page. If our scripts don’t load properly due to an error earlier in the loading process, this is the most common cause of such behaviour. The best way to test is to run Wordfence as your only enabled plugin and also revert to a default theme such as Twenty Twenty-Three. If you are able to log in, then re-enable your plugins and theme one by one until it breaks again to help find the cause.

To allowlist an IP address, navigate to your Wordfence >Login Security >Settings >General and add your IP address to the “Allowlisted IP addresses that bypass 2FA and reCAPTCHA” text box. Remember to Save your settings. Another thing to note is users with 2FA enabled will automatically skip the CAPTCHA scoring and would not be required to verify via email.

Let me know how it goes.

Thanks,

Mark.

Hi @birken ,?

Unfortunately, we cannot give a  specific timeline for the release here on Forums. We are currently testing changes for the next release and will be getting that out as soon as possible.

As a temporary fix, you can disable the “Scan for out of date, abandoned, and vulnerable plugins, themes, and WordPress versions” in the Wordfence > Scan > Manage Scan section.

Thanks,

Mark.