Security Plugin on Wordpress doesn't save settings when CF is enabled

hi,

I noticed after a lot of troubleshooting that a particular security (brute force, security, etc) plugin on Wordpress does not save settings if i have CF enabled.

If you put it under development mode instead, it saves settings OK.

I already have a page rule NOT to cache the wp-admin with Cache Level: Bypass

What is it?

thanks
Gabrio

Hi,

May I ask which security plugin for WordPress are you using? :thinking:

Wonder if the security plugin scripts are in some kind of a conflict with Cloudflare’s Rocket Loader …

1 Like

hi,

It’s https://solidwp.com/security/, formerly ITSecurity

Didn’t knew they rebranded in the meantime. Seems like I didn’t used it for a long time already :thinking:

Furthermore, I’d temporary use the “Pause Cloudflare for this Site” option at the bottom right corner of the Cloudflare Dashboard → Overview tab.
Wait for few minutes.
Make sure your Website works over HTTPS as expected.

Therefrom, once you go back to the WP Admin dashboard, navigate to "Security > Settings > Configure. Scroll down to the IP Detection section and select “Manual” for PROXY DETECTION and then select CF-Connecting-IP for PROXY HEADER.
Then click on the Save button.

See here:

After that, I’d Unpause the Cloudflare and wait for few minutes.

Later on, I would navigate to the Cloudflare dashboard → Security tab → Events and load the las hour or less if available (30 minutes).

I’d try to change settings on the SolidWP security plugins.
Therefrom, if it happens multiple times the changes aren’t being saved, it could be that the SolidWP plugin requests are somehow challenged or blocked by some of the Cloudflare’s security & protection mode.

Once you find them, click on a particular one to find more details about it (user-agent, IP, HTTP version …). If yes, could you share some details which service was triggered that blocked you?

  • you should see your origin host/server IP out there and user-agent like WP-cron or WordPress/version

Just in case if you encouter some issues and/or errors, since it’s related to the WordPress, I’d suggest you to allowlist your origin host / server / hosting IP address by navigating to the Security → WAF → Tools → IP Access Rules with the action “allow” for your Website and try again.

It knows to happen due to the WordPress using HTTP/1.0 and empty user-agent, therefore while executing WP-Cron or some other related JSON/REST API request via plugin which triggers the WAF rules (as it should normally).

Otherwise, you could try to disable the Rocket Loader and/or Auto Minify (HTML, CSS, JS) which could somehow have an impact, if so, but I doubt (should be rather some cache).

Rather, could be Ajax then and some Bot Fight Mode or Browser Integrity Check or JS minimization.

1 Like

Thanks for all the ideas, here’s what i tested today:

CF-Proxy detection change - no change

Rocket loader OFF - no change

Auto Minify - all OFF + rocket OFF - no change

I went to the security dashboard of CF for last 30 minutes and there’s nothing, this is while poking with changes so should’ve triggered something if there was otherwise, right?

Something interesting:

If i do change a setting, click save, then refresh (with CF on) then the setting doesn’t show it’s saved. BUT, if i then disable CF, go back to the admin and check the settings (without changing anything), i can see the setting was changed with my selection i did earlier in the first place!

It’s as-if changes are occurring but they’re not visualised on the dashboard, i think there’s some caching from the CF side that’s now showing on the WP dashboard, but effectively, i think settings are saved anyway, it’s just very odd.

Anyhow, if everything works, i can just do my settings with CF disabled, (if i want to change anything at any time), then put it back on and that should be it.

It’s not as it should be, but at least works!

Unless you have other ideas?

Cheers!
Gabrio

Thank you for feedback Gabrio :hugs:

True, yes.

Sounds like either a JSON issue, maybe the HTTP headers not alligned ( GET, POST, PUT, PATCH, DELETE, and OPTIONS) via the theme?; or some other settings?.

Or the cache :thinking:

Kindly, may I ask you to check out what option have you got selected by navigating to the Cloudflare dashboard → Caching → Configuration → find section “Browser Cache TTL” and make sure the selected option from the dropdown menu is “Respect Existing Headers”.

Furthermore, from the same menu, click on the blue button saying “Purge Everything” to flush the cache at Cloudflare Edge, just in case.

Wait for a minute or two.

Refresh a page in your Web browser

Otherwise, if your website does work over HTTPS without Cloudflare (Pausing Cloudflare for example), therefrom checking if HTTPS is okay and SSL is valid, if yes, then unpause and making sure it’s Full (Strict) SSL at the SSL/TLS tab of Cloudflare dashboard.
Nevertheless, assuming the permalinks are also HTTPS.

Wonder if you did you encountered some error in the Developer Tools (F12) → Console of your Web browser while trying to change the settings or save them? :thinking:

I forgot to ask, are you using a free or a paid version of the Solid Security? :thinking:
We could also try to find or ask a question on the WP repo of this plugin, if so:

It’s weekend, I’ll give it a shoot and see if I could reproduce this on some of my WordPress instances running behind Cloudflare too.

1 Like

I was going to answer you all the steps you asked me again, but then i had a light bulb moment i’ve found the issue :sunglasses:

So i have a 2nd site and it’s also on CF and i just checked and compared all settings with mine, a part from a few different ones, this is what made the difference:

Rules → Page Rules:

https://mydomain.com/
Cache Level: Cache Everything, Edge Cache TTL: a month

My 2nd site didn’t have any page rules, when i created all the rules in the same way my other site had it, it also stopped saving settings on Solid Security. Removed the last page rule (Edge Cache TTL a month) and voilà it works.

However, generally speaking I like that rule as it forces the cache to stay the same, is that right? My site doesn’t change that often so it’s ok, i don’t mind so it’s always super fast.

My page rules are, in this order.

https://*domain.com/*
Cache Level: Cache Everything, Edge Cache TTL: a month

https://*domain.com/wp-admin*
Cache Level: Bypass

https://*domain.com/*preview=true*
Cache Level: Bypass

In light of this finding, any thoughts?

Oh and i am on the Free plan only.

thanks!

This :point_up_2:

Kindly, reverse bottom-top since the one from above has priority and executed.

From your order, the Bypass rules never execute because Cache Everything is above them.

Page rules are prioritized in descending order in the Cloudflare dashboard, with the highest priority rule at the top

https://*domain.com/*preview=true*
Cache Level: Bypass
https://*domain.com/wp-admin*
Cache Level: Bypass
https://*domain.com/*
Cache Level: Cache Everything, Edge Cache TTL: a month

There is a feature Bypass Cache by Cookie, which is available on the Business plan at least.

However, in the meantime new features were introduced and it is possible to achieve this either via Cloudflare Worker:

Or even via the new Cache Rules:

1 Like

Argh, this is such a challenge, still not working, i just reversed the order of the rules like you said, and also put first the wp-admin one - still not saving, as long as the Cache Everything is there, that’s like a nuclear option i guess :blush:

After you chagned the order of the Page Rules, did you used “Purge Everything” from the Cache → Configuration to flush the cache at Cloudflare Edge? :thinking:

Logged out from WP admin, cleared web browser cache, login back …

Yes of course, i’ve just tested 3 times, on and off and moving rules up and down.

If i do delete the Cache everything rule, it works immediately as it should, it shows settings.

The thing is… settings ARE saved, in fact when you purge cache and reload, they appear (the latest settings applied). But they dont reflect on the dashboard.

If you go: (all 3 rules on), change settings → save - > doesn’t reflect

go to CF, empty cache

go back to WP admin and check settings, you’ll see the “fresh” settings that earlier didn’t display.

I just tried with Chrome, fresh window 0 cookies, otherwise i am running on Brave - no difference.

Ough, then there something odd here in between :innocent:

Wonder if they’re saved to the databse, or rather to some file and loaded from it (like txt, json …).

And hopefully there isn’t some origin cache (from the web hosting provider) enrolled in between, which would keep the state “as-is” for some time, if so.

1 Like

I don’t know, oh well, thanks for all troubleshootin’ man!

1 Like

Mind asking, since you’ve had Cache Everything, was there some particular reason to use it? :thinking:

I mean, by default, Cloudflare caches CSS; JS; images … as per documentation.

Did you wanted to have webpage cached, for example WordPress posts and pages as well? :thinking: Since HTML content has got cf-cache-status: DYNAMIC.

Despite I’ve linked the Bypass Cache on Cookie variants in above replies.

Just being curious.

Well, I saw this config on an article and thought it’s the best one for the use intended.

Yes, i do want to have every webpage cached, posts and pages yes.

Don’t want to have a too complicated setup either, CF is insanely complicated now, so many options, etc.

but there is something more annoying going on, i am challenged again today on login by the Captcha Loop when trying to login to my own site.

You wait 2 minutes and try again and it’s gone - wonder if it’s due to those settings not saving.

If you disable Cloudflare it works immediately.

Do you know where to disable that challenge thing? Even after you complete the captcha images, it still loops and gives me captcha again!

arghhhh

actually solved, lowered the security setting 1 step and now works OK

I’d prefer some origin HTML cache (WP Super Cache or W3 Total Cache with disk cache for HTML) and leave Cloudflare “as-is” since it’ll cache the images and other stuff.

As if you have Cache Everything, it’ll cache the logged-in and non-loggedin version, might end-up for a normal visitor to see the “admin bar” at the top while it shouldn’ see it at all and vice-versa issues.

Which is why I asked.

Otherwise, Cloudflare APO for WordPress does all the job it’s needed :wink:

Your IP could be the issue, or your Security Settings are set to high?
A rule of a thumb for my WordPress sites is to keep it at Medium.

Should be Security → Settings:

I don’t really know what to say, i just tested now in the morning and again there’s the loop with the veryfing you’re a robot, even after lowering that to LOW.

Yes, my fiber connection assigns a new IP every day, it’s the ISP, can’t change that.

captcha does not work, again.

starting to get really annoyed with this