I am trying to post a comment with a picture attachment to my own WordPress site, logged in as admin.
I am getting an error page “Sorry, you have been blocked”.
In the Firewall Event Log, it says that rule “REQUEST_BODY” has been triggered. The triggered rule ID is WP0015.
This used to work before.
Same here except I don’t have a rule id
I get exactly the same error when trying to upload a picture in a comment (as part of a reviews plugin). Rule ID is WP0015.
I’ve searched the internet for hours, but there doesn’t seem to be a solution for this dreaded “Sorry, you have been blocked” issue.
It’s really frustrating.
Hi @frank5, @julien3 and @stefan.rohlfing,
Sorry you didn’t get a reply before now.
The rule ID WP0015 is from the Cloudflare Managed Ruleset, WordPress group. It is described as
Wordpress - XSS - CVE:CVE-2015-3440
I would think that you must all have
enabled. You can find that specific rule on page 3 of the rules in that group
I guess you have two options really, you could whitelist your IP address under Firewall > Tools > IP Access Rules so you are not blocked by the WAF. Alternatively, you could disable that specific rule within the WordPress group, however, that will disable it for everyone.
I don’t have that firewall rule. It’s not listed under Managed rules, and I don’t have anything defined under “Firewall Rules”.
Whitelisting my IP address wouldn’t solve the problem, because I want all users of my website to be able to upload attachments with their comments.
Are you able to post a screenshot of the managed rules page in your Cloudflare dashboard?
Can you also let us know which plan you are on? Free/Pro/Business/Enterprise
Hi @domjh!
Thanks for helping us out.
On my side I’m on the Free plan, and this is a screenshot of the managed rules page:
Also whitelisting IPs won’t work because I’d like users to be able to upload images with their comments (I assume the other people who have the same problem want this as well). I’d be happy to disable this rule if I got the option, but now the only thing I was able to do is disable Cloudflare on my site.
My situation is the same as @julien3
That is odd, as on the free plan, you don’t usually have those rules enabled. Are you able to post a screenshot of the entry in the firewall events log that shows it being triggered? You can click on the event to expand details which would be useful to have.
Do you happen to have Cloudflare’s WordPress plugin installed, at all? I wouldn’t expect this to affect it as again, it should only enable these rules on paid plans. However, just a thought given that they don’t show up in your dashboard…
Which plugin is everybody using that’s doing this? I’d like to give it a try on my test site and see if I can replicate the problem.
I have exactly the same issue since August, before no problems.
Also on the free plan. I tried everything to solve this with page rules, firewall rules but this all seems not to work. Even when you disable WAF on the page.
No plugin used for this. I figured out that it is with pictures larger than 100kb. Below or without picture you don’t get the error.
Thanks for the info and the screenshot, @pieterjan.
That is really strange. The fact that you are on the free plan, but have WAF rules firing is the main puzzling thing for me, especially with no plugins used. The Rule group being ‘Unavailable’ is also a bit odd, as I would expect that to show as the Managed Rules - WordPress group…
I will see if I can replicate this on a test site and what I can work out…
I must be overlooking something. AFAIK, standard WordPress doesn’t let comment writers add attachments or images.
I wonder if you click Exclude, what exactly does it disable? That specific rule applying to that specific URL?
If you click exclude it is just removing the specific rule id from the list in Cloudflare but doesn’t do anything for the rest…
WordPress doesn’t have this by default indeed but you can create a function for this that can upload images with the comment. But for example the plugin below does the same:
I have managed to reproduce this on a test site and will keep you updated…
Looking further into this.
Update:
I am currently in discussion with support about this and will keep this thread updated.
Though the free plan does not grant access to the WAF app, there seem to be a couple of rules that apply universally regardless of plan level.
Thank you, @cbrandt - missed that! I guess the question now is how to disable that if you don’t want it!
@domjh, you’re welcome!
That plugin is not available for download. WordPress.org says it’s closed
This plugin has been closed as of July 25, 2019 and is not available for download. This closure is temporary, pending a full review.
That normally means the plugin has a security issue, and they are probably waiting for the plugin authors to patch it so it becomes safe. This is normally done within a couple weeks; the plugin was suspended over a month ago.
An alternative to disabling the WAF rule would be rewriting the function/plugin code in light of the vulnerability that’s being protected against. This way you’d prevent the WAF rule from being triggered in the first place, as opposed to doing away with the protection itself.
I tested this with a different plugin that is currently supported and had the same issue.
Installed this one on my test site: