Wordpress - New Post Error

Hi,

For a few weeks now, a challenge is fired when I try to make a new post in WordPress. I have to whitelist my IP every day before posting new stuff on my website.

URI: /wp-json/wp/v2/posts/201472?_locale=user

Type: waf

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36

Can you check why that is happening and fix it in your rules if there is some error there?

Thanks

This is probably triggered by the OWASP ruleset in the WAF. It is fairly common - if you don’t want to whitelist your IP, you can lower the sensitivity of it under ‘Managed Rules’:

https://support.cloudflare.com/hc/en-us/articles/115002581127-A-request-was-blocked-by-rule-981176-what-does-that-mean-

https://support.cloudflare.com/hc/en-us/articles/360002866492-Managing-the-OWASP-rule-set-in-the-WAF

Thank you.

Is it safe to lower sensitivity?

Hi,

I’ve just checked it. Lowered the sensitivity to low, but I still got the same error and have to whitelist the IP.

Ok, I do have a WordPress site that has exactly the same issue. I currently whitelist the IP that I am using. If you look at the challenge in your firewall events log, it should tell you exactly what rule(s) were triggered and why they got challenged. You can then look and see if you can just disable specific rules, rather than turning it completely off…

I am on mobile at the moment, but will test a bit when back at a computer 🙂

Don’t know if yours is the same, but for me, just saving a post without my IP whitelisted triggers the rule IDs below, from various groups in the OWASP ModSecurity Core Rule Set. Short of disabling them, I am not sure what other alternatives to whitelisting your IP you have, I can confirm that even with the sensitivity set to Low, it still triggers these rules. Maybe someone else has an idea?

OWASP Inbound Blocking
981176

OWASP Generic Attacks
950120
960024
981133

OWASP SQL Injection Attacks
950901
959070
981231
981243
981245
981246
981248
981257
981305
981307
981311
981317

OWASP XSS Attacks
973300
973332
981018

OWASP Slr Et Lfi Attacks
2000001

OWASP Slr Et RFI Attacks
2000003

OWASP Slr Et SQLi Attacks
2000004

OWASP Slr Et XSS Attacks
2000006

I have had a response from support on the issue:

If you’re encountering false positive due to the WAF, there are 3 actions that you could take here:

  1. Add the IP(s) doing the request to the IP Firewall as allowlisted, if the users connecting to your backend are always using the same IP
    This is the best solution as it does not affect the site security.
    How do I control IP access to my site?
  2. Disable the affected WAF rule(s)
    This will reduce the security of the site, but will stop the requests from getting blocked / challenged.
    How do I configure the WAF?
    If the rule blocking is 981176, it means it was blocked by the OWASP rules. You need then to decrease the OWASP sensitivity: a request was blocked by rule 981176, what does that mean?
  3. Disable the Web Application Firewall from the requested endpoint (not recommended!)
    This will result in lower security, as the WAF will no longer be applicable on that location.
    This action is done by using Page Rules:
    Understanding and Configuring Cloudflare Page Rules (Page Rules Tutorial)

Hope this problem will be resolved in the near future, as whitelisting the IP every day is not a good solution.

I don’t think that anything will change with it, I think those 3 options are really the only ones.

It is not happening for every WordPress site, so there has to be some reason.

I’ve used Cloudflare+WordPress for years without problems. It started happening only a few weeks ago.

I am not sure, but it may have started happening when I changed from Apache to nginx. Do you also use nginx on your server?

Is this site on a different plan to your others? The free plan does not include WAF as far as I know, but the paid ones do.

I have been using a paid plan for years without this problem. I more suspect the change to nginx, as it acts as some kind of proxy (I'm not a big expert in it, but reverse proxy is a term I’ve read many times).

It may confuse the WAF with it.

I’m not sure, just noticed this on mine when it went from Free to a premium plan… @cloonan, @cs-cf?

I haven’t changed anything, but it stopped happening to me. It now allows me to make a new post without whitelisting my IP.