Do you have any idea which application is doing that? It tries to modify the value of wp_user_roles which is one of the most important in the wp_options table.
You can whitelist localhost to let it go: “NinjaFirewall > Firewall Policies > Intermediate Policies > IP > Scan traffic coming from localhost and private IP address spaces”, select “No” and save the new changes.
Not sure what app, if any is doing that… My host – who looked into it, suggested it may be page caching – and to lower the timeout, but that didn’t make a difference. The next test is to disable caching temporarily.
Note that no changes were made to the WP install – and that this “event” simply started after the latest NinjaFirewall updates…
I’ll try your whitelist suggestion. However, does that mean it will no longer “block?”
Yes, it will no longer block it, but that will apply to your request coming from localhost, not from a public IP.
However, before doing that I recommend to try to find out which plugin or theme is doing that: you can scan your wp-content/themes/ and wp-content/plugins/ folders and search for wp_user_roles.
That new protection was added to 3.8 after we noticed some hackers were trying to modify the wp_user_roles data by exploiting vulnerabilities found in two popular plugins lately. They try to give subscribers all admin capabilities such as manage_options etc.
When you say “scan” what are you suggesting? Just looking at the database tables? A little hint would help.
Also – can you say which plugins those were so I can check to see if I have them installed?
BTW, appreciate your quick responses! Very rare these days!
Thanks – luckily we’re not using those two plugins. But what is a quick way to scan the contents of php files other than manually loading them into an editor and using a text search?
I used the String Locator plugin to search all WordPress files.
Oddly enough – the only one that had wp_user_roles was the Ninja Firewall plugin! (in wp-content/plugins/ninjafirewall/lib/utils.php)
The only other instance was in the WordPress Core (wp-includes/class-wp-roles.php)
One last question before I get some sleep. I noticed this setting in the Intermediate Policies – about “block localhost IP for GET/POST requests”
Is this maybe why we’re having issues?
Should I NOT block localhost IP?
“block localhost IP for GET/POST requests” is not your issue. It is used to block a GET or POST payload that includes the localhost IP (e.g., ?foo=127.0.0.1).
wp-content/plugins/ninjafirewall/lib/utils.php and wp-includes/class-wp-roles.php are the only 2 files that should contain the wp_user_roles string.
I guess the original question remains – what do you think is triggering this result from the firewall?
CRITICAL - 127.0.0.1 POST /wp-admin/admin-ajax.php - Blocked attempt to modify WordPress settings - [option: wp_user_roles, value: Array]
Is this truly a “Critical” thing to be concerned with – or should I just shut off mentions from localhost sources? I read in the plugin that you suggested this could be a SQL injection type attack?
It is not a SQLi attack, it’s a call to the WordPress API via admin-ajax.php. You need to find out where does it come from. It’s from the localhost, maybe it’s a cronjob?
You can catch the request and write the POST payload to a file in order to see what is being sent:
1. Open the wp-admin/admin-ajax.php script.
2. Right before the define( 'DOING_AJAX', true ); line, add this code:
if ( $_SERVER['REMOTE_ADDR'] == '127.0.0.1' && $_SERVER['REQUEST_METHOD'] == 'POST' ) {
file_put_contents( __DIR__ .'/ajax.log', print_r( $_POST, true ) );
}
3. Wait for the next attempt, and check the wp-admin/ajax.log log.
Delete this code when you don’t need it anymore.
Thanks for the file mod. I was able to capture what was going on… and it seems harmless – but I’ll detail them here. Maybe you can help determine why this is being logged as a change to user roles? Doesn’t appear to be?
These three log entries only happened when posts with EMBEDDED Google Maps… does Google Maps trigger something?
Array
(
[action] => entry_views
[_ajax_nonce] => bbc0d79a62
[post_id] => 4701
)
and
Array
(
[data] => Array
(
[wp-refresh-post-lock] => Array
(
[post_id] => 4701
[lock] => 1545516072:1
)
)
[interval] => 15
[_nonce] => 4d403a9651
[action] => heartbeat
[screen_id] => post
[has_focus] => false
)
And
Array
(
[action] => entry_views
[_ajax_nonce] => bbc0d79a62
[post_id] => 5126
)
And this one seems to be just an image optimizing plugin:
Array
(
[action] => shortpixel_image_processing
)
Any ideas?
None of them are/seem related to your issue. Also, they all connect from the same localhost IP? Do you have a reverse proxy which would explain why REMOTE_ADDR is set to 127.0.0.1? Go to NinjaFirewall “Overview” page and check if you have a warning about that. If you do, you’ll need to use the .htninja file to forward the correct IP.
