Thanks for reaching out.
Is your FIREWALL optimized like we answered in that FORUM topic?
OPTIMIZING the FIREWALL allows it to load BEFORE WordPress does, which means that the blocking WOULD work.
Mia
Thread Starter
dimal
(@dimalifragis)
Hello. Yes Optimized (auto prepended).
Thread Starter
dimal
(@dimalifragis)
Also tested with LiteSpeed Cache (uses mod_rewrite mode), WP Super Cache (uses PHP mode in Easy Default mode), Fastest Cache (tested with both PHP and mod_rewrite mode). Same results. Tried also PHP 7.4.x and PHP 8.0.x.
I also installed a fresh WP 6.2 on a staging site, with no plugins or other things, and the issue is also there.
This seems to be the case for me, too. My Wordfence is using “extended protection”. WP Super Cache is in “expert” mode. In the htaccess file, WF’s block is first, then WPSC’s, and finally WP’s.
I tested by turning on “all traffic” and including my (logged-in user) own for Wordfence’s live traffic. Then I went to another browser and went back and forth between two stories that I knew were cached. Neither of them was logged by WF, only as referrers to the Ajax-loaded feed in the sidebar.
Then I deleted the WPSC cache and loaded the stories. They were now logged by Wordfence. Then I went back and forth among them again (now that cached copies would have been created), and they were not logged.
I suppose the fact that the ajax-loaded feed in the sidebar is still logged on cached pages means that in my setup Wordfence would still catch bad actors. Also, each cached file is set to persist only 1 hour, so there’s still a good chance that bad actors would get a noncached file.
Thread Starter
dimal
(@dimalifragis)
@ericr23 Can you try to use WPSC in EASY mode (php) and clean your .htaccess from WPSC stuff?
Then ENABLE Late INIT in WPSC, clear caches and test again?
That appears to work! Each reloading of a post is logged.
I tested it in WPSC “expert” mode, too, and it did not work.
Thread Starter
dimal
(@dimalifragis)
Yep, appears to work for me also BUT still Rate Limiting doesn’t.
This is POOR TESTING and also a huge risk for people that use Wordfence and ANY caching plugin. People think they are protected but they are NOT.
And that from a 4 million installations plugin.
Thread Starter
dimal
(@dimalifragis)
@ericr23 Use only Caching plugins that use PHP mode and NOT mod_rewrite. mod_rewrite mode happens earlier than WordPress (in .htaccess) so the cache is already served to the visitors.
Use WP Super Cache in easy mode, Comet Cache or the great fork Rapid Cache or Fastest Cache. Fastest Cache needs some directive in wp-config to switch to PHP mode, since as it is (default) it uses mod_rewrite.
Also “late init” in WP Super Cache (“Display cached files after WordPress has loaded”). (I tested easy/simple mode without late init.)
Thread Starter
dimal
(@dimalifragis)
I’m curious if we get a clear reply from their support here. A CLEAR reply.
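
Added example (not part of the thread, and not Wordfence's or any cache plugin's code): a small Python check for the situation discussed above, where a cache plugin's mod_rewrite rules hand cached HTML to visitors before PHP starts, so a firewall loaded through `auto_prepend_file` never sees those requests. The `.htaccess` text is a constructed sample, and the function and key names are hypothetical.

```python
import re

# Constructed sample .htaccess (not from the thread): firewall prepend block,
# then a cache plugin's mod_rewrite block, then WordPress's own rules.
SAMPLE_HTACCESS = """\
# Wordfence WAF
<IfModule mod_php7.c>
php_value auto_prepend_file '/var/www/example/wordfence-waf.php'
</IfModule>
# END Wordfence WAF
# BEGIN WPSuperCache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/supercache/%{SERVER_NAME}/$1/index.html -f
RewriteRule ^(.*) "/wp-content/cache/supercache/%{SERVER_NAME}/$1/index.html" [L]
</IfModule>
# END WPSuperCache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

RULE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+("[^"]*"|\S+)', re.I)
PREPEND = re.compile(r'^\s*php_value\s+auto_prepend_file\s+\S+', re.I | re.M)
STATIC_EXT = (".html", ".htm", ".gz")  # files Apache serves without running PHP

def static_cache_rules(text):
    """Return (line_no, target) for RewriteRules that rewrite to a static file."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line)
        if m:
            target = m.group(2).strip('"').split("?")[0].lower()
            if target.endswith(STATIC_EXT):
                hits.append((no, target))
    return hits

def audit(text):
    """A PHP-prepended firewall only runs when PHP runs; static rewrites skip it."""
    hits = static_cache_rules(text)
    return {"php_prepend_configured": bool(PREPEND.search(text)),
            "static_rules": hits,
            "cached_pages_skip_php_firewall": bool(hits)}

if __name__ == "__main__":
    print(audit(SAMPLE_HTACCESS))
```

The order of the blocks in `.htaccess` does not change the result: `auto_prepend_file` is a PHP setting, so it has no effect on a request that Apache answers with a static file.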