How to interpret Firewall entries in the WP Activity Log and whitelist parameters (examples)

Shield's Firewall Zone is designed to analyse data sent to your WordPress website and block any requests that appear to be malicious. It also tests GET and POST.

There are 5 Request Firewall blocking options that determine what data is checked on each page request. Depending on certain incompatibilities with other plugins, you may need to disable certain options to ensure maximum compatibility, or to whitelist parameters.

The options are as follows:

  • Directory Traversals - Blocks directory traversal paths in application parameters (e.g. ../, ../../etc/passwd, etc).
  • SQL Queries - Blocks sql in application parameters (e.g. union select, concat(, /**/, ..), etc).
  • Field Truncation - Blocks field truncation attacks in application parameters.
  • PHP Code - Blocks any data that appears to try and include PHP files. It will probably block saving within the Plugin/Theme file editors.

  • Aggressive Scan - Aggressively blocks data. It employs a set of aggressive rules to detect and block malicious data submitted to your site.

    Important: Be careful with this option. It may cause an increase in false-positive firewall blocks.

Read more about this here.

When Firewall blocks something on your site, the first thing to do is to go to your WP Activity Log and look for Firewall entries.

Once you find the Firewall entries (what's triggering the block), use the Whitelist Parameters field to whitelist parameters that's getting blocked.

How to interpret Firewall entry in the WP Activity Log and whitelist parameters

Here're a few examples of the Firewall entries and what should be whitelisted (please also see the screenshot at the end of the page):

Example #1

Request blocked by firewall rule: Aggressive Scan. Rule pattern detected: "#(`|<|>|[|]|{|}|?)#". The offending request parameter was "<?xml_version" with a value of "abcdxxxxxxxxxxx".

The parameter to whitelist is "<?xml_version". So the rule would be:

*, <?xml_version

Alternatively, you can turn off the "Aggressive Scan" option as that's the firewall rule being triggered.

Example #2

Request blocked by firewall rule: Aggressive Scan. Rule pattern detected: "https://testsite.com/". The offending request parameter was "redirect" with a value of "abcdxxxxxxxx".

The parameter to whitelist is "redirect". So the rule would be:

*, redirect

Alternatively, you can turn off the "Aggressive Scan" option as that's the firewall rule being triggered.

Example #3

Request blocked by firewall rule: Directory Traversals. Rule pattern detected: "#etc/passwd#i". The offending request parameter was "test-beta-19x" with a value of "../../../../etc/passwd".

The parameter to whitelist is "test-beta-19x". So the rule would be:

*, test-beta-19x

Alternatively, you can turn off the "Directory Traversals" option as that's the firewall rule being triggered.

Example #4

Request blocked by firewall rule: PHP Code. Rule pattern detected: "abcdxxx". The offending request parameter was "page" with a value of "abcdxxxxxxxx".

Parameter to whitelist is: 

*, page

Alternatively, you can turn off the "PHP Code" option as that's the firewall rule being triggered.

Example #5

Request blocked by firewall rule: PHP Code. Rule pattern detected: "abcdxxx". The offending request parameter was "test-field-input-url_7" with a value of "abcdxxxxxxxx".

*, test-field-input-url_7

... as that's the name of the parameter holding the value that's triggering the block.

Example #6

Request blocked by firewall rule: Aggressive Scan. Rule pattern detected: "abcdxxx". The offending request parameter was "customized" with a value of "{"old_sidebars_widgets_data":{"wp_inactive_widgets":[],"sidebar-1":["search-2","recent-posts-2","recent-comments-2","archives-2","categories-2","meta-2"],"sidebar-2":[],"sidebar-3":[]}}".

Parameter to whitelist is:

*, customized

How to use asterisk

The asterisk refers to the page name, so you can say "all pages" using asterisk "*", or specify a page: plugins.php, parameter_name.

For example, you want to whitelist the following parameters for all pages:

  • s
  • post_type
  • shop_view
  • add_to_wishlist

To achieve this, you use the following rule as each page (or asterisk) can only appear once:

*, s, post_type, shop_view, add_to_wishlist

This will whitelist those 4 parameters for all pages.

Here is additional example of the whitelisted parameter:

Another example is if you want to do this for 1 particular page, e.g.:

posts.php, s, post_type, shop_view, add_to_wishlist