wfasa on "[Plugin: Wordfence Security] Firewall Whitelisted an Exploit"

I thought it was supposed to block exploits??

Here is the URL it whitelisted while in training mode: /wp-content/themes/mTheme-Unus/css/css.p­hp PARAM: request.queryString[files] IP:64.27.17.140

Can you please help me remove it?

https://wordpress.org/plugins/wordfence/

Hello micvideo,
are you using the latest version of Wordfence? We recently added a feature that will block non existing pages from getting whitelisted. We also recently added a bug fix for deleting whitelisted entries that contain strange characters like the one in your example.

I updated the plugin, wiped out the whitelist and put it back in training mode. After it was over the firewall whitelisted another hackers ip and all the new links they tried. So for now, I dont have confidence in this feature and I disabled it completely.

Hello again,
how did you know it was a hacker? If you email examples of the rules that should not have been whitelisted to [email protected] I can have a look.

I emailed you this moing. I can tell its a hacker because the links that were whitelisted were related to plugins I did not have. From the patte it looked like the attacker was checking for exploits from a list of plugins. I also looked up the IPs and they were all flagged from various IP reporting sites.

Hello micvideo,
Thanks. I looked at your examples. It's not supposed to be possible for the firewall to whitelist URLs that retu a 404. If you try to browse to one of those URLs that do not exist, do you get a 404 response?

Yes, they go to 'page not found' pages.

I checked in Wordfence Live Traffic and its marking the links I just tested as 'non-existent page' .

micvideo, I will take note of your issue and see if I can find an explanation but for now, could you try this?

1. Remove all whitelisted items from the firewall.
2. Set the Firewall to "Enabled and protecting".
3. Now try to use your site normally.

If you are logged in as admin while browsing your site you will get notified if the Firewall is blocking anything. You will then get an option to "whitelist" that particular action.

Going about it this way and not using "Leaing mode" at all should give you 100% control over what the Firewall is whitelisting.