WPCloudDeploy Documentation

7G Firewall

The “7-G” firewall is actually just a set of web-server rules (published by Perishable Press) to filter out some well-known bad traffic before the requests hits the WordPress site.  The idea with this type of “firewall” is that traffic requesting PHP/WordPress resources is expensive.  It’s much cheaper and faster to weed them out at the webserver level before it gets that far.

The “7-G” firewall is an upgrade to the 6-G Firewall.

One of the draw-backs of this type of firewall is that certain activities that are legitimate will get blocked.  So we’ve provided a way to enable or disable portions of the rules.

To enable the entire rule set:

  • Go to WPCloudDeployAll Apps (or WPCloudDeployWordPress Sites)
  • Click on the site for which this action will apply
  • Click on the 7G WAF tab
  • Toggle the Enable or Disable ALL 7G Rules switch
  • Click the OK option on the confirmation popup

After a while the screen will refresh – if the operation is successful.  If the operation fails, you’ll get a popup message.

You can see a full log of the operation under the SSH LOG screen.

After the full rule set is enabled, you can disable portions of the rules using the rest of the toggle buttons on the screen.

The video below shows the 6G Firewall process – just replace the TAB shown with the 7G WAF Tab.

Notes & Issues

Easy Digital Downloads

Some “add-to-cart” URLS in Easy Digital Downloads will fail with the 6G Firewall enabled.  In particular, direct urls with square brackets embedded in them.  These URLs are usual constructed when you have products with multiple price options and you want to give the user a direct link to one of the price options.  They look something like this:

https://simple-press.com/checkout?edd_action=add_to_cart&download_id=81486&edd_options[price_id]=1

You can see the square brackets at the end of the URL.

There are two ways to work around this:

  1. Turn off the REQUEST STRING rules portion of the 6G firewall.  You can do this under the 6G WAF tab.
  2. If you would like to keep most of the REQUEST STRING rules you can edit the /etc/nginx/common/6g.conf file to make the following changes:

Search for this in the Request Strings section of the file.

"~*(~|`|<|>|:|;|\\|\s|\{|\}|\[|\]|\|)" 7;

Replace it with this:

"~*(~|`|<|>|:|;|\\|\s|\{|\}|\|)" 7;

Then, restart the nginx engine:

service nginx restart

Colons In The Request Strings

Sometimes, request strings might have colons in them.  This will be blocked by default since it is an uncommon scenario.  Here’s an example legitimate request string that will be blocked:

https://simple-press.com/?edd_action=get_version&license=4xasebadfasreasdfljerr&version=2.1.0&item_id=3916&author=Simple:Press

Notice at the end of the string the author is “simple:press” with a colon?  This means that the entire request will be blocked, even though, in this case, it is a legitimate request.

There are two ways to work around this:

  1. Turn off the REQUEST STRING rules portion of the 6G firewall.  You can do this under the 6G WAF tab.
  2. If you would like to keep most of the REQUEST STRING rules you can edit the /etc/nginx/common/6g.conf file to make the following changes:

Search for this in the Request Strings section of the file.

"~*(~|`|<|>|:|;|\\|\s|\{|\}|\[|\]|\|)" 7;

Replace it with this:

"~*(~|`|<|>|;|\\|\s|\{|\}|\[|\]|\|)" 7;

Then, restart the nginx engine:

service nginx restart

You will notice that the new specification string removes the “:” from the invalid characters list.

PHPMYAdmin

PHPMyAdmin will be blocked by the 7G Firewall.  If it is turned on for a site you should turn off both the “QUERY STRING” and “REQUEST STRING” rules section before launching it.  After you are finished you can turn those sections of the rules back on.

 

 

Share: