Firewall Learning Mode

Learning Mode allows the Web Application Firewall to be adjusted to your site.

The Wordfence Web Application Firewall blocks requests (visits) to your site that match specific patterns. For example, if a visitor makes a request with a query string that includes a pattern such as “../../”, Wordfence detects it as a Directory Traversal attack and will block that request. Sometimes WordPress plugins and themes will exhibit behavior that resembles known attack patterns, which may then result in the firewall blocking something that is not actually malicious. This is called a false positive.

To prevent false positives from causing problems with the functionality of your site, the Wordfence Firewall has a feature called “Learning Mode.” When Learning Mode is active, Wordfence will whitelist requests that resemble attack patterns. Had the “Web Application Firewall Status” been “Enabled and Protecting,” the requests would instead have been blocked. When a request is whitelisted it is considered safe and will not be blocked, unless it is removed from the whitelist.

It’s important to understand that your site is not protected from certain complex attacks while it is in Learning Mode.

When Learning Mode is active, some requests that look suspicious are whitelisted. Other parts of the firewall remain fully active, including Brute Force Protection, Login Security, Blocking features, and the Real-Time IP Blacklist (premium). If you are installing Wordfence because your site was recently hacked or because your site is currently under attack, you should not use Learning Mode.
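The behavior described above, as an added example that is not Wordfence's code: a simplified model with a single “../../” rule, showing that a suspicious request seen during Learning Mode is whitelisted and still passes once the firewall is protecting, until the entry is removed. The class name, the requests, and the choice to key the whitelist by location and parameter are assumptions made for illustration.

```python
import re

# One constructed rule, taken from the page's "../../" example.
TRAVERSAL = re.compile(r"\.\./\.\./")

class ToyFirewall:
    """Simplified model of the two modes; not Wordfence's implementation."""

    def __init__(self, learning=True):
        self.learning = learning
        # Assumption: entries are keyed by (location, parameter).
        self.whitelist = {}  # (path, param) -> IP that triggered whitelisting

    def handle(self, ip, path, params):
        """Return 'allowed', 'whitelisted' or 'blocked' for one request."""
        verdict = "allowed"
        for name, value in params.items():
            if not TRAVERSAL.search(value) or (path, name) in self.whitelist:
                continue  # clean, or whitelisted earlier and considered safe
            if not self.learning:
                return "blocked"  # "Enabled and Protecting"
            self.whitelist[(path, name)] = ip  # Learning Mode: remember it
            verdict = "whitelisted"
        return verdict

def demo():
    """Replay constructed requests through Learning Mode, then protection."""
    plugin = ("203.0.113.10", "/wp-admin/admin.php", {"tpl": "../../parts/box.php"})
    stranger = ("198.51.100.7", "/index.php", {"file": "../../private/notes.txt"})
    fw = ToyFirewall(learning=True)
    out = [fw.handle(*plugin), fw.handle(*stranger)]
    fw.learning = False
    # Both now pass: the stranger's request was learned along with the plugin's.
    out += [fw.handle(*plugin), fw.handle(*stranger)]
    # Removing the entry from the whitelist restores blocking for it.
    del fw.whitelist[("/index.php", "file")]
    out.append(fw.handle(*stranger))
    return out

if __name__ == "__main__":
    print(demo())
```
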

How to Use Learning Mode

When Wordfence is first installed, Learning Mode will be active for seven days, but you can choose a different time period on the Firewall Options page, if desired.

When Learning Mode is active, you should visit your site and perform everyday tasks as you usually would. Try to use all of the features of your site. The more features you use during this period, the less likely you are to run into unwanted blocks of valid actions in the future.

For example, you may want to try each of these:

  • Write and publish posts and pages
  • Change theme styles
  • Change plugin settings
  • Add or remove widgets
  • Write or moderate comments
  • Use all of your other plugins’ features

If you have used all of the features of the site while in Learning Mode, you can go to the Firewall Options page on the Wordfence menu and change the Firewall Status to “Enabled and Protecting,” if you choose. If you are not certain that you have used all of the features, you can let Learning Mode run for the full seven days.

Understanding the Whitelist

The Whitelist shows the location of each whitelisted item, and which related parameters are whitelisted. This means those parameters could have been blocked if they had not been found during Learning Mode.

You may recognize most whitelisted plugin or theme files and parameters by the URL or parameters listed. The IP address of the visitor who triggered whitelisting is also listed, so you can see whether it was your own action or another visitor.

If you find a large number of whitelisted items, more than 20, for example, it could mean that one of your plugins displays a form on multiple pages on the site, like a custom comments plugin, which could be blocked when it should be allowed. Otherwise, it may mean that there was an attempted attack on your site during Learning Mode, and you may need to remove some of the whitelisted items.
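One way to carry out this review, as an added example that is not part of Wordfence: a short script that takes whitelist rows as (location, parameter, IP) tuples and reports the total, whether it exceeds the “more than 20” figure above, which parameters recur across locations (the multi-page form case), and which entries were triggered by someone other than you. The row format, the function names and the sample addresses are assumptions; the rows are constructed, not a Wordfence export.

```python
from collections import defaultdict

def review_whitelist(entries, own_ips, large=20):
    """Summarise whitelist rows given as (location, parameter, ip) tuples.

    `large` is the page's "more than 20" figure. The row format is an
    assumption: rows copied by hand from the Whitelist table.
    """
    locations_by_param = defaultdict(set)
    other_visitors = []
    for location, param, ip in entries:
        locations_by_param[param].add(location)
        if ip not in own_ips:
            # Triggered by another visitor: check these entries by hand.
            other_visitors.append((location, param, ip))
    # A parameter seen on several locations fits the "form on multiple
    # pages" explanation; a one-off from another visitor does not.
    repeated = {p: len(locs) for p, locs in locations_by_param.items()
                if len(locs) > 1}
    return {
        "total": len(entries),
        "large": len(entries) > large,
        "repeated_params": repeated,
        "other_visitors": other_visitors,
    }

def sample_entries():
    """Constructed rows: one comment form on 21 posts, plus one outlier."""
    rows = [(f"/post-{n}/", "comment_body", "203.0.113.10")
            for n in range(1, 22)]
    rows.append(("/index.php", "file", "198.51.100.7"))
    return rows

if __name__ == "__main__":
    # Assumption: 203.0.113.10 is the address you browsed from.
    report = review_whitelist(sample_entries(), own_ips={"203.0.113.10"})
    for key, value in report.items():
        print(key, "=", value)
```
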

What to Do If a Page Is Blocked After Learning Mode Is Complete

If you are logged in as an admin, and a request was blocked because of a potentially dangerous action, you will see a button below the blocking message that you can use to add that action to the whitelist. Only use this button if you are certain that you are doing something safe. If someone has sent you a link to your own site that triggers this message, or they ask you to copy and paste something and you see this message as a result, it is very likely to be unsafe! If you’re not sure it’s safe, do not whitelist it.

If you were not logged in when the problem occurred, or if a regular visitor reports the problem, you can find the blocked visit on the Live Traffic view within the Wordfence plugin. In the box that says “Filter Traffic,” choose “Blocked by Firewall” to see the blocked request. If you know that the action was something safe (especially if it was your own visit), you can click the “Whitelist Param from Firewall” button. If you are not sure if the visitor was doing something safe, you should ask for more details about what they were doing at the time the message appeared, and see if you can get the same message yourself.

When installing or updating a new plugin or theme, if multiple actions are blocked or some features do not work, you can turn on Learning Mode again, at the top of the Firewall Options page. When you turn on Learning Mode manually, it does not expire unless you choose a date when the firewall should be automatically enabled. After trying the page or action that was being blocked, any necessary parameters should be whitelisted automatically. You can then review the whitelist and set the “Web Application Firewall Status” back to “Enabled and Protecting.” It’s important to remember to re-enable the firewall, or it will continue to whitelist potentially unsafe requests in Learning Mode.