Visitors are being blocked when they have not broken any rules. What can cause this?
What is the issue?
When Wordfence blocks a visitor, some cache plugins and external caches like Varnish can save a copy of the blocking message, and serve it to other visitors who should not be blocked.
Wordfence has various messages which appear when a visitor is blocked. These messages mention HTTP response code 503 or 403 Forbidden along with one of the following messages:
- Your access to this site was blocked by Wordfence, a security provider, who protects sites from malicious activity.
- A potentially unsafe operation has been detected in your request to this site.
- Your access to this site has been limited
- You are temporarily locked out
Recent versions of Wordfence include a "Generated by Wordfence" message at the bottom of the blocking page, which shows the date/time that the message was generated. If this date and time are in the past, it is very likely that the page has been cached incorrectly.
Why does this happen?
Your site's cache may not be configured to exclude pages with HTTP codes "403" and "503", and it may also be ignoring standard headers that are intended to control caching.
How can I prevent this?
1. Update Wordfence
If you are running an older version of Wordfence, update to the latest version. Version 6.3.5 added more methods of preventing caching for compatibility with caches that don't support the usual methods.
2. Clear your site's cache
After updating Wordfence, be sure to clear the site's cache. If you have disabled your caching plugin already, you may need to activate it, clear the cache, and then disable it again.
Some cache plugins also leave old .htaccess rules in place even when the caching plugin has been removed, so you may need to edit your .htaccess file manually.
3. Check that your cache properly handles these situations
Caching software shouldn't cache error pages, since they might not be the same for every visitor, especially when you need to block visitors based on their IPs, locations/countries, behavior, and URLs/queries. Wordfence uses the following methods which caches can use to decide when pages should not be cached.
- Wordfence blocking pages have an HTTP response code of 403 or 503.
- The following HTTP headers are set:
- Pragma: no-cache
- Cache-Control: no-cache, must-revalidate, private
- Expires: Sat, 26 Jul 1997 05:00:00 GMT (expiry dates in the past should always prevent caching)
- The following PHP constants supported by many caching plugins are set:
If your host uses Varnish caching outside of WordPress, or another similar cache, you may not be able to check all of these items. In some cases, you may need to contact the host if caching issues still occur after taking these steps.