Web Application Firewall - How to use Learning Mode
What is Learning Mode?
Learning Mode allows the Web Application Firewall to be adjusted to your site. Some plugins or themes could be blocked if they send data that appears similar to certain attacks. When Learning Mode is active, Wordfence will “whitelist” actions that would normally be blocked, so that they will not be blocked in the future.
How to use Learning Mode
When Wordfence is installed, Learning Mode will be active for 7 days, though you can choose a different time period on the Firewall page, if desired.
When Learning Mode is active, you should:
- Visit your site and perform everydays tasks as you usually would
- Try to use all of the features of your site:
- Write and publish posts
- Change theme styles
- Change plugin settings
- Add or remove widgets
- Write or moderate comments
- Use each plugin’s features to be sure valid actions are not blocked
If you have used all of the features of the site while in Learning Mode, you can go to the Firewall page on the Wordfence menu and change the Firewall Status to “Enabled and Protecting,” if you choose. If you are not certain that you have used all of the features, you can let Learning Mode run for the full 7 days.
Understanding the whitelist
The “Whitelisted URLs” list at the bottom of the Firewall page shows the location of each whitelisted item, and which parameters are whitelisted. This means those parameters could have been blocked, if they were not found during Learning Mode.
You may be able to recognize most whitelisted plugin or theme files and parameters by the URL or parameters listed. The IP address of the visitor who triggered whitelisting is also listed, so you can see whether it was your own action or another visitor.
If you find a large number of whitelisted items, more than 20 for example, it could mean that one of your plugins displays a form on multiple pages on the site, like a custom comments plugin, which could be blocked when it should be allowed. Otherwise, it may mean that there was an attempted attack on your site during Learning Mode, and you may need to remove some of the whitelisted items. If you are not sure what to do, we can help. Please contact us on the support forum if you are a free customer or open a ticket if you are a premium user.
What to do if a page is blocked after Learning Mode is complete
If you are logged in as an admin and an action was blocked because of a potentially dangerous action, there is a button you can use to add that action to the whitelist, below the blocking message. Only use this button if you are certain that you are doing something safe. If someone has sent you a link to your own site that triggers this message, or something they ask you to copy and paste, and you see this message, it is very likely to be unsafe! In that case, do not whitelist it.
If you are not logged in, or if a regular visitor reports the problem, you can find the blocked visit on the Live Traffic view within the Wordfence plugin. In the box that says “Filter Traffic,” choose “Blocked by Firewall”, to see the blocked request. If you know that the action was something safe (especially if it was your own visit), you can click the “Whitelist Param from Firewall” button. If you are not sure if the visitor was doing something safe, you should ask for more details about what they were doing at the time the message appeared, and see if you can get the same message yourself.
When installing or updating a new plugin or theme, if multiple actions are blocked or some features do not work, you can turn on Learning Mode again, at the top of the Firewall page. When you turn on Learning Mode manually, it does not expire, unless you choose to use a date when it should be automatically enabled. After trying out all of the pages that were being blocked, any necessary parameters should be whitelisted automatically. You can then review the whitelist and set the firewall status back to “Enabled and Protecting.” It’s important to remember to reenable the firewall or all actions will continue to be whitelisted in Learning Mode.