25 Apr 2023

Wordfence Security Improperly Blocks WordPress Users From Uploading Files

When evaluating WordPress firewall plugins, it is important to consider not only the protection they provide, but also whether they cause unnecessary problems. On both counts, the most popular security-only WordPress plugin, Wordfence Security, does worse than other options. As an example of the latter, someone recently reported that functionality of their website does not work with Wordfence Security enabled:

We upload our newsletter HTML to the media library for distribution.

Uploading the HTML works fine for administrators, but for editors, we receive the error message “Unexpected response from the server. The file may have been uploaded successfully. Check in the Media Library or reload the page.” and the ajax call returns a 403 forbidden.

Disabling Wordfence allows the editor to upload HTML.

Is there a way to configure Wordfence to allow these uploads for editors?

As we try to make sure that our own firewall plugin doesn’t cause problems like that, we looked into this. We found that Wordfence Security does block Editors from uploading HTML files. The logging stated the action was “blocked by firewall for Malicious File Upload in file”. That shouldn’t happen. WordPress explicitly allows users with the Editor role to upload HTML files, and it correctly prevents lower-level users from doing so. Wordfence Security should handle things the same way.

By comparison, our own firewall plugin doesn’t improperly block the request. What looks to be going wrong here is that Wordfence Security has a fairly limited ability to take into account what capabilities a user has, so it doesn’t properly decide whether to block a request based on whether the user has the unfiltered_html capability.
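To confirm that a 403 like this comes from the firewall and not from WordPress itself, you can ask core what it would decide for the affected user. The following is an added example, not code from this post or from either plugin; the helper name, script file name and sample file name are hypothetical, and it assumes it is run inside a loaded WordPress install (for instance with WP-CLI's `wp eval-file`).

```php
<?php
// Added example, not from the original post. Run inside WordPress, e.g.:
//   wp eval-file check-html-upload.php   (hypothetical file name)

/**
 * Report whether WordPress core would accept $filename as an upload from $user.
 * Hypothetical helper; the WordPress functions it calls are core APIs.
 */
function example_core_upload_decision( WP_User $user, string $filename ): array {
	// Core removes 'htm|html' (and 'js') from this list when the user lacks
	// unfiltered_html, so the allowed types are already per-user. Plugins can
	// change the list further through the 'upload_mimes' filter.
	$mimes = get_allowed_mime_types( $user );
	$type  = wp_check_filetype( $filename, $mimes );

	$can_upload = user_can( $user, 'upload_files' );

	return array(
		'user'            => $user->user_login,
		'roles'           => implode( ',', $user->roles ),
		// False for Editors on multisite (non-super-admins) or when the
		// DISALLOW_UNFILTERED_HTML constant is set to true.
		'unfiltered_html' => user_can( $user, 'unfiltered_html' ),
		'upload_files'    => $can_upload,
		// Extension check only; the real upload path also inspects content.
		'core_allows'     => $can_upload && ! empty( $type['type'] ),
	);
}

// Check one existing user per role of interest against a sample file name.
foreach ( array( 'administrator', 'editor', 'author' ) as $role ) {
	$users = get_users( array( 'role' => $role, 'number' => 1 ) );
	if ( empty( $users ) ) {
		continue; // No user with this role on the site.
	}
	$d = example_core_upload_decision( $users[0], 'newsletter.html' );
	printf(
		"%-14s user=%s unfiltered_html=%s core_allows=%s\n",
		$role,
		$d['user'],
		$d['unfiltered_html'] ? 'yes' : 'no',
		$d['core_allows'] ? 'yes' : 'no'
	);
}
```

If `core_allows` is `yes` for the affected Editor and the upload still returns a 403, the block is being applied by something in front of core's own checks, which matches the firewall log entry quoted above.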

The best solution to a situation like this with Wordfence Security is to replace it with a better-developed firewall plugin. That not only avoids improper blocks, but also means that more real threats can be blocked, as better-developed firewall plugins provide more protection than Wordfence Security.


Plugin Security Scorecard Grade for Wordfence Security

Checked on June 12, 2025
F
