I had had an annoying problem where I’d log into one of my WordPress sites, then attempt to change the sidebar and remove (say) a block of code that pulls in an iframe from another site (e.g. Twitter or Amazon or whatever), and I got blocked by my Wordfence security plugin with an XSS (cross-site scripting) error. The actual site works fine; it is just that the admin cannot change anything. I first fixed this back in 2020, then forgot about it. I then changed my admin URL (i.e. broadband provider) and it reappeared. Now, as a penance, I’m writing it up.
When I tried to change anything using Appearance → Customise in the WordPress dashboard, the item I wanted to change got blocked with this “Potentially Unsafe operation” message on the left:
Later I receive my Wordfence email outlining Wordfence activity and I get this sort of thing in the “Recently Blocked Attacks” section.
The IP address (blanked out in the “Blocked Attacks” image) is my own. Wonderful though the Wordfence plugin is (and it really IS wonderful!), it is blocking me from changing anything! Which is rather sub-optimal, although I can still post.
The fix is simple – when you know where it is in the Wordfence plugin.
Select the Wordfence top level menu item in the WordPress Dashboard. Then select the “Live Traffic” Tab. You will see a list of blocked activities. Identify the one that has your IP address on it and then click on the “eye” on the far right of the summary line.
After you have clicked the “eye”, you then get this.
Select “ADD PARAM TO FIREWALL ALLOW LIST”. Then you are done! Your false Wordfence XSS cross-site scripting error should go away.
You can now check that this has been implemented (and also exactly who is allowed to bypass the firewall) by clicking on the “All Options” sub-menu item in the Wordfence menu in the WordPress dashboard.
In the “Rules” section, make sure “whitelist” is on (it should be). Then go down to “AllowListedURLs” and expand it. Here you should see your newly whitelisted URL. You can turn it (and any other ones) on and off from this menu too. I did not need to log out and back in for the enable/disable change to work, but you may need to.
Anyway hope that helps.