test after hack
The Wordfence Web Application Firewall blocks requests (visits) to your site that match specific patterns. For example, if a visitor makes a request with a query string that includes a pattern such as “../../” Wordfence detects it as a Directory Traversal attack and will block that request. Sometimes WordPress plugins and themes will exhibit behavior that resembles known attack patterns, which may then result in the firewall blocking something that is not actually malicious. This is called a false positive.
To prevent false positives from causing problems with the functionality of your site, the Wordfence Firewall has a feature called “Learning Mode.” When Learning Mode is active, Wordfence will whitelist requests that resemble attack patterns. Had the “Web Application Firewall Status” been “Enabled and Protecting,” the requests would instead have been blocked. When a request is whitelisted it is considered safe and will not be blocked, unless it is removed from the whitelist.
It’s important to understand that your site is not protected from certain complex attacks while it is in Learning Mode.
When Learning Mode is active, some requests that look suspicious are whitelisted. Other parts of the firewall remain fully active, including Brute Force Protection, Login Security, Blocking features, and the Real-Time IP Blacklist (premium). If you are installing Wordfence because your site was recently hacked or because your site is currently under attack, you should not use Learning Mode.
To view the current firewall status, or to change the firewall status to Learning Mode, you can do this from two areas of the plugin. You can open the ‘Firewall’ page. On the ‘Firewall’ page click on ‘All Firewall Options’. You can then view or change the firewall status in the ‘Web Application Firewall Status’ section. Alternatively, you can expand the ‘Basic Firewall Options’ section on the ‘All Options’ page and view or change the firewall status in the ‘Web Application Firewall Status’ section.
How to Use Learning Mode
When Wordfence is first installed, Learning Mode will be active for seven days, but you can choose a different time period on the Firewall Options page, if desired.
When Learning Mode is active, you should visit your site and perform everyday tasks as you usually would. Try to use all of the features of your site. The more features you use during this period, the less likely you are to run in to unwanted blocks of valid actions in the future.
For example, you may want to try each of these:
- Write and publish posts and pages
- Change theme styles
- Change plugin settings
- Add or remove widgets
- Write or moderate comments
- Use all of your other plugins’ features