Wordfence dashboard link generates a double URL in the path

Hi
In my Wordfence Dashboard I have an issue notification and when I click on this notifcation ideally it should take me to the issue page with the details .. instead it takes me to the login page which is fine but on providing the login details it doesn't do anything.. it just stays on the login page..
I thought it was Wordfence issue and I created a ticket for this on their site and they recreated the issue and found that the login path being created had a double slash in the URL and they suggested that there was an issue in the sites rewrites part.. here's their mail to me..
__________________________
On Tue, Mar 19, 2019 at 11:30 AM Wordfence Premium Support <tickets@wordfence.com> wrote:
Hi Alim,?
?I just looked at this and can recreate the problem. I see the possibility you've got some misconfiguration going on:?
1) A sign some rewrites might not be correct with the doubling of the // in the url like:
https://fourplusmedia.com//wp-admin/network/admin.php?page=WordfenceScan
?
If I use the link in proper form https://fourplusmedia.com/wp-admin/network/admin.php?page=WordfenceScan the logout issue does not happen.
____________________

Please advise

  • Alim Bolar
    • Site Builder, Child of Zeus

    Not sure if it's connected but I, as super admin, can log in to the main site with my login but when I use by subdomain.com/wp-admin the same login details do nothing.. I have a feeling the 2 issues are connected.. hence this addition to the query above

  • Ash
    • WordPress Hacker

    Hello Alim Bolar

    Please go to Dashboard > Settings > General > And check WordPress address and Site Address both are https://fourplusmedia.com (no trailing slash).

    Also, go to Network Admin > Sites > Edit each site > Options > And check the same.

    If there is no trailing slash, please share your htaacess. If the htaccess file is big, please use http://pastebin.com and share the URL and I will take a look.

    Have a nice day!

    Cheers,
    Ash

  • Alim Bolar
    • Site Builder, Child of Zeus

    Hi Ash

    I could not find the Wordpress Address and Site Address in Dasboard>Settings>General (I am assuming you meant the FourPlusMedia (Main Site) Dashboard)

    Bu for the subsites in Network Admin > Sites > Edit each site > Options > I could see that there was a trailing slash.. and it was editable

    In this same view for the main site I am attaching the screenshots, for the main site (fourplusmedia.com) the site URL was not editable... please advise..

  • Ash
    • WordPress Hacker

    Hello Alim Bolar

    Yes, you are right. For the main site, info tab will show trailing slash and in the settings section there is no trailing slash. And it's not editable for the main site.

    Would you please post your htaccess here? If htaccess is good, then we need to see the code of how WordFence generates the URL.

    Have a nice day!

    Cheers,
    Ash

  • Alim Bolar
    • Site Builder, Child of Zeus

    Hi Ash..

    Here's my htaccess

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

    RewriteRule ^(.*/)?sitemap.xml wp-content/sitemap.php [L]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
    RewriteRule ^(.*\.php)$ $1 [L]
    RewriteRule . index.php [L]

    # BEGIN WP-HUMMINGBIRD-CACHING

    # END WP-HUMMINGBIRD-CACHING

    # Wordfence WAF
    <IfModule mod_php7.c>
    php_value auto_prepend_file '/var/www/fourplusmedia.com/wordfence-waf.php'
    </IfModule>
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>

    # END Wordfence WAF

  • Ash
    • WordPress Hacker

    Hi there

    Would you please keep a backup of current htaccess and try default htaccess?

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
    
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
    RewriteRule ^(.*\.php)$ wp/$1 [L]
    RewriteRule . index.php [L]

    If it still doesn't work, then would you please ask the wordfence team for the snippet where the URL is generated in their code?

    Cheers, Ash

  • Alim Bolar
    • Site Builder, Child of Zeus

    hi ash,

    is the the default one?

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
    RewriteRule ^(.*\.php)$ wp/$1 [L]
    RewriteRule . index.php [L]

    just wanted to confirm before i go ahead and do it?

    and yes will ask wordfence for this too...

  • Alim Bolar
    • Site Builder, Child of Zeus

    Hi Ash

    I got a response from Wordfence and they concerned with one of the lines in the default .htaccess

    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

    anyways here's their response.. please do check..

    Hi Alim,
    ?
    I got a quick response back from our team "we generate all URLs to wp-admin pages with admin_url and network_admin_url". These are default WordPress core ?functions.
    ?
    it definitely appears that the changing the wp-admin URL specifically with this rewrite may be the cause:
    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

    You might also check for other WPMU filters on home_url or siteurl.

  • Ash
    • WordPress Hacker

    Hello Alim Bolar

    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

    This is from the default htaccess, so should not be any issue.

    Did you try a plugin conflict test? Like disabling all other plugins except WordFence just to check if anything is not interfering.

    Otherwise, if you can get the line of code where it is generated (not just the function name, but the full line), I can help you to customize a bit so that one slash is removed.

    Cheers,
    Ash

  • Alim Bolar
    • Site Builder, Child of Zeus

    Hi Ash

    I got the response below from Wordfence.. can you please advise?

    Hi Alim,
    ?
    The best tip I had given previously to debug this was to comment out this custom part of your .htaccess file:
    ?
    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
    ?
    After making that change you'll need to have Wordfence run a new Scan and wait till it completes to see if that results in the Wordfence Dashboard notification links no longer having the double-slash issue "//wp-admin" in the URL.
    ?
    If that doesn't work, then debugging further would involve you giving some feedback to WPMUdev about how those Dashboard notification links are static links only generated when the Wordfence Scan runs. Debugging further would involve disabling plugin by plugin, testing with a new Wordfence Scan with each disabling plugin.
    ?
    Keep in mind that everything with the Wordfence plugin Scans and Firewall is functioning properly. Your site is fully protected, even though that particular Wordfence Dashboard link does not work. Your site is also clean and the Site Cleaning we conducted as part of this ticket gives you a 90 day malware free guarantee.
    ?
    If you'd like to coordinate with our plugin support team for further followup about the dashboard link double-slash problem, just let me know and I'll pass off followup to them. They will best be able to respond and followup with you about this issue in particular. I hope that makes sense.
    ?
    Regards,
    ?
    Charles

  • Nithin
    • Support Wizard

    Hi Alim Bolar,

    Hope you are doing good today. :slight_smile:

    Basically I'd like to know from you whether I can or should disable the line below

    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

    The mentioned line is part of the default .htaccess file of WordPress. Reading the response from WordFence support in the previous reply, the support team meant more about comment out custom .htaccess rules added other than the following default ones:

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
    
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
    RewriteRule ^(.*\.php)$ wp/$1 [L]
    RewriteRule . index.php [L]

    The Wordfence plugin should work with the above .htaccess rules, and commenting out the mentioned line isn't required. However, if you notice the same issue even with default WordPress rules, then it's something you'll have to follow up with your WordFence support team so that they could help get you sorted asap.

    Please do let us know if you have any further query. Have a nice day ahead. :slight_smile:

    Regards,
    Nithin

  • Alim Bolar
    • Site Builder, Child of Zeus

    Hi Nithin

    I have some updates from the Wordfence guys.. they do want me to do the plugins conflict test but before that I would like to share with you their response and I'd appreciate if you could get back to me asap on the two variables they mentioned they were using.. if there's anything in the .htaccess that you think that could affect those 2 variables.. $myHomeURL and $myOptionsURL (Are these regular WordPress Variables?)

    These URLs are generated and pulled from the default WordPress site URLs which are configured to your site either via the wp-config.php file (if you have them set manually) or via WordPress's Settings > General > WordPress Address (URL) & Site Address (URL).

    The last one looks different in your email because in the code I see we are grabbing the base URL, (getSiteBaseURL), where-as the others above, which are showing incorrectly for you use $myHomeURL and $myOptionsURL.

    We have seen this a few other times and WPMUDev customizations, URL filtering and different rewrites, perhaps in the .htaccess file have been the cause in the past. Starting with the plugins disabled will be a good start.

  • Nithin
    • Support Wizard

    Hi Alim Bolar,

    Sorry for the delay in getting back to you. The variables $myHomeURL, and $myOptionsUR are part of WordFence, and not WordPress. I suppose they meant they are using the WordPress default Site URL, and Home URL for these variable.

    This could be either due to incorrect htaccess rules or with a plugin conflict. If switching to default .htaccess rules still cause the same issues, then a plugin conflict test would be the basic troubleshooting method. We did ask about that initially in the ticket response in here:
    https://premium.wpmudev.org/forums/topic/wordfence-dashboard-link-generates-and-double-url-in-the-path#post-1390129

    Plugin conflict test is the basic troubleshooting methods to check where a conflict resides, ie in this case, whether it's with WordFence or some other plugin, or theme etc

    Please check this flow chart on how to perform a conflict test:
    https://premium.wpmudev.org/wp-content/uploads/2015/09/Support-Process-Support-Process.gif

    Which should give you a better idea about what's causing this. Hope that helps. Have a nice day ahead. :slight_smile:

    Regards,
    Nithin

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.