Why You Should Whitelist URLS on WordFence’s Firewall (And How to Do It)

If you’re using Page Builder Sandwich along with Wordfence Security, there’s a chance you might have encountered something called a 403 error.

Now, according to WordPress resource site WPBeginner, 403 errors occur when server permissions don’t allow access to a specific page.

But what does a 403 error mean, and why is it occurring in Page Builder Sandwich in the first place?

The 403 Error Explained

The most common cause of the 403 error is when security plugins aren’t configured in a particular way or standard.

Like WordFence, most security plugins from WordPress restrict some actions if they’re suspected or proven to be malicious. These scenarios usually occur on your WP Admin or WP Login page, or show up as pop-ups alerting you that you don’t have authorization to view your page.

Here’s what the pop-up will look like if you ever encounter it on Sandwich:

So what does this mean? Is Sandwich safe to use? Is WordFence bad? And does the 403 error warrant bad points for both Wordfence and Page Builder Sandwich?

Well, no.

All of this just means that Wordfence is extra careful when scanning your external plugins.

And that’s actually a really good thing, especially since they’re a security plugin.

WordFence is Legit…

WordFence is one of the most popular security plugins for WordPress. It has over a million active installs, so chances are, it’s probably installed on your WP website, too. They exist for a great cause: Not just tokeep your website safe, but to also reduce security risks, and improve your website’s security overall.

tl;dr WordFence is legit.

…And So is Sandwich. But Why Does It Need Whitelisting?

It’s not just Sandwich that WordFence blocks.

Other plugins and URLS require whitelisting (the inverse of blacklisting) on WordFence, too. Some more popular plugins might have been allowed already by Wordfence.

So what’s happening behind the scenes, and where is the 403 error coming from?

Ajax Functions and Page Builder Sandwich

Page Builder Sandwich performs ajax functions throughout your editing experience. Certain plugins do, too.

W3Schools expounds on ajax a little further:

AJAX is a technique for creating fast and dynamic web pages. It allows web pages to be updated asynchronously by exchanging small amounts of data with the server behind the scenes. This means that it is possible to update parts of a web page, without reloading the whole page.

Chart taken from W3Schools

In Page Builder Sandwich, the ajax calls range from getting shortcode mappings, rendering shortcodes to saving your changes. This might cause you to experience problems , such as the 403 error, problems with saving your output, or unrendered shortcodes. This is the time that you might need to whitelist ajax calls specific to Page Builder Sandwich.

Whitelisting Page Builder Sandwich on WordFence

To white list PBS in Wordfence’s Firewall, add an entry in the Whitelisted URLs area with these parameters:

URL: /wp-admin/admin-ajax.php

Param Name: main-content

Param: POST Body

For multisite WordPress installations, it’s a good idea to include your site’s folder name in the URL above. For example: /my-multisite/wp-admin/admin-ajax.php

After adding these values, the 403 Error should be properly addressed, and you should be able to save your output and generate rendered shortcodes again.

This is what it should look like under your WordFence Firewall settings:

Ta-da!

Conclusion

Yes, Page Builder Sandwich is safe to use.

More than that, it only performs ajax actions when in editing mode, and it’s compatible with external plugins and themes (as long as they’re at par with WordPress’ coding standards).

WordFence Security is no different.

But what’s great about them is they give WordPress users the opportunity to keep their sites safe and secure, with the additional option to let you decide which plugins are, and aren’t.


One thought on “Why You Should Whitelist URLS on WordFence’s Firewall (And How to Do It)

  1. I did this exactly as directed, but some pages give the 403 error when calling, and some do not. It appears to me as if it could be happneing based upon the size of data that is being passed by Ajax.

Leave a Reply

Your email address will not be published. Required fields are marked *