: str_replace(): Passing null to parameter #2 ($replace) of type array|string is deprecated in
if (!defined('WORDFENCE_VERSION')) { exit; }
* Presents the Advanced Firewall Options group.
* Expects $firewall, $waf, and $stateKey.
* @var wfFirewall $firewall
* @var string $stateKey The key under which the collapse state is stored.
* @var bool $collapseable If defined, specifies whether or not this grouping can be collapsed. Defaults to true.
$config = $waf->getStorageEngine();
if (!isset($collapseable)) {
<div class="wf-col-xs-12">
<div class="wf-block<?php if (!$collapseable) { echo ' wf-always-active'; } else { echo (wfPersistenceController::shared()->isActive($stateKey) ? ' wf-active' : ''); } ?>" data-persistence-key="<?php echo esc_attr($stateKey); ?>">
<div class="wf-block-header">
<div class="wf-block-header-content">
<div class="wf-block-title">
<strong><?php esc_html_e('Advanced Firewall Options', 'wordfence'); ?></strong>
<?php if ($collapseable): ?><div class="wf-block-header-action"><div class="wf-block-header-action-disclosure" role="checkbox" aria-checked="<?php echo (wfPersistenceController::shared()->isActive($stateKey) ? 'true' : 'false'); ?>" tabindex="0"></div></div><?php endif; ?>
<div class="wf-block-content">
<ul class="wf-block-list">
echo wfView::create('options/option-toggled', array(
'optionName' => 'disableWAFIPBlocking',
'value' => wfConfig::get('disableWAFIPBlocking') ? 1 : 0,
'title' => __('Delay IP and Country blocking until after WordPress and plugins have loaded (only process firewall rules early)', 'wordfence'),
'subtitle' => ($firewall->isSubDirectoryInstallation() ? __('You are currently running the WAF from another WordPress installation. This option can be changed once you configure the firewall to run correctly on this site.', 'wordfence') : ''),
'helpLink' => wfSupportController::supportURL(wfSupportController::ITEM_FIREWALL_WAF_OPTION_DELAY_BLOCKING),
'disabled' => $firewall->isSubDirectoryInstallation(),
echo wfView::create('options/option-textarea', array(
'textOptionName' => 'whitelisted',
'textValue' => wfUtils::cleanupOneEntryPerLine(wfConfig::get('whitelisted')),
'title' => __('Allowlisted IP addresses that bypass all rules', 'wordfence'),
'subtitleHTML' => wp_kses(__('Allowlisted IPs must be separated by commas or placed on separate lines. You can specify ranges using the following formats: 127.0.0.1/24, 127.0.0.[1-100], or 127.0.0.1-127.0.1.100<br/>Wordfence automatically allowlists <a href="http://en.wikipedia.org/wiki/Private_network" target="_blank" rel="noopener noreferrer">private networks<span class="screen-reader-text"> (opens in new tab)</span></a> because these are not routable on the public Internet.', 'wordfence'), array('br'=>array(), 'a'=>array('href'=>array(), 'target'=>array(), 'rel'=>array()), 'span'=>array('class'=>array()))),
'subtitlePosition' => 'value',
'helpLink' => wfSupportController::supportURL(wfSupportController::ITEM_FIREWALL_WAF_OPTION_WHITELISTED_IPS),
$whitelistedServices = wfConfig::getJSON('whitelistedServices', array());
$whitelistPresets = wfUtils::whitelistPresets();
foreach ($whitelistPresets as $tag => $preset) {
if (!isset($preset['n'])) { continue; } //Not named, omitted from configurable list
if ((isset($preset['h']) && $preset['h']) || (isset($preset['f']) && $preset['f'])) { continue; } //Flagged as hidden or always enabled, omitted from configurable list
$names[$tag] = $preset['n'];
if (!isset($whitelistedServices[$tag]) && isset($preset['d']) && $preset['d']) {
$whitelistedServices[$tag] = 1;
foreach ($names as $tag => $name) {
'name' => 'whitelistedServices.' . preg_replace('/[^a-z0-9]/i', '', $tag),
'value' => (isset($whitelistedServices[$tag]) && $whitelistedServices[$tag]) ? 1 : 0,
echo wfView::create('options/option-toggled-multiple', array(
'title' => __('Allowlisted services', 'wordfence'),
'id' => 'wf-option-whitelistedServices',
'helpLink' => wfSupportController::supportURL(wfSupportController::ITEM_FIREWALL_WAF_OPTION_WHITELISTED_SERVICES),
echo wfView::create('options/option-textarea', array(
'textOptionName' => 'bannedURLs',
'textValue' => wfUtils::cleanupOneEntryPerLine(wfConfig::get('bannedURLs')),
'title' => __('Immediately block IPs that access these URLs', 'wordfence'),
'subtitle' => __('Separate multiple URLs with commas or place them on separate lines. Asterisks are wildcards, but use with care. If you see an attacker repeatedly probing your site for a known vulnerability you can use this to immediately block them. All URLs must start with a "/" without quotes and must be relative. e.g. /badURLone/, /bannedPage.html, /dont-access/this/URL/, /starts/with-*', 'wordfence'),
'subtitlePosition' => 'value',
'helpLink' => wfSupportController::supportURL(wfSupportController::ITEM_FIREWALL_WAF_OPTION_IMMEDIATELY_BLOCK_URLS),
echo wfView::create('options/option-textarea', array(
'textOptionName' => 'wafAlertWhitelist',
'textValue' => wfUtils::cleanupOneEntryPerLine(wfConfig::get('wafAlertWhitelist')),
'title' => __('Ignored IP addresses for Wordfence Web Application Firewall alerting', 'wordfence'),
'subtitle' => __('Ignored IPs must be separated by commas or placed on separate lines. These addresses will be ignored from any alerts about increased attacks and can be used to ignore things like standalone website security scanners.', 'wordfence'),
'subtitlePosition' => 'value',
'helpLink' => wfSupportController::supportURL(wfSupportController::ITEM_FIREWALL_WAF_IGNORED_ALERT_IPS),
echo wfView::create('waf/option-rules', array(
</div> <!-- end advanced firewall options -->
<script type="text/x-jquery-template" id="waf-rules-tmpl">
<table class="wf-striped-table">
<th style="width: 5%"></th>
<th><?php esc_html_e('Category', 'wordfence'); ?></th>
<th><?php esc_html_e('Description', 'wordfence'); ?></th>
{{each(idx, rule) rules}}
<tr data-rule-id="${rule.ruleID}" data-original-value="{{if (!disabledRules[rule.ruleID])}}1{{else}}0{{/if}}">
<td style="text-align: center">
<div class="wf-rule-toggle wf-boolean-switch{{if (!disabledRules[rule.ruleID])}} wf-active{{/if}}<?php echo ($firewall->isSubDirectoryInstallation() ? ' wf-disabled' : ''); ?>"><a href="#" class="wf-boolean-switch-handle"></a></div>
<td>${rule.category}</td>
<td>${rule.description}</td>
{{if (rules.length == 0)}}
<td colspan="4"><?php esc_html_e('No rules currently set.', 'wordfence'); ?> <?php if (!($firewall->protectionMode() == wfFirewall::PROTECTION_MODE_EXTENDED && $firewall->isSubDirectoryInstallation())) { echo wp_kses(__('<a href="#" onclick="WFAD.wafUpdateRules();return false;" role="button">Click here</a> to pull down the latest from the Wordfence servers.', 'wordfence'), array('a'=>array('href'=>array(), 'onclick'=>array(), 'role'=>array()))); } ?>
<tr id="waf-show-all-rules">
<td class="wf-center" colspan="4"><a href="#" id="waf-show-all-rules-button" role="button"><?php esc_html_e('SHOW ALL RULES', 'wordfence'); ?></a></td>
<script type="application/javascript">
$(window).on('wordfenceWAFConfigPageRender', function() {
delete WFAD.pendingChanges['wafRules'];
//Add event handler to rule checkboxes
$('.wf-rule-toggle.wf-boolean-switch').each(function() {
$(this).on('keydown', function(e) {
$(this).find('.wf-boolean-switch-handle').trigger('click');
$(this).on('click', function(e) {
$(this).find('.wf-boolean-switch-handle').trigger('click');
$(this).find('.wf-boolean-switch-handle').on('keydown', function(e) {
$(this).trigger('click');
$(this).find('.wf-boolean-switch-handle').on('click', function(e) {
var control = $(this).closest('.wf-boolean-switch');
var row = $(this).closest('tr');
var ruleID = row.data('ruleId');
var value = control.hasClass('wf-active') ? 1 : 0;
control.removeClass('wf-active').attr('aria-checked', 'false');
control.addClass('wf-active').attr('aria-checked', 'false');
var originalValue = row.data('originalValue');
if (originalValue == value) {
delete WFAD.pendingChanges['wafRules'][ruleID];
if (Object.keys(WFAD.pendingChanges['wafRules']).length == 0) {
delete WFAD.pendingChanges['wafRules']
if (!(WFAD.pendingChanges['wafRules'] instanceof Object)) {
WFAD.pendingChanges['wafRules'] = {};
WFAD.pendingChanges['wafRules'][ruleID] = value;
$(control).trigger('change', [false]);
WFAD.updatePendingChanges();
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
