Plugin Support
Jeremy
(@jeremrm)
Hello @topcat,
Thank you for your query and we are so sorry about the trouble this must have caused.
The alert from Wordfence is a false positive, so nothing is actually unsafe. To resolve it, you’ll simply need to whitelist the Rank Math REST API path inside Wordfence.
Please try updating a post using the affected user role, then open Wordfence → Tools → Live Traffic. You should see a log entry for the updateMeta route. Add that entry to your allowlist, and Wordfence will stop blocking it for all user roles.
Here’s our step-by-step guide for reference: https://rankmath.com/kb/whitelist-rank-math-in-wordfence/#whitelist-rank-math-in-wordfence
Hope that helps.
Thread Starter
topcat
(@topcat)
Thanks for the quick response! I whitelisted it, but instead of showing
/wp-json/rankmath/v1/updateMeta
in the list I’m seeing
/wp-json/rankmath/v1/updateRedirection
Plugin Support
Jeremy
(@jeremrm)
Hello @topcat,
If you’re seeing /wp-json/rankmath/v1/updateRedirection, that’s perfectly fine, it simply means that the updateMeta route may already be allowed, or Wordfence flagged a different Rank Math endpoint during your last action.
To ensure everything works smoothly, you can whitelist the remaining Rank Math REST API routes as well. This will prevent Wordfence from blocking any of Rank Math’s core features and will ensure full compatibility moving forward.
Let us know how that goes. Looking forward to helping you.
Plugin Support
Miguel
(@miguelrm)
Hello @topcat,
We just wanted to reach out to let you know that the vulnerability you reported is only applicable to versions 1.40.2 and lower of the Free plugin but we are now on version 1.0.258, which means this issue has been fixed for a long time.
Thank you.
