HTTP API Call → 404 error perhaps at licence check with my.snicco.io

Markus Raab

I am troubleshooting something on a site, and occasionally I see a 404 error in Query Monitor that probably goes back to licence checking of CommandUI.

The URL looks like this (I retracted some parts of it as I am not sure if it should be public)
https://my.snicco.io/api/v0/update/prod_01j1234567890/1.1.0
If I open it manually it shows me {"errors":["Missing Authorization header"]}

Query Monitor shows some more details:

Snicco\CommandUI\checkForUpdate()
wp-content/plugins/commandui/src/licensing/sdk.php:323
Snicco\CommandUI\{closure}()
wp-content/plugins/commandui/src/licensing/updater.php:178
apply_filters('site_transient_update_plugins')
wp-includes/plugin.php:205
get_site_transient()
wp-includes/option.php:2603
wp_get_update_data()
wp-includes/update.php:917

I noticed this already a few months ago, just never had the time to report it. I cannot estimate how critical this is. I usually do not have Query Monitor installed so I can't say if its happening to all sites.

I hope this information helps to estimate what's going on.

Thanks

Markus

Calvin Alkan

Markus Raab

What CommandUI version are using on that site?

Markus Raab

Calvin Alkan Good point - it does not show me the update on that site, so I did not notice. I never manually uploaded but bulk uploaded your plugin to all my desired sites back then when you introduced updates via wp-admin. But it was still on 1.1 - now it's on 1.8.

I'll check via MainWP if there are any other sites where it did not update.

Calvin Alkan

Markus Raab

You could Download 1.7 from the account area. And then see If 1.8 shows as an available update.

Markus Raab

Calvin Alkan I uploaded already straight to 1.8. On the particular site I run some Cloudflare WAF rules as well. I just didn't document which rule I enabled when and how it correlated with the dates of releases of CommandUI. But with the latest information that sounds like it could be related.

From which version on did you included the update feature in CommandUI?

Markus Raab

@Calvin Alkan On that particular site I now tried 1.7 and I can see not updates. This all goes back at least many weeks if not months. I did not have many rules at Cloudflare WAF back then. It must have been this one: if (ip.src.country eq "US") the Cloudflare Managed Challenge

The question is how can I exclude or whitelist it to make the updates work?
And how often will it check so that I know how to test it?

Currently I am testing a more advanced set of rules: https://webagencyhero.com/cloudflare-waf-rules-v3/

Fur further testing I paused Cloudflare. I also paused Wordfence. No other site uses Wordfence. However, both did not make a difference (but maybe it only checks once a day)

Markus Raab

Update: I think it's not only Cloudflare WAF rules but Wordfence or both. I am using Ninja Firewall normally, just on that site there still is Wordfence from the previous WordPress guy

I modified a rule at Cloudflare and added: and not http.referer contains "snicco"

I also have a copy of the site on a different hosting now because of another troubleshooting case, same sub(domain) and same Cloudflare proxying.

→ Live hosting + Wordfence enabled → do not see update yet
→ Dev hosting + Wordfence disabled → suddenly I see the update, maybe it checks 1x per day

Markus Raab

Hey @Calvin Alkan I still do not get the update. I don't see it in the Cloudflare logs either. What must be whitelisted or excluded from security rules to make the auto updates work?