The 404 Blocking rule in Really Simple Security’s Firewall helps protect your site against malicious scanning attempts by blocking IP addresses that generate too many 404 Not Found errors while scanning your site for vulnerabilities (a detailed explanation is available here).
If you see the following notice appear on the Really Simple Security Dashboard, this means that the plugin has detected 404 Not Found errors on the homepage of your site. In such cases, the plugin automatically deactivates the 404 Blocking rule to avoid legitimate visitors from being blocked by the Firewall.
This article explains exactly what the notice refers to, and how you can typically fix resources returning a 404 Not Found error on your website.
404 Not Found errors detected on your homepage: 404 blocking is unavailable
So, why exactly does Really Simple Security disable the 404 Blocking rule when it detects 404 Not Found errors on the homepage of your site?
Let’s say that your website’s homepage contains various invalid resources, such as images, scripts or stylesheets. For example: you used to have an image displayed on your homepage, but at some point, you removed the image file from your server (and now your homepage is still trying to load that deleted image).
This means that when a visitor opens your website in their browser, their browser automatically tries loading the deleted image. But as it no longer exists, this will result in a 404 Not Found error instead. If there are multiple invalid resources being loaded, this could lead to legitimate visitors unexpectedly exceeding the 404 Blocking threshold of the Firewall, resulting in a temporary lock-out.
How to locate and fix 404 Not Found errors on a WordPress site
But how do you actually fix such a 404 Not Found error on a WordPress site? You can either re-upload the missing resource at it’s expected location after which it can load correctly again, or, remove any references to the deleted resource from your site’s pages.
The following resources will trigger a 404 Not Found error when they are no longer available:
- Scripts (
<script>tags) trying to load missing JavaScript files - Stylesheet (
<link>) references to missing CSS files - Image tags (
<img>) with invalid sources
To determine which resource is causing the 404 error on your site, start by visiting the relevant page in your browser. We will use the homepage of the site in this example. Then open the Developer Tools of your browser (Ctrl + Shift + I on Windows / CMD + Option + I on Mac).
Method #1: Using the “Console” tab
With the Developer Tools opened in your browser, navigate to the Console tab. If you have 404 Not Found errors on the page, they will be listed here.
In our example, the “main-header.jpeg” image of the site was removed from the server. But since it is still used somewhere on the homepage, visiting the page will attempt to load that non-existent image which results in a 404 Not Found error.
As the error message mentions the exact location where this file used to be present, we can simply re-upload a new main-header.jpeg file to that location (/wp-content/uploads/ in the above example) to solve the 404 about it.
Method #2: Using the “Network” tab
With the Developer Tools opened in your browser, navigate to the Network tab, and refresh the page once when you have the Network tab selected. You should now see many resources appearing in the list.
Click the Status tab to filter by status and look for any “404” statuses. These are the resources that can’t load correctly because of a 404 Not Found error code.
In the above screenshot, it concerns the same main-header.jpeg file as in the previous example. You can click the underlined text under the Initiator tab to see the full path/location of the missing resource, allowing you to re-upload the file at it’s expected location.
Rechecking the status in Really Simple Security
Now that you’ve fixed the 404 errors, you can navigate back to the Really Simple Security Dashboard and click the Re-check button next to the 404 Errors Detected notice.
This will restart the test and should result in the Dashboard Notice disappearing, provided that all of the previously detected 404 errors have been resolved.
