WP Firewall - Offending Parameter: metdatacookie - what is it?

In the last 24 hours my Wordpress Firewall has picked up hundreds of alerts that start like this:

Offending Parameter: metdatacookie = 1920!927

The number is often different, but in that format. What follows in a long string of characters etc. Sometimes there is a Google search in it, immediately after my URL, e.g.

Offending IP: 24.255.169.197 [ Get IP location ] Offending Parameter: metdatacookie = 1440!698!http://www.mydomain.com/jack-lee-workout!http://www.google.com/search?q=jack lee workout&sourceid=ie7&rls=com.microsoft:en-us:IE-SearchBox&ie=&oe=&rlz=1I7ADFA_en!3:0t172W01D1LD3S91300yDD3e91010xCD3e91000xMD3e3J03901UKH4G313F14MP4I111L1AuP4J230Q1D13P4M71101DiP4M91101CGP4M71001CSP4M71400CDP4M151105HCD3S370g05x1hD3S150105yDD3S170g06Z2eD3S270L06u1xD3S250L07BXD3S270L07W2TD3S250L07rND3S270L0872bD3S67000872sD3S358P115gP4l315512BH4n3156C3DA4q3162C1BA4s3123E1BA4u9110F0PA4u9113F1BA4s9301331kL4pc100F0oA4s0100F0DA4s-A4s,B1P:1C,BER:3a,cBH_

I am a little concerned…

I installed a new WP theme the other day. Could there be a connection? I have run WP Security scan and it all looked OK, some alerts in the theme but I think only because of includes etc.

I would like to whitelist this if I can as I am losing business if this is OK - hundreds of people each day are being sent to an error page by the Firewall.

it may also have something to do with this:

probably bots copying content.

Interesting, thanks. I am starting to think it is innocent, although still do not really understand it.

I have searched Google for parts (parameters) and many do come up in search strings. Also saw Google toolbar mentioned, and some of the alerts mention Firefox, some IE. So maybe there is a problem at the moment with Google toolbar and the Wordpress Firewall. But I am guess.

We need an expert.

After looking into it I found out that rlz is set by Google Chrome.
http://en.wikipedia.org/wiki/Google_Chrome#Usage_tracking

In your case - that is not valid rlz parameter (because it MUST be 20 characters).
Why that happens and if you should block/whitelist these connections - frankly I don’t know. :wink:
Maybe - some privacy tool regenerates this value, so that user becomes untraceable to google… Maybe - it is some form of attack on something (say google analytics)
Maybe - none of the above. :slight_smile:

Somebody who knows better should clarify this :slight_smile: