Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @artifexmedia, thanks for getting in touch over this.

    In the Brute Force Protection section on the Wordfence > All Options page, can you disable the option “Don’t let WordPress reveal valid users in login errors”?

    Remember to press the SAVE CHANGES button.

    Let me know what happens when you try using an invalid email on the WooCommerce password reset form.

    Thanks,

    Peter.

    Thread Starter artifexmedia

    (@artifexmedia)

    Hey @wfpeter,

    Lifesaver, thanks!
    Is there any reason the redirect goes wrong though? Can we possibly get a fix for that or is it not possible?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @artifexmedia,

    Glad to be of assistance! The redirect (when that setting is enabled) goes wrong because the option to hide whether the user was not found doesn’t want to take the visitor to the default path. This does allow attackers to determine if a user exists or not since there’s a separate redirect to my-account/lost-password/?reset-link-sent=true if the user exists.

    We currently have a development case open to deal with this differently for customers with the option enabled. I cannot however comment on delivery timescales here on the forums.

    Thanks,

    Peter.
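
The redirect difference described in the reply above can be checked on a site you administer by comparing what the reset form returns for an existing and a non-existing account. The following is an added example, not part of the thread and not Wordfence or WooCommerce code; the response dictionaries are constructed samples, `/placeholder-missing-page/` is a placeholder, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample responses (not captured from a real site): what a
# lost-password POST might return for an existing and a non-existing account.
KNOWN_USER = {"status": 302,
              "location": "/my-account/lost-password/?reset-link-sent=true",
              "body": ""}
# Placeholder target standing in for the broken redirect reported in the thread.
UNKNOWN_LEAKY = {"status": 302, "location": "/placeholder-missing-page/", "body": ""}
# What a uniform flow would return: the same confirmation for every input.
UNKNOWN_UNIFORM = {"status": 302,
                   "location": "/my-account/lost-password/?reset-link-sent=true",
                   "body": ""}


def fingerprint(resp):
    """Reduce a response to the parts a client can observe and compare."""
    url = urlsplit(resp.get("location") or "")
    return {
        "status": resp["status"],
        "redirect_path": url.path.rstrip("/"),
        "redirect_query": tuple(sorted(parse_qsl(url.query))),
        "body_length": len(resp.get("body") or ""),
    }


def enumeration_signals(known, unknown):
    """Return the observable fields that differ between the two responses.

    An empty list means the flow answers identically whether or not the
    account exists, so the reset form gives no hint about valid users.
    """
    a, b = fingerprint(known), fingerprint(unknown)
    return sorted(k for k in a if a[k] != b[k])


if __name__ == "__main__":
    for label, resp in (("leaky", UNKNOWN_LEAKY), ("uniform", UNKNOWN_UNIFORM)):
        print(label, enumeration_signals(KNOWN_USER, resp) or "no difference")
```
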

    WFPeter – Any update on this? I’m experiencing this too with my site, creating 404s, and I don’t want to disable this security setting. Is there any place I can follow the dev notes so that I can see when this is resolved?

    I’d like to have an update too.

    This is far from a minor issue and it still happens 4 months later.

    Thank you in advance!

    I am also looking for a solution to this issue. I’m not convinced this thread should be marked as Resolved as the workaround isn’t a good resolution.

    Thank you.

    I don’t think this topic is on their radar because it was marked as resolved. Since I posted over a week ago, only other users have posted after me.

    I have created a new thread that is unanswered and linked to this one for reference.

    New thread: https://www.ads-software.com/support/topic/password-reset-redirects-to-404/

    Thread Starter artifexmedia

    (@artifexmedia)

    @wfpeter I have reopened this to see if this appears on Wordfence’s radar.

    This fix should be implemented as promised. Could you update us?

    We have provided a workaround for you in the meantime. We work issues in the order of priority and sometimes what is an issue to you is not as important to others. We’ll work on it as soon as we can as we value all our users regardless of their license type. However, with roughly 85% of our users having the free plugin our resources are unfortunately limited. Hopefully we will get this in an upcoming release soon.

    Tim

    Hi Tim,

    I am a paid user and would like this addressed ASAP.

  • The topic ‘Woo password reset unknown user redirects to 404’ is closed to new replies.