• Resolved Generosus

    (@generosus)


    Good Day!

    Wordfence has a Brute Force feature (or setting) called “Don’t let WordPress reveal valid users in login errors.”

    When activated, the feature allows WordPress’ “Get New Password” form to process even though the “Username or Email Address” field is blank.

    Is this the normal, expected behavior when the above-noted WF feature is activated?

    Details:

    https://ibb.co/fHq52Tj
    https://ibb.co/TtTHWcy

    With no backend (email) warning from Wordfence when this happens, we went crazy (and spent a lot of time) trying to figure out why the WordPress form was processing as usual and not giving us an error message when the field was blank.

    Strong Recommendation:

    (1) If the Brute Force feature is activated, send an email to the site administrator when someone clicks the “Get New Password” button and the “Username or Email Address” field is blank.

    OR

    (2) Adjust your Brute Force feature code to block the form from processing while displaying on the frontend a unique error message generated by Wordfence.

    Thank you!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @generosus,

    Regardless of blank input, valid username input or invalid username input the form currently will process.

    As you’ve made a couple of suggestions now that require consideration by plugin development, I recommend submitting future development or bug requests directly to feedback @ wordfence . com so it can be seen immediately by the correct team. We appreciate everybody taking the time to highlight things that might help the Wordfence product and its wider community.

    I’ve put this one forward though so there’s no need to duplicate your efforts. As I mentioned in your other topic, we have internal channels for discussing customer requests and this will be looked at too. Sometimes suggestions will be scheduled or already appear on our schedule, but I can never comment on definite inclusion of a requested feature or delivery timescales here on the forums.

    Thanks again,

    Peter.

    Thread Starter Generosus

    (@generosus)

    Hi @wfpeter,

    Thank you. Point well taken. Will follow your instructions for plugin enhancement or feature requests.

    Cheers!

  • The topic ‘Bug | Brute Force Feature Allows Processing of WP “Get New Password” Form’ is closed to new replies.