• Resolved azrobbo

    (@azrobbo)


    This thread from a year ago asked if there was any way to customize the blocked/locked pages that get displayed.

    In that thread there was mention that this might be implemented soon. Unfortunately, I still don’t see a way to change this other than modifying lib/wfLockedOut.php and lib/wf503.php.

    For anyone who wishes to make their Blocked or Locked notifications more secure, I’ve shared my modified wfLockedOut.php and wf503.php files on this public GitHub Gist.

    I’m a licensed user, please try to add an option for this into the program so I don’t have to re-copy these files after every update.

    • This topic was modified 7 years, 8 months ago by azrobbo. Reason: fixed typo in title
Viewing 15 replies - 1 through 15 (of 54 total)
  • I originated that thread asking about customized locked message. Thanks Azrobbo for resurrecting the concept and sharing the latest files that one would customize to do this. Everyone, be advised that while this is a good thing to do for a number of reasons, the changes you make get written over each time Wordfence updates (which is quite frequently).

    My main reason for my customizing was to reduce bandwidth, as the blocked message gets loaded thousands of times on a heavily bot-attacked website. But reducing the amount of information you’re offering up to criminals is a good idea as well.

    Mainly, what we indeed need is the _option_ to use customized block messages.

    Please Wordfence.

    Azrobbo, be sure to test your customized block message, I vaguely recall from my last go-around with this, that the customization location within Wordfence may have changed.

    MTN

    • This reply was modified 7 years, 8 months ago by mountainguy2.
    Thread Starter azrobbo

    (@azrobbo)

    Thanks for the feedback, MTN, and thanks for your original post last year.

    I tested them about a month ago for the various locked-out & blocked scenarios. Although, it would probably be prudent to test them periodically to make sure they still function as expected.

    I have a shell script which copies these files after an update. Now, I just need to implement a trigger so that it automatically occurs when the plugin has updated.

    Plugin Support wfphil

    (@wfphil)

    Hello,

    Thanks for the feedback. We don’t have this feature at the moment but your suggestion has been noted.

    Azrobbo, isn’t it problematic automating the customization, as copying older Wordfence core files over those of an update could cause problems due to the new files possibly being different in various ways?

    In my case, I just made some boilerplate that I copy-paste into the files. But I’m getting burned out on doing the change every time Wordfence updates. Makes me dread their updates.

    In any case, I hope other users see this thread and also take a look at the Wordfence block message and see the extensive information it gives criminals attacking a website.

    MTN

    • This reply was modified 7 years, 8 months ago by mountainguy2.
    Thread Starter azrobbo

    (@azrobbo)

    Hi MTN,

    I agree that copying over the files has a degree of danger, and that your method is theoretically safer. But, unless Wordfence significantly changes the way they use those files, overwriting them can’t really cause any problems. (Note: I only overwrite these two files, and I’ve been overwriting them for a while now without issue.)

    This is because (in recent / current versions of Wordfence):

    • even though they are php files, they don’t do anything other than determining how much info to display & display it. (i.e. They either display an excessive amount of info, or an obscene amount of info – from a security perspective)
    • essentially, they are functioning like HTML files containing text that gets displayed when called (which happens on lockout or blocking)
    • they return no information back to the calling functions
    • So, unless WordPress completely changes why or how these files are used, replacing them should have no effect.

    I’m looking to implement some sort of automated solution. Although I’m still conceptualizing the logic for my automation, it will probably function along these lines:

    • It will make a backup of the “default” files after a plugin upgrade
    • Compare the new “default” files against the previous “default” files (the backups from the previous version)
    • If they’re the same (i.e. Wordfence hasn’t changed those files), then it will automatically overwrite them with my custom files.
    • If the new “default” files are different, it will send me an alert (so I can inspect them manually) and leave them intact.
    • I haven’t determined how to automate them, but the WordPress action hook upgrader_process_complete looks promising

    I’ve moved my custom files to a GitHub repo, the repo contains:

    • my custom files
    • screenshots of my custom files
    • screenshots of the default files
    • description of how I find the defaults lacking (from a security perspective)
    • I will add an installation and/or automation script when developed (unless WordPress fixes this before then).

    I welcome any feedback, comments and criticism. Feel free to post in the repo if you’d like.

    Robert.

    • This reply was modified 7 years, 7 months ago by azrobbo. Reason: changed from markup to html (cough)
    • This reply was modified 7 years, 7 months ago by azrobbo.
    • This reply was modified 7 years, 7 months ago by azrobbo.
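As an added example of the compare-then-overwrite logic sketched in the post above (this is not azrobbo’s script or the repo’s code), a small shell helper that hashes the two shipped files, re-applies the custom copies only when the shipped default is byte-for-byte the one last vetted, and otherwise leaves the new default in place and alerts. The plugin lib directory, the custom-file directory and the state directory are assumptions; the two file names are the ones named in the thread.

```shell
#!/usr/bin/env bash
# Added example: re-apply custom Wordfence block/lock pages after an update,
# but only when the shipped defaults are unchanged since they were last vetted.
set -eu

# Assumed layout (override via environment); the two file names come from the thread.
WF_LIB="${WF_LIB:-/var/www/html/wp-content/plugins/wordfence/lib}"
CUSTOM_DIR="${CUSTOM_DIR:-/etc/wordfence-custom}"    # your wfLockedOut.php and wf503.php
STATE_DIR="${STATE_DIR:-/var/lib/wordfence-custom}"  # sha256 of the last vetted defaults
FILES="wfLockedOut.php wf503.php"

sha() { sha256sum "$1" | cut -d' ' -f1; }

# Handle one file and print what happened:
#   custom-present  live file already equals our custom copy (trigger fired for another plugin)
#   baseline        first run: shipped default recorded as baseline, custom copied in
#   installed       default unchanged since last vetted version, custom copied in
#   changed         Wordfence altered the default: left intact, alert printed to stderr
apply_one() {  # $1 = filename
    local f="$1" live="$WF_LIB/$1" custom="$CUSTOM_DIR/$1" state="$STATE_DIR/$1.sha256"
    mkdir -p "$STATE_DIR"
    if [ "$(sha "$live")" = "$(sha "$custom")" ]; then
        echo custom-present; return 0
    fi
    if [ ! -f "$state" ]; then
        sha "$live" > "$state"; cp "$custom" "$live"; echo baseline; return 0
    fi
    if [ "$(sha "$live")" = "$(cat "$state")" ]; then
        cp "$custom" "$live"; echo installed; return 0
    fi
    echo "ALERT: $live differs from the vetted default; inspect it before re-applying" >&2
    echo changed
}

# After manually reviewing a changed default, accept it as the new baseline.
accept_baseline() { sha "$WF_LIB/$1" > "$STATE_DIR/$1.sha256"; }

apply_all() { for f in $FILES; do printf '%s %s\n' "$f" "$(apply_one "$f")"; done; }

# Invoke as: ./wf-custom-pages.sh run  (from cron, or from whatever trigger you
# attach to upgrader_process_complete). Without "run" it only defines the functions.
if [ "${1:-}" = run ]; then apply_all; fi
```

Because the check is against the hash of the last vetted default rather than against a fixed version, an update that leaves the two files untouched is handled silently while any change to them stops the overwrite.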
    Thread Starter azrobbo

    (@azrobbo)

    @wfphil – Thanks for taking this feedback and noting it as a feature request.

    First – I love your product, feel like you give out a tremendous value in the free version, and the paid version is even better.

    My ask is simple – Can you please allow us to specify custom PHP files for “block” and “lock” – alternatively, allow us to run a script (to re-copy customizations) after the plugin is updated?

    I realize (from the thread linked above) that you were focused on users who were getting incorrectly locked out. I understand the desire to please needy customers, and it is noble.

    Unfortunately, it is misplaced. As a security product, you should be focused on security first and user-friendliness second. The defaults should be locked down, with an option to make it user friendly – not vice versa (as it is now with no option to lock-down).

    I strongly suspect that the only reason more people haven’t raised issues about the default messages is that they haven’t seen them.

    A couple of questions that make my skin crawl when I see the default messages:

    • They are so user friendly, it’s as if you don’t expect any bad actors (like hackers) to see them. Did you even consider this possibility?
    • Why do you brand them “generated by Wordfence”? Do you envision that either the hackers or locked-out users are potential customers? (One is trying to defeat you, the other is likely upset with you.)
    • Do you realize how many WordPress sites are out there with exactly ONE user that logs in and that’s it? They have zero interest in being friendly to anyone entering incorrect passwords and/or getting locked out.

    I have a full list of “security issues” with the default messages listed in the README in my GitHub repo, and I sincerely hope you’ll take the time to review them.

    Again, I actually do love your product – I just really hate this one “default” that breaks so many security best-practices.

    Thanks,
    Robert.

    • This reply was modified 7 years, 7 months ago by azrobbo. Reason: changed from md to html
    Plugin Support wfphil

    (@wfphil)

    Hello Robert,

    I have passed on your request for us to have a further look for you.

    Hi azrobbo,
    Phil asked me to have a look at your feedback. We do appreciate user feedback on Wordfence, and we end up implementing a lot of suggestions our customers make eventually. This particular issue (custom block pages) has come up a few times in the past, but not frequently enough to make it a priority. To answer your questions:

    1. Of course we realize that attackers will hit the block pages. However, our customers are in control of their own blocks and therefore there will always be humans that get blocked intentionally, and sometimes unintentionally.

    2. Mentioning Wordfence on the block pages makes it easier to debug false positive blocks. We don’t see any risk in attackers knowing which software they were blocked by. A) They could figure that out anyways if they actually cared and B) Trying to hide is not a reliable security principle. For more on that see the concept of “security through obscurity”.

    3. People manage to lock themselves out sometimes. That’s a far bigger concern to us than that an attacker would see the word “Wordfence” on a block page. I’ll also add that the vast majority of attacks against WordPress sites are bots programmed to run tests on WordPress sites to see if they can get in. They don’t actually care why they get blocked, they just automatically move on to the next site until they find one that is vulnerable.

    I hope that answers your questions. And again, thanks for your feedback. We may implement some version of custom block pages in the future; it’s just not at the top of our list right now.

    Have a great day!

    For what it’s worth. I would like to add my support for the option of implementing a more secure block message. At least give us the option. Right now it is a huge hassle to upload a customized block message every time a new version of WordFence is released. Hats off to azrobbo for creating a git repo with instructions! Thank You! But WordFence should make this a simple checkbox in the Admin UI. Please.

    Add my support as well.

    While I get wfasa’s point about newbies needing some clear explanations/instructions on the error pages, that seems like a bit of a weak argument. Anybody going into advanced settings to customise these messages isn’t a n00b who needs to be told what a 503 means.

    It seems the copy of the error page is designed more as PR for Wordfence. That is fair enough – it is a free program after all – but let’s be honest about the reason for the current copy.

    Apart from giving the hacker (or bot in most cases, but NOT ALL cases) too much information, this copy is also too long. On my site it’s being loaded hundreds of times a day – or thousands of times. More importantly, though, the copy is telling even the humans who hit that page to try again in a few minutes. What do you think they’ll do? They’ll try again. Why? You’ve given me, the webmaster, the option of blocking them for the whole day, whole week or whole month. Why ask him to try again in a few minutes? It just doesn’t make sense.

    Can we please have control over the error messages without having to fiddle around with changing files manually after each update? That would be most appreciated. Thanks.

    Thread Starter azrobbo

    (@azrobbo)

    @wfasa

    Thank you for your response.

    Given that your response essentially just validates your current implementation, it seems rather clear that you will not be implementing this request.

    So, I have a new simple proposal:

    Can we have a special message for “manually” and “firewall” blocked IPs?

    Right now these “known bad IPs” see the same “overly friendly, thank you please hack again” message that is intended for users.

    Please let me know your thoughts on that.

    FYI – I’ll also admit that mentioning “Wordfence” in the block pages isn’t that big of a deal, and it is somewhat of an industry-wide practice.

    Thread Starter azrobbo

    (@azrobbo)

    @wfasa @wfphil

    I need to correct your comparison of my request to “security by obscurity”, and suggesting I read up on it. I’d be insulted if it wasn’t such a laughable comparison.

    You stated – Trying to hide is not a reliable security principle. For more on that see the concept of “security through obscurity”.

    Let’s define exactly what security through obscurity is:

    • Security through obscurity is a reliance on secrecy of the design or implementation as the main method of providing security for a system.
    • The basic fact that I use the paid version of your product clearly demonstrates that there is no reliance on secrecy.

    There’s a big difference between the “desire for as much secrecy as possible”, and “using secrecy as the primary method of providing security”.

    Since you suggested some research for me, let me return the favor: NIST 800-123: Guide to General Server Security

    Section 5-1:

    • “Remove all manufacturers’ documentation from the server.”
    • “For external-facing servers, reconfigure service banners not to report the server and OS type and version, if possible.”
    • “While this will not stop determined attackers, it will force them to work harder to compromise the server, and it also increases the likelihood of attack detection because of the failed attempts”

    The last point is exactly what I’m trying to accomplish; make the attackers work harder.

    • Why give them everything up front because “they might obtain it anyway”?
    • No it will not stop them all, but it might deter some.
    • Yes, there are many bots, but they’re not all bots. And even bots collect and store returned results.
    • This reply was modified 7 years, 6 months ago by azrobbo. Reason: The lack of md support here is annoying
    • This reply was modified 7 years, 6 months ago by azrobbo. Reason: More MD cleanup

    @azrobbo, well put!

    +1 Vote to customize the block message. The Block message, when I’ve blocked an IP permanently, is WAY too chatty and discloses way too much. Considering I am seeing this for IPs that I intentionally blocked, I see the use of a customized message.

    I’m going to block at the server level because I just can’t disclose so much in my case.

    But this would be a welcome addition to WordFence.

    Count my vote in please.

  • The topic ‘Customizing Block & Locked Messages from Wordfence’ is closed to new replies.