• Resolved mountainguy2

    (@mountainguy2)


    When a lockout or block happens, the standard Wordfence message is displayed. Is there any way to customize this message, or even change it to an error 404 or something? I would prefer it said nothing, rather than informing the blocked hacker that I am using WordPress and Wordfence. Thanks for any ideas, MTN

    https://www.ads-software.com/plugins/wordfence/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author WFMattR

    (@wfmattr)

    Hi MTN,

    Currently there is not a way to customize the lockout message without editing the plugin files, but it is a feature request we’ve had before (reference number FB521), and we will likely be implementing it in the near future. Thanks for the input!

    -Matt R

    Thread Starter mountainguy2

    (@mountainguy2)

    Thanks Matt, just so I don’t have to search, which plugin file generates the html for that page?

    Glad to hear it’s already a feature request. Lots of smart people here on the Wordfence forum, respect.

    Surprising you would supply a block message with so much information. That seems contrary to basic security standards.

    Thanks, MTN

    Plugin Author WFMattR

    (@wfmattr)

    Hi,

    The message text for blocking is in lib/wf503.php, and the unlock message included there is lib/wfUnlockMsg.php. The message for lockouts is in lib/wfLockedOut.php.

    The details on these pages are mainly because a lot of WordPress users don’t have a technical background, and some sites may have users who the owner doesn’t know personally (forum sites, for example) — so if their settings are too strict and they block themselves or other valid users, it gives them details they would need to fix it. (Or for the other users to tell the site owner, in the latter case.)

    Thanks again for the input!

    -Matt R

    I just discovered this thread, and I’m glad to know I’m not alone in needing something more than the built-in lockout messages.

    For those of us who need more secure lockout/blocked messages, I’ve placed the files I use on a Public GitHub Gist.

    Since Wordfence is first and foremost a security product, I’m disappointed that there still isn’t an option to provide “lockout messages” that adhere to standard security guidelines.

    The built-in messages break many security principles; in short, they give the attacker way too much information:
    – They tell the attacker why they can’t access the site
    – Both the login-lockout and blocked messages state they are “temporary” and state to either “try again in a few minutes” or “try back in a short while” (despite the fact that the IP might be perma-banned)
    – They tell the hacker exactly what utility/firewall blocked them, and even include a helpful link to the docs and homepage for said product

    I hope this helps some others & please add an option like this into the product (I have a paid licensed version.)
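
One way to check a block or lockout page for the disclosures listed in the post above, as an added example that is not part of the thread, the poster's Gist, or Wordfence's code. The regexes, the function name `audit_block_page`, and both sample bodies are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed patterns, derived from the three complaints listed in the post above.
REASON = re.compile(r"\b(locked out|blocked|too many (failed )?(login )?attempts|firewall)\b", re.I)
TEMPORARY = re.compile(r"\b(temporar(y|ily)|try again in|try back in)\b", re.I)
PRODUCT = re.compile(r"\b(wordfence|wordpress)\b", re.I)

class _Page(HTMLParser):
    """Collects visible text and link targets from a block page."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        self.text.append(data)

def audit_block_page(html, site_host):
    """Return the sorted disclosure classes found in a block-page body."""
    page = _Page()
    page.feed(html)
    text = " ".join(page.text)
    findings = set()
    # The product check runs on raw HTML so comments and asset paths count too.
    checks = (("reason", REASON, text), ("duration", TEMPORARY, text),
              ("product", PRODUCT, html))
    for name, pattern, haystack in checks:
        if pattern.search(haystack):
            findings.add(name)
    for href in page.links:
        host = urlparse(href).hostname
        if host and host != site_host:  # link pointing off the protected site
            findings.add("external-link")
    return sorted(findings)

# Constructed sample bodies (not the plugin's real templates).
VERBOSE = """<html><body><h1>Your access has been temporarily limited</h1>
<p>You have been locked out. Please try again in a few minutes.</p>
<p>Generated by Wordfence. <a href="https://docs.example.net/firewall">Docs</a></p>
</body></html>"""
QUIET = "<html><head><title>Not Found</title></head><body><h1>Not Found</h1></body></html>"

if __name__ == "__main__":
    print(audit_block_page(VERBOSE, "example.com"))
    print(audit_block_page(QUIET, "example.com"))
```

Run it against the body your own site returns to a blocked test client after customizing the templates; an empty list means none of the listed disclosure classes were detected by these patterns.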

  • The topic ‘Blocked Message from WF — Any Way to Customize?’ is closed to new replies.