• Resolved kjwp7

    (@kjwp7)


    Hello,

    I recently added Wordfence to my website which already had Jetpack. I use 2FA, and I don’t allow other people to log in on my website (which serves as a kind of a portfolio).

    I can see in Wordfence that from time to time there are attacks on //xmlrpc.php. What would be the best option? Get rid of Jetpack and disable XML-RPC authentication, or leave it as it is now – with Jetpack but XML-RPC authentication enabled?

    Thanks in advance!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @kjwp7, thanks for reaching out to us over this.

    If you are using Wordfence 2FA, there is a note before you turn it on to choose the “Skipped” option if you use the WordPress app, the Jetpack plugin, or other services that require XML-RPC.

    The problem we see is that there’s no “session” in the way that Jetpack uses XML-RPC. The username and password are sent with every request, so after the first request, the 2FA code is no longer valid. A new code would be needed every 30 seconds.

    A switch by these apps and plugins to use WordPress’ recently added application passwords would most likely rectify the authentication issue going forward.

    Thanks,

    Peter.
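    The mechanism Peter describes, modelled as an added Python example (not Wordfence’s or Jetpack’s code): a sessionless client that resends a stored password plus TOTP code on every request is accepted only once, while a per-client application password is accepted on every request. The once-per-time-step replay check, the secret and the password are assumptions of the model.

```python
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30  # seconds a code stays valid, as stated in the thread

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits), as produced by authenticator apps."""
    counter = unix_time // TOTP_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class TotpLogin:
    """Password + TOTP model (an assumption, not Wordfence's code): each time step
    is accepted once, the replay check RFC 6238 section 5.2 recommends."""
    def __init__(self, password: str, totp_secret: bytes):
        self.password, self.totp_secret = password, totp_secret
        self.last_counter = -1  # highest time step already used

    def authenticate(self, password: str, code: str, unix_time: int) -> bool:
        counter = unix_time // TOTP_STEP
        if not hmac.compare_digest(password, self.password):
            return False
        if counter <= self.last_counter:  # code for this step already consumed
            return False
        if not hmac.compare_digest(totp(self.totp_secret, unix_time), code):
            return False  # wrong or expired code
        self.last_counter = counter
        return True

class ApplicationPasswordLogin:
    """Per-client long-lived secret: accepted on every request, revocable on its own."""
    def __init__(self):
        self.issued = {}  # app name -> SHA-256 of its token
    def issue(self, app_name: str) -> str:
        token = secrets.token_hex(16)
        self.issued[app_name] = hashlib.sha256(token.encode()).hexdigest()
        return token
    def authenticate(self, app_name: str, token: str) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        return hmac.compare_digest(self.issued.get(app_name, ""), digest)

def replay_stored_credential(login: TotpLogin, password: str, code: str, times):
    """A sessionless XML-RPC client resends the credential it stored on every call."""
    return [login.authenticate(password, code, t) for t in times]
```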

    Thread Starter kjwp7

    (@kjwp7)

    Hello, thanks for your message. I don’t know much about all that stuff, so could you please describe what I should do with the application password to set it up correctly (in this case, to block xml-rpc attacks)? Should I make any changes in Wordfence/Jetpack settings as well?

    Thanks in advance!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @kjwp7,

    Apologies if I wasn’t 100% clear with my statement there at the end. The application password functionality would have to be implemented by the developers of the plugins and phone apps that currently pose a problem with 2FA. At the moment, the “Skipped” option would still have to be picked.

    Thanks,

    Peter.

    Thread Starter kjwp7

    (@kjwp7)

    Hello,

    I want to make sure I get it right – I use Wordfence’s 2FA (via Google Authenticator), but only log in on the computer, so I don’t use any WordPress apps on the phone. For me the 2FA works fine with the option set to “required”. Should I still change it, and will it be safe for the website? On Wordfence’s website it says:
    “This option is set to ‘Required’ by default, to prevent logins without 2FA via xmlrpc.php. Attackers often target xmlrpc.php with password guessing attacks, so it is important to keep this feature enabled if possible.”

    Will Wordfence keep blocking those attacks even if I change the option to “skipped”? Sorry for asking about all those details, but I really don’t know much about it and at the same time want to keep the site safe.

    Thanks again!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @kjwp7,

    If you choose the “skipped” option, make sure to only pick it if you’re having issues around running Jetpack. “Required” will provide you with the best level of security, but it’s not supported by Jetpack, so there’s no way around this currently. Wordfence will still monitor your traffic, brute force attempts, known bad user-agents, etc., but the only difference would be that 2FA won’t be enforced on XML-RPC authentication attempts.

    Thanks,

    Peter.

  • The topic ‘Jetpack and Wordfence’ is closed to new replies.