Regarding internal ticket #fb521 (custom displayed error/block messages)

+1
Customising the blocked message is something really important to me (even if it involves customising php scripts).

Hi @catsfoto1se & @psamathe

That case was resolved with the introduction of the option Custom text shown on block pages found in the Additional Options subsection of the Brute Force Protection section on the All Options page.

@wfphil yes, I’ve seen that function, but I was thinking about more like a total own page, that simply tell them to f*** o**, now it looks so “formal”

Hi @catsfoto1se

That is the only functionality that is available to customize block pages so that you can provide information to site visitors that are blocked by the settings you have configured and they can contact you.

My “visitors” who are blocked are invariably nuisance bots and hackers so I just want to send them a 403 or 503. Hence all I’m after is an option to send a custom page/code. All WF has to do is have an option “Return: Wordfence info page/URL to custom page” and an error code to return (e.g. 403/503/whatever).

Hi @psamathe

As outlined above the only option you have is the option Custom text shown on block pages.

Then maybe take the requests (from several here) as a feature request? Unfortunately the option you provide it not useful. Most blocked “visitors” are nuisance bots who wont read anything – just try again 2 seconds (or less) later, then again 2 seconds of less later, etc.

Hence a minimal 403/503 or whatever is really what is needed.

Hi @psamathe

We have had many feature requests for optimization of block pages and the option that has been added is the result of those feature requests. It is important for site visitors and site owners to know what has blocked them and why they have been blocked so that the site owner can quickly resolve it if they have configured Wordfence options and settings too strictly or incorrectly.

You are telling me how to run my site. Most software providers develop broad functionality to provide for the needs of a range of users rather than tell people how to operate their site. It’s why there are options and settings.

Not impressed that WF does not listen to users but instead tells them how them must run their site.

Hi @psamathe

Your reply doesn’t make any sense to me at all as not once have I told you how to run your website. You are in complete control of the blocking settings that you set and we have no control over your settings at all.

There will always be humans that get blocked intentionally, and sometimes unintentionally because Wordfence users will sometimes set settings too strictly or incorrectly.

Mentioning Wordfence on the block pages makes it easier for site owners to debug false positive blocks. We don’t see any risk in attackers knowing which software they were blocked by because they could figure that out if they actually cared and trying to hide something is not a reliable security principle. For more on that see the concept of security through obscurity.

People manage to lock themselves out sometimes. That’s a much bigger concern to us than an attacker seeing a block page saying that it has been generated by Wordfence. The vast majority of attacks against WordPress sites are bots programmed to run tests on WordPress sites to see if they can login of find an exploitable vulnerability. The bots don’t care why they get blocked, they just automatically move on to the next website until they find one that is vulnerable.

The option that we added to Wordfence allows an administrator to add a personal message in their own language, and can add contact information if they want to.