Ultimate Member not allowing wp-login.php to function properly with Wordfence

  • UM Support –

    First off, thanks for building a great plugin. We’ve had minimal issues that we’ve been able to work around until recently.

    We’ve had to add Wordfence to a site that utilizes UM. Along with this requirement, we need to implement Wordfence’s cell phone sign-in for administrators.

    What I’ve done so far:
    -Checked UM and Wordfence documentation
    -Checked forums – One post indicated that 2FA will never be added to UM. Another asking about Wordfence compatibility has gone unanswered (post is over 10 months old).
    -Usual Google/SO search

    I changed the setting allowing for the normal wp-login.php page to be accessible. Unfortunately, UM still interferes with the default login page, as access is granted without prompting for the cellphone code (one is also never sent). I deactivated UM and tried the same process and was sent a code and prompted for it as well. This has confirmed that UM is interfering with the normal wp-login.php page.

    Please advise if there is a work around that I’ve missed, settings that I should try, or some other way to stop UM from interfering with the basic login page. I understand why Wordfence’s 2FA may not work with a UM login form, but expected there to be no issue with wp-login.php.

    Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Ultimate Member Support

    (@ultimatemembersupport)

    Hi @natkinson,

    Can you please update to the latest pre-released version of UM and see if this will resolve the issue?

    https://github.com/ultimatemember/ultimatemember/releases
    https://docs.ultimatemember.com/article/202-updating-the-ultimate-member-with-a-pre-release-version

    Thanks.

    Thread Starter natkinson

    (@natkinson)

    Dear UM Support,

    I tested pre-release version 1.3.84.22 without any change in behavior. Wordfence is still being prevented from prompting an admin for a cellphone code (and one being sent). From the research I’ve done, it looks like this is being caused by a 302 redirect before any other functions can fire off the same hook.

    I’ve started to look into the UM code to see what the culprit may be. It is a requirement that we enable cellphone sign-in. Any other suggestions?

    Thanks

    Thread Starter natkinson

    (@natkinson)

    PS. If there’s no way to get Wordfence’s cellphone sign in to work with UM, are there any plugins that UM is compatible with that provide cellphone sign in or comparable security?

    Thanks!

    Thread Starter natkinson

    (@natkinson)

    I’ve found a very hacky workaround that finally has gotten Wordfence cellphone sign in working. Unfortunately, it’s meant making a few changes to core files, which of course broke the UM login form. We will now be working to replace the UM login with a customized WP login page.

    This of course means I’ll be unable to update UM without making (and testing) the changes again in the future.

    Please realize that security is not only a want but becoming a must for many sites. I love the plugin, but moving forward will not be able to use it for any other sites until this issue has been addressed.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Ultimate Member not allowing wp-login.php to function properly with Wordfence’ is closed to new replies.