Users Cannot Get In

I just had a similar problem, noone could log in – luckily enough I was still loggen in as admin. I deactivated 2FA (was only required for admin) and then the problem was solved. But now the security for admin is lower. ??

All 2FA was deactivated on my website anyway.

I’ve gone with Sucuri until the issue gets fixed.

I really cannot see how the sucuri plugin gets so much good press – it’s horrible to work with.

Reactivated Wordfence, but on a rollback to version 7.5.9 -the last version that I know was working properly.

Hi @deeveearr, thanks for reaching out to us.

Even though you mention that 2FA is disabled, is Wordfence’s reCAPTCHA enabled on your site? It might be best if you send a site diagnostic, as it’s my belief that “Security check failed” is a string of text that appears with another password protection or user management plugin rather than in Wordfence itself.

Can you send the diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

Thanks,

Peter.

Hi @wfpeter

Ok, so here’s what I did:

First, I re-installed the latest version of Wordfence (7.5.11)

Next I ran a scan, which mentioned the following:

[JUN 23 18:42:15] Notice: Trying to get property ‘id’ of non-object in /home/midland6/secretclassifieds.com/wp-content/plugins/user-last-login/user-last-login.php on line 147 0

So I disabled the ‘User Last Login’ plugin and ran another scan to make sure that the error had disappeared – which it did.

Both of the above scans finished rather quickly compared to my other websites.

Next I sent the diagnostic report over to wordfence.

Finally, I rolled Wordfence back to version 7.5.9.

Awaiting further communications on this issue.

Just a quick thought – is it possible to completely disable 2FA?

It seems that there is a ’10 day period of grace’ inside the logon security settings, which would tie in with the 7.5.11 issue.

Hi @deeveearr,

2FA is completely disabled if nobody has scanned the QR code and confirmed the output from an authenticator application to enable it. The grace period mentioned applies only when 2FA is enabled and one of the user roles is set to “required”. This gives time for users in that role to comply with 2FA before they are locked out.

Wordfence 2FA and reCAPTCHA only works with default WordPress and WooCommerce login/registration pages, so problems with authentication could arise if either of these features are enabled and custom login forms, or the default pages are hidden by a plugin in some way. You could try disabling any functionality to do this and see if the authentication problems subside. For example, if reCAPTCHA doesn’t receive the code it was expecting in a format/field it was expecting, I have seen these problems come up.

Thanks again,

Peter.

Hi @wfpeter

There are no recaptchas anywhere on the website, so that’s that issue sorted.

Why is is that Wordfence 7.5.9 works perfectly, and there have been no complaints from my advertisers and the adverts have been piling up as usual, but no-one can get into the website if Wordfence 7.5.11 is activated?

Hi @deeveearr,

We have another plugin release expected for release tomorrow that is version 7.6.0. I have been through notes for versions between 7.5.9 and the current release but haven’t seen repeat behavior across my own test sites or our rather sizeable customer-base where users can’t gain access any more between these versions with no changes to configuration.

You could certainly try the latest release when it launches to see if it helps, or disabling all plugins and reverting to a default theme. If WordPress logs you in as expected with Wordfence as the only active plugin, re-enable your plugins and theme one-by-one until the failure behavior starts up again. A conflict may have been introduced between Wordfence and something else inadvertently that wasn’t showing up before.

Thanks again,

Peter.

Thanks @wfpeter I’ll look forward to the new version and see if that works.

It’s really tricky to disable all plugins to see if a security feature works, as it cannot be tested until a new user arrives.