wordfence 7.8.0 locked me out of my site

  • Resolved ellienowels2

    (@ellienowels2)


    1 year, 11 months ago

    Wordfence automatically updated yesterday to 7.8.0. Today I tried to log into my site after seeing multiple attempts to log into my site with an invalid user name. But Wordfence tagged my own user name as invalid and locked me out. I get a message that I will get an email with instructions on getting back in but that never arrives. I had to go into my file manager and deactivate wordfence and now I can log in. How can I keep this from happening?

Viewing 3 replies - 1 through 3 (of 3 total)

  • I’ve been getting this for a couple of weeks so before the update. Now people visiting my site, mostly from facebook links, are reporting the same issue. I’ve deactivated Wordfence until this is fixed

    I have the same issue !

    Plugin Support wfpeter

    (@wfpeter)

    Hi @ellienowels2, thanks for reaching out!

    If you are not receiving emails, the unlock emails actually come from your website and not our servers. You might want to check:

    • The emails (they come from [email protected]) are getting sent to your junk mail folder by your email client or provider. Make sure and whitelist or add your website to the list of safe domains so you get emails consistently.
    • Your web server is having a problem with the email software on it. This isn’t like regular emails you send and receive, but rather server alert messages. Usually, a restart of postfix or sendmail (whichever is installed) can fix it. Your hosting provider may need to help with this.
    • Your hosting provider has disabled SMTP from the server for some reason like preventing the server from being used to spam people.
    • You have a third party plugin for sending emails with another service, like Gmail, which isn’t working. Reaching out to the plugin author for support can help.

    For the benefit of the other people experiencing this issue (but I know you’ve already done this), renaming your “wordfence” plugin folder to something like “wordfence.bak”, logging in, then reverting the name back is a way to gain immediate access.

    In relation to the original issue, it seems odd that your username would be flagged as invalid. Even if you have Wordfence > All Options > Brute Force Protection > Immediately lock out invalid usernames or have specified a username under “Immediately block the IP of users who try to sign in as these usernames” set, valid usernames that appear in your users list would be ignored under both circumstances. Sometimes the first setting can pose problems on sites with a large number of users though, so we recommend this to be turned off in many cases.

    Are there any Login Security features you’re using such as 2FA or reCAPTCHA that would also be expected on the login page that weren’t showing, or might’ve been factors in why you were locked out? If you received any specific error messages on the login screen or during the process, those would be helpful pasted here if you can recreate them.

    Once you were back in your site, did you see in Live Traffic a reason given as to why your user was blocked? After clicking an entry in the table to expand it, red text should explain which rule or setting was violated in Wordfence’s opinion. This and/or the error you saw at the time could be the key to stop it reoccurring.

    Thanks,

    Peter.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘wordfence 7.8.0 locked me out of my site’ is closed to new replies.