• Resolved Rodrigo

    (@calvinyhobbes)


    (I’m sorry I might repeat this topic, but I couldn’t find the previous one)

    Hello;

    By deactivating plugins, I determined that Wordfence Defender, version 7.10.4, prevents the sending of the password reset email from the Login/Signup Popup plugin, version 2.5, leaving an eternal loop (this happens when the user/email does NOT exist).

    What is expected is that it could:

    1) The message “Invalid user or email” appears

    2) And only if possible, in case of “n” failed attempts, block the IP, for example. Is there a way to parameterize this in Wordfence?

    Thank you

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hello @calvinyhobbes, thank you for reaching out.

    It may be useful to enable learning mode: from the Wordfence Dashboard, click on Manage WAF. Then you will see Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode. Now perform the actions that were causing issues. This will help Wordfence learn that these actions are normal, and it will allow them in the future. After you have finished performing the actions, switch the WAF from Learning Mode back to Enabled and Protecting. Now test to see if these actions work correctly.

    https://www.wordfence.com/help/firewall/learning-mode/ is an amazing resource for learning more about the WAF and learning mode.

    As for parameterizing the Brute Force protection, you can navigate to Wordfence > Firewall > Manage WAF > Brute Force Protection to change the number of failed attempts required as well as the timeout period.

    https://www.wordfence.com/help/firewall/brute-force/

    Hope this helps,

    Christian

    Thread Starter Rodrigo

    (@calvinyhobbes)

    Thanks @wfchristian!

    The problem is that Learning Mode is active, because I uninstalled/installed Wordfence again.

    What I did was:

    1) Disable the additional option “Don’t let WordPress reveal valid users in login errors” from Wordfence. From what I saw, Wordfence recommends having this option active, so as not to reveal existing users, and thus avoid attacks on them (https://www.wordfence.com/help/firewall/brute-force/?utm_source=plugin&utm_medium=pluginUI&utm_campaign=docsIcon#hide-valid-users).

    2) I changed the “Lock out after how many forgot password attempts” option to 4 attempts. I do not know, at this time, if Wordfence hides or invalidates the remember password form.

    Is there anything else I could do?

    Anyway, if you consider that the strategy I used is correct, please indicate so, to close the case and so that other Wordfence users can use the described workaround.

    Thanks

    Rodrigo

    Hello @calvinyhobbes, glad I could help.

    I would not recommend disabling the “Don’t let WordPress reveal valid users in login errors” setting, as it is important in keeping your site secure.

    Wordfence will not invalidate or hide the remember password form. The amount of attempts you set it to is a good number and I would recommend double checking the timeout period to ensure it is set to a long enough duration.

    There is not much else you can do other than to make sure that the Web Application Firewall Status is set to Enabled and Protecting.

    Glad I could help,

    Christian

  • The topic ‘Wordfence blocks, password reset email from Login/Signup (if user NOT exists)’ is closed to new replies.