• Hi, we have a problem with Wordfence brute force protection not blocking failed logins when wpDirAuth is used. The combination worked on one site; on the other it started to work when I changed ‘Enable SSL Connectivity’ to ‘Use TLS’ in wpDirAuth settings. On the third site (most vital site) that did not fix the problem. The problem is exactly the same as here. Could you come up with a quick fix for the problem? Otherwise we may be forced to change this otherwise good LDAP plugin to another one.
    -VeM-

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter vemi2709

    (@vemi2709)

    One setting can fix the problem (though we cannot use it in our production): I changed the setting ‘Automatically Register Authenticated Users’ from Yes to No. -VeM-

    Plugin Author Paul Gilzow

    (@gilzow)

    Unfortunately, this is a known issue with WordFence. I’ve tried to get them to correct their hook to authenticate but they have yet to update their code.

    Plugin Author Paul Gilzow

    (@gilzow)

    Try this: at line 544 and line 1455 in wpDirAuth.php, change could_not_authenticate (544) and failed_login (1455) to authentication_failed and see if WordFence starts behaving properly.

    Thread Starter vemi2709

    (@vemi2709)

    No luck.

    Thread Starter vemi2709

    (@vemi2709)

    I seem to have found a solution. I added an authentication filter at line 1403:
    if ($boolRestoreBlog) restore_current_blog();
    add_filter('authenticate', 'wp_authenticate_username_password', 20, 3);
    return $userData;
    At least now everything seems to work OK, also when ‘Automatically Register Authenticated Users?’ is set to Yes.
    I hope there are no security flaws I have made by doing this? 8) …

  • The topic ‘Wordfence brute force protection problem’ is closed to new replies.