• Resolved tanaynandi87

    (@tanaynandi87)


    So I have been using Wordfence for a while now. It usually works just fine, except for these two issues that I have. Once a user is locked out, the lockout message from Wordfence is displayed (in my case, for 4 hours). There is also a send unlock email option. This is where I have an issue.

    1. Whenever I type in any email address, the unlock email never arrives. I get all other mails coming out of Wordfence, just these unlock emails never arrive. I checked my SMTP plugin email logs and it turns out these emails are not even being generated.
    2. The second issue that I have with this is that the text field where one is supposed to type in the email address accepts all kinds of text strings, not just a normal email string. For example, if I enter “acb@gmailcom” or “abcgmail.com” or “abc@@gmail@com” or “12345678”, it still says that the unlock email has been sent. This was red-flagged by my company’s penetration testing team.

    Any help, Wordfence??

    Viewing 2 replies - 1 through 2 (of 2 total)
    • Plugin Support wfmargaret

      (@wfmargaret)

      Hi @tanaynandi87,

      Wordfence sends all emails using the WordPress built-in mail function wp_mail. Double-check that the email being used to request the unlock emails matches what’s saved in the database, and if you’re still having issues getting those to send, please send a diagnostic report to wftest @ wordfence . com. You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

      NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

      I’ve also reached out to our QA team regarding the concerns of your penetration testing team. I’m awaiting further information and will update you with that as I have that available.

      Thanks,
      Margaret

      Plugin Support wfmargaret

      (@wfmargaret)

      Hi @tanaynandi87,

      In regards to the concerns of your penetration testing team, the request received message after submitting an unlock request on the unlock page intentionally displays the same message whether or not the email address exists and whether or not a valid email address is even submitted. This is to make it more difficult for attackers to determine valid email addresses on the site by abusing the unlock page. No emails will actually be sent unless the email belongs to an existing account, though.

      Please let us know if you have any other concerns!

      Thanks,
      Margaret
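
The behaviour described in the reply above (one fixed confirmation for every submission, mail generated only for an address that belongs to an account) can be sketched as follows. This is an added example, not Wordfence's code: the handler name, the account set, the reply text and the address pattern are all assumptions, and the malformed inputs are the ones quoted in the original post.

```python
import re

# Constructed sample data: the only account on this hypothetical site.
ACCOUNTS = {"admin@example.com"}
# Hypothetical wording; the point is that it never varies.
GENERIC_REPLY = "If that address belongs to an account, an unlock email has been sent."
# Deliberately loose syntax check (assumption): one "@", a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Inputs from the original post, plus a well-formed unknown and a known address.
SAMPLES = ["acb@gmailcom", "abcgmail.com", "abc@@gmail@com", "12345678",
           "nobody@example.com", "Admin@Example.com "]


def handle_unlock_request(submitted, accounts, send_mail):
    """Return the same reply for every input; send mail only to known accounts."""
    addr = submitted.strip().lower()
    if EMAIL_RE.match(addr) and addr in accounts:
        send_mail(addr)
    # Malformed input, unknown address and known address all end here,
    # so the response reveals nothing about which addresses exist.
    return GENERIC_REPLY


def audit(inputs, accounts=ACCOUNTS):
    """Run each input through the handler; return the replies and the mail log."""
    outbox = []
    replies = {s: handle_unlock_request(s, accounts, outbox.append) for s in inputs}
    return replies, outbox


if __name__ == "__main__":
    replies, outbox = audit(SAMPLES)
    for text, reply in replies.items():
        print(f"{text!r:24} -> {reply}")
    print("mail generated for:", outbox)
```

A uniform message only hides account existence if response time is uniform too, so a production handler would normally queue the mail rather than send it inline.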

    • The topic ‘Wordfence Lockout Email Issues’ is closed to new replies.