dloprodz

Of course this is not the only measure I’m taking to protect my site, it’s just an extra layer of security.

Changing names of cookies is not the only step I’ve taken to hide my WordPress install, this is just one more step in an ongoing process.

I’ve gotten to a point where there are very few traces left to erase.

Is it possible to change the name of the test cookie?

No, I used [text] as a placeholder for what I renamed the cookies to.

My main purpose is to change this:

Set cookie: wordpress_test_cookie=WP+Cookie+check

with the intention of not disclosing WordPress usage just by requesting my login page to an unauthenticated user

• This reply was modified 5 years, 5 months ago by dloprodz.

No official documentation, found it here:

https://wordpress.stackexchange.com/questions/202009/how-to-change-cookie-name

It;s based on this code:

https://developer.www.ads-software.com/reference/functions/wp_cookie_constants/

Is there an official way to do this?

@wfgerald ,

Have you been able to look any further into this issue? New posts on the same subject keep popping up, perhaps is something we are all not seeing, but could really use some help on this. If there are any further tests we should be running please let us know.

Any update on this? Seen more people with the same issue.

@wfgerald:

Yes! There is a match between Settings > General “Universal Time is …” and Wordfence > Login Security “Server Time: “.

I’ve been saying since the beginning that those two match, and that is precisely the root of the problem. “Server Time” should NOT match UTC time, it should match Settings > General “Your local time is…”.

UTC time is just a reference, you need to apply an offset to it depending on the timezone to match each user’s local time. if you always match “Server time” to “UTC time” 2fa authentication will ONLY work for 1/24th of all people using WordPress, or people living in UTC-0 timezone, it makes no sense at all. Anyone outside of a UTC-0 timezone will NOT be able to use your 2fa until you fix this issue.

To clarify:

Settings > General “Your local time is {correct local time}”
Server cli # date
{correct local date/time}
php.ini > date.timezone = {correct local date/time zone}
Time on my phone, running the 2fa app > {correct local time}

Settings > General “Universal time is {UTC time correctly, but definitely not my local time}

Wordfence > Login Security “Server Time: {UTC time, but definitely not my local time}

I hope that with this explanation you now understand our issues, we all live in different timezones, they will NEVER match UTC. Although we all use UTC as a reference to know our exact local time, you need to apply an offset to UTC depending on the timezone otherwise why even set a timezone at all.

• This reply was modified 5 years, 6 months ago by dloprodz.

Update to version 7.3.2 rolled out earlier but still no fix to the server time issue.

• This reply was modified 5 years, 6 months ago by dloprodz.

After all tests ran and seeing everybody is getting the same issue, I’m now almost certain the problem is in the Wordfence code, it must be requesting the server’s UTC time instead of the server’s actual local time.

Please check that on your side as we have tried everything you have suggested on our side.

Thank you.

The timezone is correct on the php.ini file.

Ran this PHP script and it displays my correct local time:

<?php
echo date('Y-m-d G:i:s');
?>

The timezone is displayed correctly on the WordPress > General Settings tab.

The problem resides only on the Wordfence > Login Security tab.

• This reply was modified 5 years, 6 months ago by dloprodz.

The time displayed IS the correct UTC time, but is not my correct local time. My server is set up with UTC-6 time zone, every other source I have checked on my server displays the correct server time of UTC-6, but the Wordfence > Login Security tab displays my server time as UTC-0.

Server Time should NOT arbitrarily == UTC time.

• This reply was modified 5 years, 6 months ago by dloprodz.

Same issue here.

Checked the server time from the shell, checked the PHP.ini time, general settings on WordPress. All say the correct time except for the 2fa activation screen which displays UTC as my server time.