WPIntell

Source evidence

Wordfence brute force protection problem

wpDirAuth · support · 2020-03-27T05:26:00+00:00


Conversation

support
vemi2709 unresolved
Hi, we have a problem with Wordfence brute force protection not blocking failed logins when wpDirAuth is used. The combination worked on one site, on the other it started to work when I changed ‘Enable SSL Connectivity’ to ‘Use TLS’ in wpDirAuth settings. On the third site (most vital site) that did not fix the problem. The problem is exactly the same as here. Could you come up with a quick fix for the problem, otherwise we may be forced to change this otherwise good LDAP plugin to another one. -VeM-

Comments

5 shown
vemi2709 2020-03-27T09:48:00+00:00

One setting can fix the problem (though we cannot use it in our production), I changed the setting ‘Automatically Register Authenticated Users’ from Yes to No. -VeM-

Paul Gilzow 2020-03-27T15:35:00+00:00

Unfortunately, this is a known issue with WordFence. I’ve tried to get them to correct their hook to authenticate but they have yet to update their code.

Paul Gilzow 2020-03-27T16:18:00+00:00

Try this, at line 544, and line 1455 in wpDirAuth.php, change could_not_authenticate (544) and failed_login (1455) to authentication_failed and see if WordFence starts behaving properly.

vemi2709 2020-03-30T04:51:00+00:00

No luck.

vemi2709 2020-03-30T11:34:00+00:00

I seem to have found a solution, I added an authentication filter at line 1403:

    if($boolRestoreBlog) restore_current_blog();
    add_filter('authenticate','wp_authenticate_username_password',20,3);
    return $userData;

At least now everything seems to work ok also when ‘Automatically Register Authenticated Users?’ is set to Yes. I hope there are no security flaws I have made by doing this? 8) …
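
Added example, not code from this thread, wpDirAuth or Wordfence: a small must-use plugin that logs which callbacks sit on the authenticate filter and what each login attempt finally returns. It lets an administrator check whether a failed directory login ends as a WP_Error and fires wp_login_failed. The file location, the authdbg_ names and the log format are assumptions.

```php
<?php
// Added diagnostic, not wpDirAuth or Wordfence code. Hypothetical location:
// wp-content/mu-plugins/authdbg.php. Remove it once the check is done.

// Strip control characters so a crafted username cannot forge log lines.
function authdbg_clean( $value ) {
    return preg_replace( '/[\x00-\x1F\x7F]/', '', (string) $value );
}

// Turn a registered callback into a printable name.
function authdbg_name( $fn ) {
    if ( is_string( $fn ) ) {
        return $fn;
    }
    if ( is_array( $fn ) ) {
        return ( is_object( $fn[0] ) ? get_class( $fn[0] ) : $fn[0] ) . '::' . $fn[1];
    }
    return 'closure';
}

// Runs after every other 'authenticate' callback (assumes nothing else uses
// PHP_INT_MAX) and returns the result unchanged. The password is never logged.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    global $wp_filter;
    foreach ( $wp_filter['authenticate']->callbacks as $priority => $callbacks ) {
        foreach ( $callbacks as $cb ) {
            error_log( sprintf( '[authdbg] prio=%d cb=%s', $priority, authdbg_name( $cb['function'] ) ) );
        }
    }
    if ( is_wp_error( $user ) ) {
        $result = 'WP_Error code=' . $user->get_error_code();
    } elseif ( $user instanceof WP_User ) {
        $result = 'WP_User id=' . $user->ID;
    } else {
        // wp_authenticate() converts a null result to 'authentication_failed'.
        $result = 'null';
    }
    error_log( sprintf( '[authdbg] user=%s result=%s', authdbg_clean( $username ), $result ) );
    return $user;
}, PHP_INT_MAX, 3 );

// Core fires this for a failed attempt; $error is only passed by WordPress 5.4+.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    $code = is_wp_error( $error ) ? $error->get_error_code() : 'n/a';
    error_log( sprintf( '[authdbg] wp_login_failed user=%s code=%s', authdbg_clean( $username ), $code ) );
}, 10, 2 );
```

After one failed login on a test account, the PHP error log shows the callback order, the final result code, and whether wp_login_failed fired.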