• Resolved vaniivan

    (@vaniivan)


    I’m using cron curl to call a URL which is using basic auth to impersonate a service admin user which then picks posts and products from WP_REST_Request::from_url.
    The tricky part is that this call requires user permission, and I provide that using basic auth in the curl request.
    Upon enabling WordFence I lost the basic auth login provided by the JSON Basic Authentication plugin. Is there a way for these two to coexist?

    • This topic was modified 3 years, 6 months ago by vaniivan.
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @vaniivan,

    Are you seeing blocks reported in Live Traffic when this plugin attempts to auth? Usually, expanding these entries by clicking them will either let you add the requests to Wordfence’s allowlist via a button, or at least explain why they’re being blocked – usually a firewall rule or a custom Brute Force/Rate Limiting setting.

    If you’re unable to find a way around it, also try again while Learning Mode is enabled.

    From the Wordfence Dashboard click on Manage WAF. Then you will see Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode. Now perform the actions that were causing issues. This will help Wordfence learn that these actions are normal and it will allow them in the future. After you have finished performing the actions, switch the WAF from Learning Mode back to Enabled and Protecting. Now test to see if these actions work correctly.

    Let me know how that goes,

    Peter.

    Thread Starter vaniivan

    (@vaniivan)

    Hi, thanks for the tips. WordFence in this case reports “attempted a failed login as “username””, even though that same login data (sent as a Basic auth header in both cases) works immediately after disabling the WordFence plugin.

    • This reply was modified 3 years, 6 months ago by vaniivan.
    Thread Starter vaniivan

    (@vaniivan)

    It stems from Recaptcha login protection. When I set the Recaptcha to test mode, the basic auth starts working.


The topic ‘Basic Auth vs. WordFence’ is closed to new replies.