Support » Plugin: WP fail2ban » BLOCK_USER_ENUMERATION results in Forbidden

  • Resolved fuchsws

    (@fuchsws)


    Since recently (maybe a few weeks) the config “WP_FAIL2BAN_BLOCK_USER_ENUMERATION = true” results in authors not being able to edit their posts anymore! They simply get the WP message “Forbidden” and after a few reloads are blocked by fail2ban.

    Disabling WP_FAIL2BAN_BLOCK_USER_ENUMERATION fixes the problem. Can you repeat this issue?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author invisnet

    (@invisnet)

    That’s not really enough information to work out what’s going on (PHP version, WP version, etc), so I’m going to guess: are you using Gutenberg?

    Sorry about the lack of details, here you go: WP 5.2.2, Gutenberg disabled.

    This happens to users with the role “editor” when visiting /wp-admin/edit.php (any post type). They need to be actually authors of something, then they get simply “Forbidden”.

    Disabling WP_FAIL2BAN_BLOCK_USER_ENUMERATION fixes the problem.

    As I am having this on multiple sites I thought it might be a known issue. If not, and you cannot repeat this behaviour, I will debug by disabling all plugins. No worries – just trying to figure out what is going on 🙂

    Plugin Author invisnet

    (@invisnet)

    OK, that’s not something I can reproduce on a plain install; however, I can think of a way it’s causing a problem – I’ll fix that in 4.2.5.

    It would be good to know which plugin is running into this issue so I can add it to my test suite.

    Plugin Author invisnet

    (@invisnet)

    I released 4.2.5 yesterday and I expect it to fix your problem. Could you give it a try and let me know how you get on?

    Thank you – yes, it looks like this fixed the problem!
    My editors can now edit again without the “Forbidden” message. Perfect!

    Mr-Manor

    (@mr-manor)

    Hi, I have just been notified by one of my users that he gets blocked when he tries to publish.
    I have verified that my fail2ban is the newest free version and I have placed fresh copies of wordpress-extra.conf, wordpress-hard.conf and wordpress-soft.conf in /etc/fail2ban/filter.d/ (dated 2 Oct). Lastly, I have reloaded fail2ban.

    Still my user gets banned. Did I forget something?

    ebbe has the role “Editor” and uses Chrome on Windows 10.
    In the log I see:

    2019-11-26T18:46:42+01:00 apasrv wp(vand.ugerloese.dk)[26135]: Accepted password for ebbe from 5.103.202.NNN
    2019-11-26T18:47:38+01:00 apasrv wp(vand.ugerloese.dk)[25309]: Blocked user enumeration attempt from 5.103.202.NNN
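
A triage check for the pattern in the log excerpt above, as an added example that is not part of the thread or the plugin's own code: it flags "Blocked user enumeration attempt" entries from an address that had an "Accepted password" on the same site shortly before, which suggests a legitimate user tripping the rule. The sample log, the 30-minute window and the function name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the syslog shape shown in the thread
# (host, site, user and IP addresses are made up).
SAMPLE_LOG = """\
2019-11-26T18:46:42+01:00 web1 wp(blog.example.com)[26135]: Accepted password for alice from 203.0.113.10
2019-11-26T18:47:38+01:00 web1 wp(blog.example.com)[25309]: Blocked user enumeration attempt from 203.0.113.10
2019-11-26T19:02:11+01:00 web1 wp(blog.example.com)[25400]: Blocked user enumeration attempt from 198.51.100.7
2019-11-26T21:30:00+01:00 web1 wp(blog.example.com)[25411]: Blocked user enumeration attempt from 203.0.113.10
"""

# Matches only the two message types quoted in the thread.
LINE = re.compile(
    r"^(?P<ts>\S+) \S+ wp\((?P<site>[^)]+)\)\[\d+\]: "
    r"(?:Accepted password for (?P<user>\S+)|Blocked user enumeration attempt) "
    r"from (?P<ip>\S+)$"
)

def suspect_false_positives(log_text, window=timedelta(minutes=30)):
    """Return (timestamp, site, ip, user) for enumeration blocks that hit an
    address which logged in successfully on the same site within `window`."""
    last_login = {}  # (site, ip) -> (login time, user)
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # unrelated syslog line
        when = datetime.fromisoformat(m["ts"])
        key = (m["site"], m["ip"])
        if m["user"]:
            last_login[key] = (when, m["user"])
        elif key in last_login and when - last_login[key][0] <= window:
            hits.append((m["ts"], m["site"], m["ip"], last_login[key][1]))
    return hits

if __name__ == "__main__":
    for ts, site, ip, user in suspect_false_positives(SAMPLE_LOG):
        print(f"{ts} {site}: block on {ip} shortly after login by {user}")
```

A hit is a hint to review the rule rather than proof of a false positive, since several clients can share one address behind NAT.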
    