• Resolved Saurabh

    (@wpsaurabh)


    Installed the free version to test Wordfence, since I want to test certain features before buying, and noticed issues:

    1. I tested brute-force protection for invalid login attempts and set the countdown to 3. So after 3 invalid login attempts the entire website should be blocked for that visitor for the set amount of time. In my testing, it just blocks the login URL and shows the 503 error page; it does not block me, as a visitor, from the entire website, which is what I want when invalid login attempts are made. Other plugins work fine and block the entire website for that user and display a restricted page for the entire block time set. Please tell me how to block the entire website when such conditions are met.
    2. Does your plugin interfere with the LiteSpeed cache plugin? If that plugin is enabled, will it still work, or will it display the cached version of the website, which I don’t want? Mention a way to fix this.
Viewing 4 replies - 1 through 4 (of 4 total)
  • dimal

    (@dimalifragis)

    @wpsaurabh Hi,

    The brute-force protection is for login related pages, so why block the entire site?

    LiteSpeed caching (and any caching) could have issues with Wordfence. LiteSpeed uses mod_rewrite to serve the cached page, so the page is SERVED before the Wordfence firewall (even in optimized/prepend mode), because mod_rewrite has a higher priority in .htaccess.

    A side effect of that is that Rate Limit doesn’t work right or at all. Not sure about other functions …

    Thread Starter Saurabh

    (@wpsaurabh)

    I know what you are trying to say, but after failed login attempts it’s better to lock out the entire website for that visitor. Also, it seems that the lockout error is displayed only on the WordPress login page; it does not work with custom registration plugins (I have tried with the LiteSpeed cache plugin both enabled and disabled). Even if I accept that the brute-force lockout works only on login pages, it is restricted to just WordPress, which is concerning.

    And as far as LiteSpeed cache is concerned, there are security plugins which work without any issue with cache enabled.

    dimal

    (@dimalifragis)

    @wpsaurabh For the security plugins, please try to understand what I wrote.

    PAGE caching and security plugins are a risk. And I wrote why. Better to use object caching, which has shown no issues.

    Plugin Support wfphil

    (@wfphil)

    Hi @wpsaurabh

    The blocking for a brute force login attack applies to the login page only.

    If you are using LiteSpeed page caching then that can prevent our plugin from working fully. If the web server is serving cached static HTML copies of public-facing site pages at times without the need for PHP to be processed, then Wordfence won’t be loaded and cannot carry out certain blocking. Caching should only affect legitimate public-facing page URLs, because there is no malicious activity when an IP address sends requests for legitimate public-facing page URLs. All other Wordfence protection should work for any malicious requests sent to the website, as that would require PHP and Wordfence to be loaded.
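
The request ordering described in the replies above, as an added example that is not part of the thread and is not Wordfence or LiteSpeed code: a small model in which a page-cache hit is answered before PHP starts, so a PHP-level firewall neither counts nor blocks those requests. The class, thresholds, paths and result strings are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed model; every name and threshold here is an assumption.
MAX_FAILED_LOGINS = 3   # lockout threshold the thread starter configured
RATE_LIMIT = 5          # hypothetical per-IP request limit enforced in PHP

@dataclass
class Site:
    page_cache: bool
    cached_paths: set = field(default_factory=lambda: {"/", "/blog/"})
    failed: dict = field(default_factory=dict)       # ip -> failed logins
    seen_by_php: dict = field(default_factory=dict)  # ip -> requests PHP saw

    def handle(self, ip, method, path, login_ok=False):
        # Stage 1: web server rewrite rules. A cache hit is answered here,
        # so PHP (and any firewall loaded through PHP) never runs.
        if self.page_cache and method == "GET" and path in self.cached_paths:
            return "cached"
        # Stage 2: PHP starts; the firewall runs before WordPress itself.
        self.seen_by_php[ip] = self.seen_by_php.get(ip, 0) + 1
        if self.seen_by_php[ip] > RATE_LIMIT:
            return "rate-limited"
        if path == "/wp-login.php":
            # Lockout is scoped to the login page only, as stated in the thread.
            if self.failed.get(ip, 0) >= MAX_FAILED_LOGINS:
                return "locked-out"
            if method == "POST" and not login_ok:
                self.failed[ip] = self.failed.get(ip, 0) + 1
                return "login-failed"
        return "php"

def run(page_cache):
    """Replay the same constructed traffic with and without page caching."""
    site = Site(page_cache=page_cache)
    ip = "203.0.113.7"  # constructed documentation address
    out = [site.handle(ip, "POST", "/wp-login.php") for _ in range(4)]
    out += [site.handle(ip, "GET", "/") for _ in range(4)]
    return out, site.seen_by_php[ip]

if __name__ == "__main__":
    for cache in (True, False):
        print("page cache on" if cache else "page cache off", run(cache))
```

With the cache on, the fourth login attempt is still locked out, but the four public page requests never reach the PHP-side counter; with it off, the same requests are counted and the limit applies.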


The topic ‘Bruteforce protection does not block the entire website for visitors’ is closed to new replies.