• Resolved rahra0

    (@rahra0)


    I run a WP network with Wordfence installed since many years. Several users use 2FA.
    Recently I added a new blog. There’s one administrator having 2FA enabled. I added a second new users and whatever I do, as soon as I assign the administrator role, 2FA gets disabled.
    Interestingly, I can add adminstrators from other blogs within the network which use 2FA.

    What is wrong? Why can’t I add this second administorator? How can I debug this?

    Thanks,
    Bernhard

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter rahra0

    (@rahra0)

    I tried several combinations of adding various user with different user names, email addresses and so and could not really find out in which cases it comes to the conclusion that 2FA is “Not Allowed”.

    I had a look at the code and came to the conclusion the there seems to be a bug in the function _user_can_for_blog() which is called by can_activate_2fa() (in modules/login-security/classes/controller/users.php:164). Unfortunately, I cannot debug it completely since I do not fully understand the complex code dependencies.

    I patched the code to hard-coded return true every time, but obviously that’s not a final solution.

    Is there anybody from Wordfence reading here? Or do the have any contact?

    Best regards,
    Bernhard

    Hey @rahra0,

    My apologies for the delayed response here.

    Are you able to test for a plugin conflict on the blog that’s having the issue?

    Are you using any plugins to adjust user roles?

    Thanks,

    Gerroald

    Thread Starter rahra0

    (@rahra0)

    Hi!

    Thanks for your reply.
    Actually this is a WP multisite installation. I manage the users through the “master” site as supposed, without any special plugin.
    On the master site (where the WP network is configured) there is only the “Wordfence Security” plugin and the “Multisite Enhancements” plugin active. I can deactivate the latter and test if this creates any collision.

    Or do you think it could be from a plugin of a user blog? I have a test blog within this installation. I will again try to use it and test it without any other plugins active.

    Best regards,
    Bernhard

    Hey @rahra0,

    Yes, I was wondering if there are any plugins on the blog that’s having the trouble that might be contributing to this.

    Please let me know.

    Thanks,

    Gerroald

    Thread Starter rahra0

    (@rahra0)

    I could figure out, what exactly happens and could solve the issue.

    Again, the setup is a WP multisite installation. I have one superadmin which is only member of the primary blog which I use solely for administration of the network. In this primary blog no plugin is active except the Wordfence plugin and the Multisite Enhancements which are both network activated.

    I created a testblog and several testusers to find out what is happening.
    Actually the short answer is that the “Settings->Enable 2FA for these roles” caused the issue and that this setting is done separately on each blog.
    I did not expect that at first hand because this options menu is only visible to the superadmin and not the regular administrator. And even for the superadmin the menu is a little bit hidden.

    So what to do:
    1.) Add the superadmin as user to the (each) sub-blog of the WP network.
    2.) Login to the sub-blog with the superadmin and navigate to the “Edit my profile” in the right upper corner.
    3.) Scroll down, somewhere in the middle to “Wordfence Login Security” and click “Activate 2FA”.
    4.) On the newly opened options page click the second tab “Settings” (again, which is only visible to the superadmin) and activate the roles for which you want to enable 2FA.
    5.) Save the settings.
    6.) You can remove the superadmin from the blog as a user again.

    I’d like to point out that if a user has the 2FA-permission in any of the blogs he is allow to use 2FA on all blogs even if the role disallows it (if the user has different roles in different blogs). That actually was causing my confusion.

    Best regards,
    Bernhard

    Hey @rahra0,

    Thanks for sharing this. I am sorry it wasn’t intuitive enough and will speak with the Team about it. Either way, I’m happy to hear you were able to track it down and share this information.

    Please let us know if anything else comes up.

    Thanks,

    Gerroald

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Debugging 2FA’ is closed to new replies.