Are you having conflicts with Wordfence and modsecurity running together. If not, it shouldn’t hurt to have them both running.
Chiming in here … my client is running a site that is only accessible by users logging in to their WordPress accounts. Both WordFence and mod_security are running. This morning users saw this message for about 30 minutes:
“WordPress Login Temporarily Disabled
“We apologize for the inconvenience! You are seeing this message because your site has recently been targeted by attackers attempting to gain access to your WordPress Dashboard. In order to protect your site your WordPress Login page has been temporarily disabled.
“Unfortunately, you will be unable to login to the Dashboard until the block expires.”
I’d prefer to depend on WordFence for protecting against brute force logins, rather than mod_security, so that users aren’t locked out this way. (Also, it wouldn’t be practical at this point to obscure the login URL.) Would I be putting the server at greater risk by turning off mod_security?
Thanks for a great plugin!
Wordfence and mod_security both do some things that the other does not, so you may lose some protection by turning off mod_security entirely, though a lot of hosts don’t have it at all.
Your host may be able to help you find and disable just that one mod_security rule for your site, if they have mod_security set up in a way that lets you disable single rules.
-Matt R
Splendid. Thanks for the quick reply.
