Using SSL for login and wp-admin breaks Wordfence

  • Resolved Pepz345

    (@pepz345)


    9 years, 5 months ago

    Hello, I have just installed Wordfence and I love it – the file compare and the alerts are great, I am seriously considering upgrading to a paid licence.
    However, I have run into a problem: Getting more security-conscious in recent times, I have set WordPress (4.0) to force SSL logins and SSL backend by adding a line to wp-config.php, as described in the WordPress codex:

    define(‘FORCE_SSL_ADMIN’, true);

    What happens now is that altough Wordfence basically works, all pages created by it are blank (404). This is extremely annoing because it means that the following is not usable:
    – compare changed files
    – view system specs reports by Wordfence
    etc.

    The reason is that Wordfence uses a non-SSL adress for these pages, and the Force SSL constant doesnt allow that for the backend, as far as I know.

    What can be done about this? Secure login via SSL is important for me, and now it seems as if I have to choose: SSL login OR Wordfence, not both.

    https://wordpress.org/plugins/wordfence/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter Pepz345

    (@pepz345)

    9 years, 5 months ago

    Well, what about SSL? Having a security plugin is all nice and well, but if an attacker gets your username and password by listening in on an unencrypted transmission, he can then login as the administrator – and the first thing he might do is to TURN OFF Wordfence and change the password. And thats the end of all Wordfence protection.

    Plugin Author Wordfence Security

    (@mmaunder)

    9 years, 5 months ago

    How do you know Wordfence is causing this problem?

    Do you have Falcon Cache enabled?

    Regards,

    Mark.

    Thread Starter Pepz345

    (@pepz345)

    9 years, 5 months ago

    I found out the problem: the plugin PaidMembershipsPro is the cause (it applies its own logic to force pages to be SSL or not, and in the case of Wordfence reports and some other things PMPro gets it wrong). Only noticed it now.

    The solution is to either switch off the forced SSL within PMPro (you then have to set their register pages etc. to SSL manually) or to switch PMPro over to “Force SSL (use javascript)” – that seems to be compatible with Wordfence.

    WFSupport

    (@wfsupport)

    9 years, 5 months ago

    @pepz Adding this to our documentation at docs.wordfence.com. Thanks for reporting back. You probably helped someone else who might be struggling with the same issues. 🙂

    tim

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Using SSL for login and wp-admin breaks Wordfence’ is closed to new replies.