Support » Plugin: Wordfence Security - Firewall, Malware Scan, and Login Security » WordFence 2FA requires unsafe-inline permission in CSP

  • Resolved kcoriell

    (@kcoriell)


    I see there was a previous post similar to this issue opened two years ago and the latest post to that issue was 11 months ago, but that post has since been closed and it does not seem like the issue has been resolved.

    WordFence 2FA (Two Factor Authentication) requires “unsafe-inline” permission in the “script-src-elem” of a content security policy header for it to work. Seems to open a hole in your defense when trying to tighten up a different hole by turning on 2FA.

    When 'unsafe-inline' is removed from the following section of a CSP: "script-src-elem 'self' 'unsafe-inline';", the 2FA via WordFence stops working and you cannot log into your site. You can enter your username and password, but when you hit "Log In" it just sits there on the same page; therefore you are locked out of your site until you re-add 'unsafe-inline' to that section of your CSP.

Viewing 1 replies (of 1 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @kcoriell,

    Even WordPress itself will malfunction if you remove unsafe-inline from your CSP (Content Security Policy). We do not recommend using a CSP for a WordPress website as it has the potential to break too many things in WordPress, your theme and plugins.

  • The topic ‘WordFence 2FA requires unsafe-inline permission in CSP’ is closed to new replies.
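
To see which directive actually governs inline `<script>` elements in a policy like the one quoted in the first post, and whether it gives them blanket permission, the following is an added example (not code from this thread, Wordfence or WordPress). The function names and sample policies are assumptions constructed for illustration; the logic follows the CSP Level 3 fallback order script-src-elem, script-src, default-src.

```javascript
// Added example (not Wordfence or WordPress code): report whether a CSP header
// gives blanket permission for inline <script> elements.

// Split a policy string into a directive -> source-list map.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive that appears twice is ignored the second time.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

function inlineScriptElements(header) {
  const policy = parseCsp(header);
  // <script> elements are governed by the first directive present in this chain.
  const governing = ['script-src-elem', 'script-src', 'default-src']
    .find((d) => policy.has(d)) || null;
  if (governing === null) {
    return { governing, allowsAllInline: true, reason: 'no directive restricts scripts' };
  }
  const sources = policy.get(governing).map((s) => s.toLowerCase());
  // A nonce, hash or 'strict-dynamic' makes the browser ignore 'unsafe-inline'.
  if (sources.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s))) {
    return { governing, allowsAllInline: false, reason: "'unsafe-inline' ignored: nonce, hash or 'strict-dynamic' present" };
  }
  if (sources.includes("'unsafe-inline'")) {
    return { governing, allowsAllInline: true, reason: "'unsafe-inline' present" };
  }
  return { governing, allowsAllInline: false, reason: "no 'unsafe-inline' in governing directive" };
}

// Constructed sample policies; the first two are the before/after from the post.
const samples = [
  "script-src-elem 'self' 'unsafe-inline';",
  "script-src-elem 'self';",
  "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "script-src 'self' 'unsafe-inline'; script-src-elem 'self'",
  "script-src-elem 'self' 'unsafe-inline' 'nonce-Q09OU1RSVUNURUQ='",
];
for (const h of samples) {
  const r = inlineScriptElements(h);
  console.log(`${r.allowsAllInline ? 'ALLOWS' : 'BLOCKS'} inline via ${r.governing}: ${h} (${r.reason})`);
}
```

The fourth sample shows that a permissive script-src does not help once script-src-elem is present, and the fifth that adding a nonce turns 'unsafe-inline' into a no-op in browsers that support nonces.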