• Resolved ELAN42///

    (@nokao)


    Hi !

    This is the description text of that option:
    This option enables all “Brute Force Protection” options, including two-factor authentication, strong password enforcement, and invalid login throttling. You can modify individual options below.

    So basically, as a user, I think that if this is OFF I can’t use the option “strong password enforcement”.
    Am I correct ?

    This is bad because I would like to not use “Lock out after how many login failures” and “Lock out after how many forgot password attempts” but still I would like to use “Enforce strong passwords” and all similar “additional options”.

    A good and easy solution for you to fix this would be to accept “0” as an option in the “Lock out after how many login failures” and “Lock out after how many forgot password attempts” selectbox.

    My target/scenario:
    – I’m using fail2ban to ban invalid logins and users, I don’t want Wordfence to do that.
    – But I love Wordfence “additional options” and “password enforcing”, and I still want to use it.
    – Also I want FAST WordPress, so I would like to avoid Wordfence to track / investigate with reverse DNS the incoming IPs.

    Is that all clear ?

    Please correct me if I’m wrong !

Viewing 5 replies - 1 through 5 (of 5 total)
  • Don’t use Wordfence. Use “Force Strong Passwords” for strong passwords and do the rest of the required things with fail2ban.

    Remember there is a lag in fail2ban but Wordfence never lags.

    Hi

    If you set “Lock out after how many login failures” to 500 and “Count failures over what time period” to 1 day Wordfence is not very likely to block any brute force attempts. So that should do what you are wanting to do here.

    That said, fail2ban uses access logs to build an IP block list, right? Login requests blocked by Wordfence still show up in the server’s access logs. Perhaps I’m missing something here but if so just let me know!

    Thanks!
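
The reply above points out that fail2ban builds its block list from access logs, where login requests still appear even when another layer has already refused them. As an added example (not from the thread, and not fail2ban's or Wordfence's own code), this Python script applies fail2ban-style `maxretry`/`findtime` counting to constructed access-log lines. It assumes the "combined" log format and that a 302 response to a `POST /wp-login.php` means a successful login.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log ("combined" format); none of it comes from the thread.
SAMPLE_LOG = """\
192.0.2.33 - - [10/Mar/2018:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Mar/2018:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2810 "-" "curl/7.58"
203.0.113.7 - - [10/Mar/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.58"
203.0.113.7 - - [10/Mar/2018:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.58"
203.0.113.7 - - [10/Mar/2018:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 503 512 "-" "curl/7.58"
198.51.100.20 - - [10/Mar/2018:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2018:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Mar/2018:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: timestamp of the attempt that reached maxretry within findtime}."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue              # only form submissions count as attempts
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        if m["status"] == "302":  # assumption: redirect means the login succeeded
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # drop attempts older than the window
        if len(window) >= maxretry and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when.isoformat()}")
```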

    Thread Starter ELAN42///

    (@nokao)

    Hi !

    I know about the 500/1day option,
    but I would like to “turn off” this option to speed things up,
    also because I would like to avoid Wordfence to reverse-DNS or lookup-IP to make my websites fast.

    As @jackarray suggested, I want to use Wordfence only for manual scans and password hardening / email when login.
    All the rest, we do with other server-side software, and we want our websites to be fast.

    I suggest you to give the possibility to turn off what you call “firewall” but leaving options inside “firewall page” still usable in next versions.

    Hi @nokao,
    I understand. Thanks for elaborating. I’ve sent on your feature request to the team. Best of luck with your site for now!

    Hi, I am using Wordfence and fail2ban and my site is also very fast. Wordfence takes only 100-300 ms, which is not bad. As your traffic grows, you will need all of Wordfence’s features. Our site has 50k users/day with 0.3 million page views. Without Wordfence and fail2ban, bad bots will take down the site in 1 hour.

    Suppose you want to allow only Google to crawl your site without limits and block other bots or limit their page views/minute. You can achieve this easily with Wordfence.
    Suppose you want to block all requests from certain host names, like: *.amazonaws.com, *.poneytelecom.eu
    You can achieve this easily with Wordfence.

    Have you tested your site speed with and without Wordfence?

    • This reply was modified 6 years, 3 months ago by jackarray.
  • The topic ‘Enable brute force protection – on/off is too strict !’ is closed to new replies.