2FA will not allow Zapier Authentication

Hi @susansoaps, thanks for reaching out to us.

We have had issues similar to this in the past where 2FA was an issue for Zapier users, but this was before WordPress introduced their application passwords feature so was restricted when logging in using your regular username and password.

Just to confirm the steps you have already taken to help with my understanding, did you:

1. Use your application password in the password field for your associated account: https://docs.om4.io/woocommerce-zapier/troubleshooting/
2. Identify any blocked Zapier API requests in Wordfence > Live Traffic? Logging mode may need to be set to ALL TRAFFIC here. If you try see them, you can click the “ADD PARAM TO FIREWALL ALLOWLIST” button to easily allow the endpoint without manual input (https://docs.om4.io/woocommerce-zapier/plugin-compatibility/#security-plugins)

Let me know how you get on!

Thanks,

Peter.

Thanks for your response.

To clarify:

1. Yes, I did use the application password in the password field when trying to set up my zap.

2. I do see the times I tried to authenticate in my Live Traffic. It is giving me a response code of 200 but I don’t see the “ADD PARAM TO FIREWALL ALLOWLIST” button that you mention.

Regards,

Susan

Hi @susansoaps,

My apologies, I should’ve clarified that the Live Traffic entries need to be expanded using the ‘eye’ icon to get the additional buttons. I’m running Wordfence free on my site so shouldn’t have any features that are unavailable to you.

Thanks,

Peter.

Hi Peter,

Thanks for your reply and no apologies needed as I did expand but still no “ADD PARAM TO FIREWALL ALLOWLIST” button. I just have the “Block IP”, “WHOIS” and “See Recent Traffic” buttons.

FYI — It shows as a failed login, not a Firewall Block.
Ashburn, Virginia, United States attempted a failed login

It has my username correct and I am using the Application Password as noted. I even revoked the original Application Password and created a new one to make sure all was good. I have tried it with and without the spaces in the password.

I took a screen shot to show but don’t see a way to add an attachment.

I must be missing something somewhere.

I hope you can help me figure this out.

Susan

I am having the exact same issue and can’t seem to solve it.
I also am having the login issue and not a firewall issue.
There is no button for “ADD PARAM TO FIREWALL ALLOWLIST”

Zapier/ WooCommerce suggest to whitelist the api endpoints.
I just don’t know how to add them under Allowlisted URLs.

Note: That whitelisting the IP won’t work as the IPs will change and vary since Zapier is hosted on AWS and use different servers/ IPs can easily change in the future.

Link for API Endpoints:
https://docs.om4.io/woocommerce-zapier/developer-documentation/#api-endpoints

You can also find some info helpful here:
https://docs.om4.io/woocommerce-zapier/troubleshooting/

However, it does not solve this issue. We need to know how to whitelist the urls or this request to get passed the Brute Force Protection..

I am using an app password too. I attempted with another account without 2FA, with the account password and also with an app password – no luck.

Note: I disabled Wordfence and tested Zapier to WooCommerce and it works. So the issue here is Wordfence blocking the connection.

Screenshot:
https://paste.pics/0c4514b7810969ea95f544ce8f3bac83

• This reply was modified 3 years, 4 months ago by Ty. Reason: grammmmmmmr

Hello again Peter or someone from Wordfence,

I am sure there must be some fix for this as there are too many people using the combination of Wordfence, WooCommerce and Zapier for there not to be. Obviously, I am not the only one experiencing problbems as @tyranthacker has been experiencing the same issue.

His experience is that it doesn’t even work with 2FA disabled but does work with Wordfence disabled.

Can you please suggest a way forward so that we can continue to use your plugin in conjunction with Woocommerce and Zapier?

Thanks!

Susan

Hi @susansoaps,

I am currently working with our development team to find a solution to allowing the API to access your site as it’s being picked up as attempted login traffic rather than an allowable firewall rule. I wouldn’t normally report back until I had something, but I want you to know I’m expecting something to report back to you ASAP.

I’ll update this ticket when I have further information.

Thanks,

Peter.

Hi @susansoaps,

Our developers have done some digging and it’s a third-party developer that creates this plugin to support through WooCommerce. WooCommerce support sent our email detailing the issues you’re having to the developer. They sent some details about the auth method and a copy of the plugin so that we can work with them to improve the compatibility.

We should be able to work it out with them, but I can’t comment on the forums about a precise delivery date as code will need to be approved and tested between our team and theirs.

Thanks again,

Peter.

Peter thanks for the help, will be on standby for the update! Understood!

I too have struggled for days to make Wordfence allow Zapier to access. It’s only trying to check for new blog posts!! I have uninstalled WF until this is resolved. Am currently having better luck with Cerber.

Hi everyone,

We are the WooCommerce Zapier developers, and we are continuing to work with Wordfence to come up with a solution that allows Wordfence and WC Zapier users to use Wordfence’s 2FA with WooCommerce Zapier.

In the interim, the simplest workaround is to:

1. Go to https://yourdomain.com/wp-admin/users.php, and create a new administrator account that will only be used to authenticate WooCommerce Zapier. Set it up with a very very strong complex password. Don’t enable 2FA for that account.
2. Log in as that user via https://yourdomain.com/wp-login.php, then go to https://yourdomain.com/wp-admin/profile.php and add a new application password for that account.
3. Go to https://zapier.com/app/connections/woocommerce and add a new connection, and authenticate WooCommerce Zapier using the username you used in step 1, plus the application password you used in step 2.
4. WooCommerce Zapier should then be authenticated using that dedicated user account. You can continue logging into your site using your login plus 2FA authentication.

Thank you for your continued patience,

James
OM4 Software

Hi James,

This doesn’t work. According to the logs, ‘some’ AWS connections log in as an authorised local user, and some AWS connections try to access info as something else, when those ones are blocked, the Zaps fail:-

/wp-json/wp/v2/posts?per_page=100&status=publish
GETREST API HTTP 403 Forbidden171 ms Details

184.73.141.81
ec2-184-73-141-81.compute-1.amazonaws.com	Unknown	
User Agent

Zapier

James Collins,

I have outlined that creating an account without 2FA does not work. What does work is disabling Wordfence or not using Zapier.

Thanks @jamescollins for the information and helping out.

I don’t mean to inadvertently draft you in for support but I was wondering if you had any further ideas on the cases above where the interim steps may not have had the desired effect?

Thanks,

Peter.