How to disable firewall but keep brute force protection?

  • Resolved adamhideseek

    (@adamhideseek)


    10 months ago

    Disabling the firewall by selecting “disabled” under Web Application Firewall Status does not disable the firewall. Every time I hit the save button, the page refreshes and the firewall is back in Learning Mode with the “automatically enable on” option selected. I have Brute Force Protection enabled so that we can use the “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps” options, is that causing the conflict? Is there any way to disable the firewall while retaining the author/oEmbed API/REST API/Sitemaps block? I don’t want the firewall enabled in order to avoid conflict with our Akamai WAF, but we absolutely need to block user enumeration and access to /wp-json/wp/v2/users/. Please advise. If brute force protection can only work when the Firewall is enabled, there needs to be some obvious indication; otherwise it is confusing why the plugin allows us to change brute force settings even after firewall is disabled. Thank you!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfmark

    (@wfmark)

    Hi @adamhideseek, thank you for reaching out.

    If you are having technical problems and you cannot set the “Web Application Firewall Status” to “Disabled”, you can instead set a constant. If you have the “Protection Level” set to “Basic WordPress Protection”, you can add this code to your WordPress “wp-config.php” file, just below the line about “WP_DEBUG”. If you have the “Protection Level” set to “Extended Protection”, the code should be added to the “wordfence-waf.php” file, before the line that begins with “if”:

    define('WFWAF_ENABLED', false);

    Thanks,

    Mark.

    Thread Starter adamhideseek

    (@adamhideseek)

    Hi Mark, thank you for responding! Will this also disable Brute Force Protection? We need the option enabled for “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps”, but don’t want the rest of the Firewall.

    Thanks,

    Adam

    Plugin Support wfmark

    (@wfmark)

    Hi @adamhideseek,

    Brute force protection will remain active but other firewall features will be disabled.

    Let me know if you have any other questions.

    Thanks,

    Mark.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘How to disable firewall but keep brute force protection?’ is closed to new replies.