• Resolved xouix

    (@xouix)


    Hi, I am using the Wordfence Plugin and have 2FA enabled. I would like to use the official WordPress App for iOS/iPadOS. After I figured out that there is no way to generate an “application” password, I noticed that I need to insert the 2FA code right after the password. Now I am signed in, but I am unable to see any content (posts, comments, …). The firewall seems to block /xmlrpc.php. How can I make it work and still stay safe?

    thanks, markus

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @xouix, thanks for reaching out to us over this.

    To clarify whether XML-RPC is or isn’t blocked, make sure the “Disable XML-RPC authentication” box in Wordfence > Login Security > Settings isn’t checked. However, manual attempts to access the XML-RPC file itself are commonly tried by attackers, so you may have the following code in your .htaccess file:

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

    If those do not apply or have no effect, let me know and I’ll see whether there is a tried & tested way of ensuring WordPress/Wordfence will not block your site content in the app.

    Thanks,

    Peter.

  • correctline

    (@correctline)

    Welcome,
    I also use Wordfence and have enabled 2FA authentication. So far it has worked well; I was able to log in without any problems. Today, after entering the code, it returns the login window. The same happens with the recovery code. It’s like my username is banned. Unfortunately, I made the mistake of having a single user account, so I can’t log in to my site either. Yes, for cPanel. That, in turn, requires more serious knowledge. Please help someone!
    Regards, Correctline

    Thread Starter xouix

    (@xouix)

    @wfpeter thanks for replying. Unfortunately this does not work. I still get “403 Forbidden” (verified by using the Charles Proxy App on my iPhone) after adding the code to the .htaccess. Without the .htaccess modification (“Disable XML-RPC authentication”) I get a “503 Service Unavailable”.

    @correctline I have had such behavior after I installed the “Real Cookie Banner” plugin, which then (content-)blocks the captcha. If you still have access to your webspace, you can easily deactivate the Wordfence plugin by renaming it. After that you can log in, create a backup user, … After you have made your changes, don’t forget to reactivate your Wordfence plugin by renaming it back to its default name.


    Thanks! Complete success!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @xouix,

    We’ve looked into this issue and our 2FA is still not currently compatible with the WordPress 2FA app. There is already a note before you turn it on to choose the “Skipped” option if you use the WordPress app, the Jetpack plugin, or other services that require XML-RPC, but I wanted to check for you whether this was still the case.

    The problem we see is that there’s no “session” in the way the app uses XML-RPC. The app sends the username and password with every request, so after the first request, the 2FA code is no longer valid. A new code would be needed every 30 seconds, which the app does not support.

    We haven’t seen evidence that the WordPress app plans to switch to using application passwords anytime soon, but if they do, that would most likely rectify the authentication issue.

    Thanks again,

    Peter.
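The failure mode described in the reply above, as an added example that is not part of the original thread and not Wordfence or WordPress code: the standard library builds real `wp.getPosts` XML-RPC request bodies the way a sessionless client does (credentials in every call), and a toy server checks them. The server rules are assumptions made for the demonstration: the password field must be `<password><6-digit TOTP>`, a given code is accepted once per 30-second step, and an application password (a constructed string) is accepted without a TOTP. The user name, password and secret are constructed.

```python
"""Why appending a TOTP code to the password breaks a sessionless XML-RPC client.

Added example (not Wordfence or WordPress code). The client resends the same
credentials on every call, so the one-time code is rejected after the first
request; an application password, which has no one-time component, keeps working.
"""
import hashlib
import hmac
import struct
import xmlrpc.client

STEP = 30          # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the variant common authenticator apps use."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def build_get_posts_request(username: str, password_field: str) -> str:
    """XML-RPC body a WordPress client sends for wp.getPosts(blog_id, user, pass, filter)."""
    return xmlrpc.client.dumps((1, username, password_field, {}), methodname="wp.getPosts")


class ToyTotpXmlRpcServer:
    """Toy server that authenticates every request from scratch (no session).

    Assumed rules for the demo: the password field is <password><TOTP>, each
    (user, time step) code is accepted only once, and any string in
    app_passwords is accepted as an application password without a TOTP.
    """

    def __init__(self, username: str, password: str, totp_secret: bytes, app_passwords=()):
        self.username = username
        self.password = password
        self.secret = totp_secret
        self.app_passwords = set(app_passwords)
        self.consumed = set()          # (user, time step) codes already used

    def _authenticate(self, user: str, password_field: str, now: int) -> bool:
        if user != self.username:
            return False
        if any(hmac.compare_digest(password_field, ap) for ap in self.app_passwords):
            return True                # application password: no one-time component
        if len(password_field) <= DIGITS:
            return False
        pw, code = password_field[:-DIGITS], password_field[-DIGITS:]
        if not hmac.compare_digest(pw, self.password):
            return False
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False               # wrong code, or the 30-second window moved on
        key = (user, now // STEP)
        if key in self.consumed:
            return False               # same code presented again: replay rejected
        self.consumed.add(key)
        return True

    def handle(self, request_xml: str, now: int) -> str:
        """Parse an XML-RPC call and answer 'ok' or 'denied'."""
        params, method = xmlrpc.client.loads(request_xml)
        if method != "wp.getPosts":
            return "denied"
        _blog_id, user, password_field, _filter = params
        return "ok" if self._authenticate(user, password_field, now) else "denied"


def simulate_app_session(server, username, password_field, timestamps):
    """A sessionless app: the identical request body is sent at every timestamp."""
    request = build_get_posts_request(username, password_field)
    return [server.handle(request, t) for t in timestamps]


if __name__ == "__main__":
    secret = b"12345678901234567890"                  # constructed demo secret
    srv = ToyTotpXmlRpcServer("markus", "correct horse", secret,
                              app_passwords={"abcd efgh ijkl mnop"})  # constructed
    t0 = 1_600_000_000
    creds = "correct horse" + totp(secret, t0)       # what the user types into the app
    # login, a fetch one second later, and another after the window has moved
    print(simulate_app_session(srv, "markus", creds, [t0, t0 + 1, t0 + 31]))
    print(simulate_app_session(srv, "markus", "abcd efgh ijkl mnop", [t0, t0 + 1, t0 + 31]))
```

The first simulation yields one `ok` followed by `denied` on every further call: within the same 30-second step the code is a replay, and in the next step it no longer matches. The second simulation succeeds on every call because the application password carries nothing time-bound, which is the reason the reply points to application passwords as the likely fix.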

  • The topic ‘Official WordPress App and Wordfence (2FA)’ is closed to new replies.