Problem w/ 2-factor authentication
-
Hi,
from time to time the emails to complete the login process are delivered with much delay, up to several hours actually. I’ve just checked if the mail addresses I use for two websites work properly (they do), but can’t access the sites while waiting for the notification mails with the links.
1) What could be the reason for this delay?
2) Is there a possibility to deactivate the 2 factor authentication via ftp in case immediate access is needed?
Thanks
Max
-
Hi Max,
The deliverability of the emails is really down to your web host.
To better handle emails for your websites, have a read here:
https://www.icontrolwp.com/blog/trouble-free-email-solution-wordpress-mandrillapp/
Take note of the notice at the start of the post where we’ve moved to Mailgun, but the principle is still the same.
If you still have issues, see here:
https://icontrolwp.freshdesk.com/support/solutions/articles/3000000959-i-m-locked-out-of-my-own-site-
Cheers
Hi Paul,
it turned out my server has required an existing mail address for a few days now. As soon as I’d registered the mail address in question ([email protected]), e-mails were delivered again.
BUT: The plugin won’t send those mails to the blog admin mail address, but to another address which I’ve previously used. General Plugin Options > Report Emails is empty, the line “If this is empty, it will default to the blog admin email address:” is followed by the correct blog admin email address, but mail reports nevertheless go to the address I’ve used previously.
Server mail settings are ok, any mail sent to [email protected] is delivered correctly to the blog admin mail address.
I’ve the identical settings for another site, and here mail reports are correctly sent to the blog admin email address.
How could I force Shield to behave like that on the other site as well?
Thanks
Max
I’ll need to check what exactly is going on there, but for now, you could just manually populate the blog admin email address in there…
I’d already inserted the blog admin email address in the address field @ General Options Tab, but that didn’t help – Shield keeps sending its reports to the other address, which was in use weeks ago.
Which report/email is this exactly, and where are you inserting the email address? (Just to be sure I’m looking at the right thing)
Shield > Dashboard > General Plugin Options > Report Email: Where to send email reports.
I left this empty first, because I want the plugin to use the blog admin email address. And the line “If this is empty, it will default to the blog admin email address” shows indeed the correct blog admin address.
But emails (Firewall Block Email Alerts, Two-Factor Login Verification) are actually sent to another mail address ([email protected]) which is an address I’ve previously used for this purpose.
When I insert the blog admin email address at the General Plugin Options Tab – nothing changes. Shield is nevertheless using the old address ([email protected]).
Audit Trail Viewer shows that the plugin in fact uses the wrong address and that the mails are not redirected at some other point.
Even stranger: I’ve two sites, both with the same settings regarding Shield and admin address (and it’s the same address for both sites), and one is working perfectly fine while the other isn’t.
Actually, just as the way the plugin has evolved, there is a separate field for the Firewall. Have a look under the Firewall Response section.
I will probably remove the Firewall email option in an upcoming update…
Regarding two-factor authentication, this behaviour is correct – it should only send email to the email address of the user that is currently logging in. If that email corresponds to the same as the website/blog, then it’s a coincidence. But only the email address of the logging-in user will receive the two-factor email. Hope that makes sense.
Thanks!
But under the Firewall response section it reads: “When a visitor is blocked the firewall will send an email to the configured email address” – so where would that email address be configured? I’ve nowhere in the plugin settings configured an email address, because these emails should be sent to the blog administrator.
Regarding two factor authentication: I am the blog administrator, and I’m in fact the only one who is supposed to log in, so these emails *definitely* should go to the blog administrator’s email address!
Okay, digging into the code for the Firewall response, I think there’s an improvement we can make there then. The next release I’ll have it honour the Global plugin email address settings better.
Separately, with respect to 2FA. Imagine the scenario on a website which has >1 user. Where should the email be sent for 2FA? Are you suggesting all emails for 2FA be sent to the blog’s administrator email address?
And by “administrator” email I mean the email address found in Settings > General. If instead you mean that we should send the email to the email address for the actual administrative user, what if you have 2x administrator users on the site? Who do we pick?
No… two factor authentication is there to verify the identity of the user that is attempting to login. Each user on a WordPress site has an email address associated to that user. Therefore, when a given user, be it administrator, editor, subscriber, or whomever, attempts to log into a site, the correct behaviour is to send the 2FA email to the email address of that user – not the blog’s administrative email address.
You’re looking at this from your perspective of a single-user-single-admin website, where, it just so happens, you’re the only person logging in and making use of 2FA by email. If you can suggest how your suggested approach would work for a multi-user site, could you elaborate further?
If you would like the behaviour of sending all 2FA email addresses to the blog admin, then you’ll need to find another plugin for that. This behaviour doesn’t correspond with the underlying purpose of 2FA.
Hope this explains it!
“Each user on a WordPress site has an email address associated to that user. Therefore, when a given user, be it administrator, editor, subscriber, or whomever, attempts to log into a site, the correct behaviour is to send the 2FA email to the email address of that user”
That’s what I meant, and what Shield is *not* doing on one of my sites:
1) I’m the blog administrator.
2) There’s an email address associated to me (= the blog administrator).
3) When I log in, the 2FA mail is not sent to my (= blog administrator’s) address, but to another address, which was in use for a couple of months but was later changed to my (= the blog administrator’s) current address.
I guess this previous address must be stored somewhere and is thus remembered by the plugin. And this is what I want to change, and I would prefer to do so without a re-installation of Shield.
Hope this explains the problem.
And you’ve changed the email address that’s on your profile? Menu ‘Users’ -> ‘Your Profile’
Because for 2FA we don’t store an email… we just take it from the logging-in user profile
Yes, of course I’ve changed it there. Same settings, information and changes on both of my sites. 2FA works perfectly fine on one of them, but not on the other.
Just reviewed the code there to make sure… there is only 1 scenario whereby this 2FA would send email to the blog admin address: if the email address provided is invalid in some way. I use WordPress’ in-built is_email() function for validating emails and if this fails, then it falls back to the blog admin.
Is there anything about your email address that’s funky? If not, could you try typing in your email address and resaving it, just to ensure there are no strange characters in there.
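The fallback described in the reply above (profile address checked with is_email(), blog admin address used when the check fails), as an added example that is not part of the original thread and not Shield's own code. The `example_*` function names are hypothetical, the sample addresses are constructed, and `filter_var()` is used as a stand-in validator when WordPress is not loaded.

```php
<?php
// Added example, not Shield's code; all example_* names are hypothetical.

// Validate with WordPress' is_email() when WordPress is loaded; otherwise use
// PHP's filter_var() as a stand-in so the script also runs on its own.
function example_is_valid_email(string $email): bool {
    if (function_exists('is_email')) {
        return (bool) is_email($email);
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// List "strange characters" that are invisible in a settings form.
function example_odd_bytes(string $email): array {
    $found = [];
    if ($email !== trim($email)) {
        $found[] = 'leading/trailing whitespace';
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $email)) {
        $found[] = 'control character';
    }
    if (preg_match('/[^\x00-\x7F]/', $email)) {
        $found[] = 'non-ASCII bytes (hex of value: ' . bin2hex($email) . ')';
    }
    return $found;
}

// Recipient choice as described in the thread: the logging-in user's profile
// address if it validates, otherwise the blog admin address.
function example_resolve_2fa_recipient(string $profileEmail, string $adminEmail): array {
    $valid = example_is_valid_email($profileEmail);
    return [
        'to'       => $valid ? $profileEmail : $adminEmail,
        'fallback' => !$valid,
        'odd'      => $valid ? [] : example_odd_bytes($profileEmail),
    ];
}

// Constructed sample values; example.com addresses are placeholders.
$admin   = 'admin@example.com';
$samples = ['max@example.com', 'max@example.com ', "max\u{200B}@example.com"];
foreach ($samples as $email) {
    $r    = example_resolve_2fa_recipient($email, $admin);
    $note = $r['fallback'] ? ' [fallback; ' . (implode(', ', $r['odd']) ?: 'no odd bytes found') . ']' : '';
    echo json_encode($email), ' -> ', $r['to'], $note, PHP_EOL;
}
```

Printing each value through `json_encode()` makes invisible characters show up as escapes, which is the quickest way to tell whether a profile address that looks correct in the form is what the validator actually receives.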
Thanks for your efforts, Paul, but that didn’t work either. I uninstalled and reinstalled Shield and now it seems to be working.
ok great, glad you got it sorted.
- The topic ‘Problem w/ 2-factor authentication’ is closed to new replies.