Works So Well, I’m Blocked From Using 2FA
This plugin mostly works, but I’ve also had to make my site less secure in order to get it to work properly.
This plugin consistently decides, in the span of one minute, that:
1) I am a human.
2) I am a bot, using a brute force attack.
3) I am a bot administrator.

I’m not comforted by the fact that my IP – actually everything about me – can stay the same, but my status can change from human to dangerous bot to administrator like that. I do not want a bot logging in as an admin.
It’s doing this, no less, for a whitelisted IP. I tried whitelisting a whole range of IPs too, which I’m not really ok with… You can’t even whitelist an IP from this page, you can only block one, which… I just don’t understand that.
Mostly it does this when I try to use a physical U2F key, so I have to use my backup OTP app. I have 2FA enabled via a different plugin, not Wordfence.
Eventually, I had to make firewall rules that I think are less secure just to use 2FA. I’m amused, I guess.
Here’s an example of the progression:
9/29/2018 10:34:08 AM, IP, Browser, and Hostname “Z”: Human
9/29/2018 10:34:08 AM, “Z”: Human accessing 2FA validation
9/29/2018 10:35:37 AM, “Z”: Bot accessing 2FA validation. BLOCK BLOCK BLOCK!! Bruteforce!
Then at the time above – Bot accessing 2FA validation a little differently – let in the administrator. This appears to be the same time that the login works, but there’s no record. There’s just a log of an admin logging out later on.