• Resolved Lightwing

    (@lightwing)


    I am using Wordfence to block IP addresses for certain URL strings to increase site security. However, when a user is blocked and enters their email address to get an unlock link, the generated unlock link resolves to a 404 page. I can’t figure out if this behavior is caused by the aggressive URL list or the Easy Hide Login plugin.

    Below is the list of URLs. Should I remove some to prevent this behavior?

    /wp-config.php
    /xmlrpc.php
    /.env
    /.git
    /.htaccess
    /server-status
    /ftpconfig
    /hidden/
    /phpinfo.php
    /wp-content/debug.log
    /wp-login.php?user=admin
    /wp-login.php?admin*
    /author=admin
    /admin
    /login
    /wp-admin/install.php
    /wso.php
    /feed
    /wp-admin
    /?author=2
    /?author=1
    /wp-content/plugins
    /author/
    /wp-comments-post.php

    Alternately, if the culprit is the Easy Hide Login plugin (format: website.com/?secretphrase), is there a PHP snippet I could invoke to make the unlock link work again?

    Thanks!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @lightwing, thanks for the detailed message.

    Whilst Easy Hide Login doesn’t appear on our list of known plugin/theme conflicts right now, another with similar functionality does. I would temporarily disable it and test the unlock email again. If it stops 404’ing, you have the cause immediately.

    At the bottom of our documentation page for our brute force login attack prevention options, we have a video explaining why we don’t recommend trying to hide the login page.

    We find that a manual blocking regime is generally not needed, as Wordfence blocks IPs when the paths visited look like malicious intent or are linked to known vulnerabilities. However, if you’ve seen an unreasonable amount of hits trying a URL in quick succession that could slow the performance of your site, it does make sense to try stopping them.

    We also warn in our docs that blocking things under /wp-admin can break needed endpoints like admin-ajax.php so it may also make sense to drop this from your list too, even if it’s not the cause of the issue we’re looking at now. There are some others on there that might be generally ineffective, but try disabling Easy Hide Login and removing /wp-admin from the list first.

    Many thanks,
    Peter.

    Thread Starter Lightwing

    (@lightwing)

    Thanks!

    Plugin Support wfpeter

    (@wfpeter)

    No worries, let us know how you get on as it may assist in future cases.

    Peter.
