Incidentally, in case anyone else has this issue, the secondary 2FA screen can be bypassed by entering the OTP after the password on the main login screen (for example, if your password is Secret123, and your OTP is 123456, you’ll enter your password as: Secret123123456) – this will permit login until Wordfence can review/address this.
Hi @cagsmith,
Can I just ask if you have a caching plugin or caching enabled on your server somewhere, and have you tried to clear them? Does it produce the same issue in a browser different to your default choice, or an incognito/private window where your site has never loaded before? The latter may mean there’s local caching of one of the login pages on your machine.
If not, of course I’ll be glad to help further.
Thanks,
Peter.
Hi there,
There is a caching plugin, but this gets cleared whenever a plugin is updated.
The issue persists when using a new browser/incognito mode.
Additionally, the issue goes away immediately when reverting to a previous version of Wordfence.
Hi Peter,
I think we tracked this down now – the new way that Wordfence 2FA now works appears to conflict with a firewall rule we have in place and was returning a 402 response on wp-login.php for affected users.
I’ve disabled this rule presently – we’ll see how it plays out but this should hopefully now be resolved.
Hi @cagsmith,
Thank you for the update, as we have seen a few cases of customers reporting 2FA breaking with the latest version. This doesn’t happen for all customers as I’m running 2FA personally and hadn’t been affected. We have spent the last few days looking into this to see if there’s a common factor such as a specific plugin across all affected sites that may be causing a conflict.
May I firstly ask which rule was disabled to rectify the issue and whether you’re willing to send us a site diagnostic so we can take a look at the plugins Wordfence is running with? Can you send the diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.
NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email
Many thanks,
Peter.