• Resolved Ziga Sancin

    (@ziga-sancin)


    Hi,
    our site got an update for the Shield plugin (14.0.1), which broke 2FA email login. We’re hosting the site at WP Engine with Global Edge Security (Cloudflare). After entering and confirming the 2FA code, Cloudflare returns a 520 error at wp-login.php?shield_action=wp_login_2fa_verify. Nothing suspicious can be seen in the server error logs, even turning on debugging doesn’t show anything unusual. There are quite a few Shield rows in the options table (“shield config mod”) and there were some memory exhausted problems in the logs, but not really sure if it’s related to the Shield plugin update.

    Thanks,
    Ziga Sancin

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter Ziga Sancin

    (@ziga-sancin)

    Forgot to mention in the initial topic post: everything worked flawlessly in the staging environment, where Cloudflare isn’t present.

    Plugin Author Paul

    (@paultgoodchild)

    Hi,

    After entering the email 2FA code and hitting the 520 error, have you tried then manually browsing to the admin area? Are you logged in?

    Thread Starter Ziga Sancin

    (@ziga-sancin)

    Hi,
    thanks for your quick reply. Forgot to mention this detail, I’ve checked it manually and I wasn’t logged in. I’ve also retried logging in with 2FA email and got the same error again.

    Plugin Author Paul

    (@paultgoodchild)

    We’ve just released 14.0.2 and it addressed a very strange error with some servers which might explain why CF was returning a 520 error. Can you test it out and see how it goes?

    Thread Starter Ziga Sancin

    (@ziga-sancin)

    No, we’re still seeing the same error (don’t know if it helps, but I’ve cleared all the caches before the test).

    Thread Starter Ziga Sancin

    (@ziga-sancin)

    Just a quick update: we’re seeing the same problem on another similar site, which also runs at WP Engine with Cloudflare enabled and the latest version of Shield, but in a different hosting package / environment.

    Plugin Author Paul

    (@paultgoodchild)

    Do you have access to the PHP error logs? If so, could you reproduce the error and then let us know what is output at that moment in the PHP logs, please?

    There must be an error being generated somewhere.

    Plugin Author Paul

    (@paultgoodchild)

    We have found the cause of this problem.

    WP Engine, in their infinite wisdom, has a “protection” on their server such that if a login form is submitted and it doesn’t contain “wpe-login=true” in the URL, then the request is immediately blocked and killed.

    This is a bit of text that WP Engine “magically” inserts into the WP Login URL when the login request is sent.

    Our 2FA verification requests also use the wp-login.php URL – but of course, we don’t add “wpe-login=true” to the URL. Why would we… it’s completely superfluous. I guess they do it to prevent “bots” that don’t know any better, but it’s very easily circumvented.

    Anyways, we’ll release an update to our plugin to address this in our next release – hopefully tomorrow.
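
A triage script for the behaviour described in the reply above, added as an example and not part of the thread or of the Shield plugin's code: it scans access-log lines for POSTs to wp-login.php that lack `wpe-login=true` and groups them by their remaining query string, so a site admin can see which component sends login-URL requests the host would drop. The log lines are constructed, and treating `wpe-login` as an ordinary query parameter is an assumption.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines, not taken from the thread. Status and size are
# left as "-" because the thread does not show what the origin server logged.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2022:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" - -
203.0.113.7 - - [01/Jan/2022:10:00:09 +0000] "POST /wp-login.php?wpe-login=true HTTP/1.1" - -
203.0.113.7 - - [01/Jan/2022:10:00:31 +0000] "POST /wp-login.php?shield_action=wp_login_2fa_verify HTTP/1.1" - -
198.51.100.4 - - [01/Jan/2022:10:02:12 +0000] "POST /wp-login.php?shield_action=wp_login_2fa_verify&wpe-login=true HTTP/1.1" - -
198.51.100.9 - - [01/Jan/2022:10:03:40 +0000] "POST /wp-login.php HTTP/1.1" - -
198.51.100.9 - - [01/Jan/2022:10:03:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" - -
203.0.113.7 - - [01/Jan/2022:10:05:02 +0000] "POST /wp-login.php?shield_action=wp_login_2fa_verify HTTP/1.1" - -
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def query_of(target):
    """Parse the query string of a request target into a dict of value lists."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def login_posts_missing_marker(log_text):
    """Return (line_no, target) for each POST to wp-login.php lacking wpe-login=true."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != "POST":
            continue
        target = m.group("target")
        if not urlsplit(target).path.endswith("/wp-login.php"):
            continue
        if "true" not in query_of(target).get("wpe-login", []):
            hits.append((line_no, target))
    return hits


def summarize(hits):
    """Count flagged requests by their remaining query string, which names the sender."""
    counts = Counter()
    for _, target in hits:
        rest = sorted((k, v[0]) for k, v in query_of(target).items() if k != "wpe-login")
        counts["&".join(f"{k}={v}" for k, v in rest) or "(no query)"] += 1
    return counts


if __name__ == "__main__":
    for line_no, target in login_posts_missing_marker(SAMPLE_LOG):
        print(f"line {line_no}: {target}")
    print(dict(summarize(login_posts_missing_marker(SAMPLE_LOG))))
```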

    Thread Starter Ziga Sancin

    (@ziga-sancin)

    I can confirm that the just-released version fixes the 2FA email problem. If only I could change the topic title, which implies Cloudflare instead of WP Engine’s Global Edge Security. Thanks!


The topic ‘New 2FA email implementation doesn’t work with Cloudflare’ is closed to new replies.