Locked out of site when Defender is active

Hi, when Defender is active I get "The administrator has blocked your IP from accessing this website."

The IP has been added to Wordfence whitelist and Defender whitelist but it's presenting the same issue, which only disappears when Defender is deactivated.

After plugin conflict got the same message.

Access details provided in internal ticket.

Thanks in advance.

  • Adam Czajczyk
    • Support Gorilla

    Hi T. Webb

    I hope you're well today and thank you for your question!

    I checked the site and noticed that there are some issues reported in the debug log related to Defender not being able to properly recognize all the data from the HTTP headers - related to user browser.

    This seems to be somehow affected by the fact that the traffic to the site goes through CloudFlare and while CloudFlare itself would not be an obstacle here (it should be working just fine with Defender) it's quite likely that there's something specific to this setup that might be making it an issue.

    I would like to ask you to test one thing. Could you please temporarily pause CloudFlare (there's a pause option in CF dashboard) so the site would be accessible directly, then clear all caches on site (and server if there are any) and in browser and then re-enable Defender and see if you're still getting locked out?

    In case you were, you can deactivate Defender by renaming the "wp-defender" folder in "/public_html/wp-content/plugins" folder on your server (via CPanel "File Manager" tool) to e.g. "wp-defender.off" and getting back to the wp-admin (even a login form) page (though you might need to clear browser cache meanwhile).

    Regardless of whether it helped or not, let me know about it as it will help us narrow possible causes a bit.

    Kind regards,
    Adam

  • T. Webb
    • Design Lord, Child of Thor

    Hello Adam,

    Right now I can't gain access to my Cloudflare account. I've had to reset my password, and now the site is asking me for my two-factor authentication code which I've never set up. I need to supply Cloudflare with some info which I'll be able to do within an hour to 90 mins. I'll let you know when I've completed your request.

    Thank you, Adam.

    ~Trudye

    • T. Webb
      • Design Lord, Child of Thor

      Hi, Adam (Nithin),

      I'm still unable to gain access to my Cloudflare account (which may take another 4-8 days). I've just found out that my Discovery Page has been deactivated for other people trying to utilize my form. It shows as working functionally for me, but not for others. I'm not sure that this has something to do with Cloudflare, but others are receiving the message, "You must be "logged" onto the account to use this form." Do I need to create a different ticket for this issue?

  • Adam Czajczyk
    • Support Gorilla

    Hello T. Webb

    Thank you for getting back to me and I apologize for the delay. Forum was under maintenance over the weekend so it's now a bit more busy but we're trying to "catch up" as fast as possible. I'm sorry about that.

    As for the form issue. No, it has nothing to do with CloudFlare and it must have been set manually. If you go to Form in back-end and edit that form, you'll find in "Form Settings" tab in "Restrictions" section that it's set to "Require user to be logged in".

    You can disable that option, save settings and the form should become available for everyone.

    Keep me updated about the CloudFlare though, please.

    Best regards,
    Adam

  • T. Webb
    • Design Lord, Child of Thor

    Hi Adam,

    Here's a screenshot of my Setting page for azseophoenix. I don't see a restriction setting to change. I'm going to try switching the No-Conflict button to OFF mode, rather than having it in On mode to see if that makes a difference.

    Thank you! LOL. If you can decipher the error, I'll wait to hear from you.
    ~Trudye

  • T. Webb
    • Design Lord, Child of Thor

    Adam,
    When I looked at the other option of REST API under my FORMS setting it shows that someone has initiated an IMPERSONATE ACCOUNT setting OPTION. I IMAGINE THAT THIS MUST BE WHOEVER IS SIGNING INTO MY ACCOUNT DAILY! (Sorry, I didn't mean to have that last sentence in "all caps" but, I guess it was appropriate after all.)

    ~Trudye

  • Adam Czajczyk
    • Support Gorilla

    Hi T. Webb

    "Here's a screenshot of my Setting page for azseophoenix. I don't see a restriction setting to change."

    You are looking in the wrong place :) It's form settings, not plugin settings. You'd want to go to "Forms -> Forms" page and edit the form in question, then you got "Settings" tab there and the option is in there :) Give it a try again, you will find it there :)

    "When I looked at the other option of REST API under my FORMS setting it shows that someone has initiated an IMPERSONATE ACCOUNT setting OPTION."

    I can say that I didn't change it for sure, I wasn't even aware of such option. But I'm not sure what you mean by "whoever is signing into my account daily" - do you mean that somebody (or somebody from WPMU DEV) is accessing your site daily for all that time?

    Getting back to the initial issue - did you manage to get access to and temporarily disable CloudFlare perhaps?

    Best regards,
    Adam

  • T. Webb
    • Design Lord, Child of Thor

    DONE!
    Good Lord, Adam, I would have sworn that I was in the right place, nevertheless, apparently, I wasn't. Thank you again. Anyhow, I've just communicated with Cloudflare, 30 minutes ago, and I've almost got the issue cleared up so that I'll soon be able to log back into my Cloudflare account. It appears that someone has been using my "admin@azseophoenix.com" ID, and Cloudflare is working on locking them out from my account and creating a two-factor authentication process for me to use.
    I will respond to you again as soon as I can regain access to my Cloudflare account within the next day or two.

    Thank you again for your assistance and patience, Adam.

    Sincerely,
    ~Trudye

  • T. Webb
    • Design Lord, Child of Thor

    Good day, Adam,

    As of yesterday, I have finally gained access back into my website account via Cloudflare.
    Do you still need me to pause Cloudflare temporarily, and clear my cache?
    I believe that whoever had been signing into my account daily was either from my Hosting (Namecheap) or someone from wpmudev (impersonating my host account) which is why I'd been locked out because they were creating a new area within my Dashboard.

    Because I'd seen at least an additional ADMINt user, and SerpedUS user, in my Dashboard section, I deleted them both until I could get a handle on who was signing in daily into my website.
    I can see now that I have a Screenshot Dashboard added to my original Dashboard which I didn't put there.
    Needless to say, but I've had no further issues with access to my account nor have I been locked out while CLOUDFLARE had me in two-factor authorization mode.
    At this point, I have full access back onto my site. I have also gone into Cloudflare and initiated the two-factor mode to make sure that they do not lock me out again.
    Thank you for your assistance. Does this mean that I should close this ticket now?

    ~Trudye

  • Adam Czajczyk
    • Support Gorilla

    Hello T. Webb

    Thanks for getting back to me and I'm sorry for keeping you waiting for my response.

    I'm glad to hear that you got access to the site and CloudFlare back. As for these additional accounts, I admit that's quite strange. I certainly didn't create them myself but I think nobody from here would do that this way.

    We usually use support access tool of WPMU DEV Dashboard plugin to access the site, if it's enabled, and that doesn't create any user account. If we do need direct access via login and password, we ask you to provide those so again - we don't create them.

    There are cases when for testing we do need to create a new account but
    - we usually try to inform you about that or at least we remove these accounts after we're done with testing
    - the username would either be some name but with either an "incsub.biz" e-mail address or with something in e-mail handle that clearly suggests that WPMU DEV staff created it
    - or it would be using a username in style of "wpmutest" or similar

    Those usernames don't look like anything created by any one of us so I'd recommend asking the host too. It's also possible that somebody just got an unauthorized access for some reason but since you removed accounts, regained CloudFlare and got 2FA enabled now, I think that should be fine - though it's better to keep an eye on the site anyway.

    To sum it up, yes - I think the ticket can be considered closed for now but if anything related to what we discussed here happens again, please let me know.

    Best regards,
    Adam
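
An added example, not part of the thread and not WPMU DEV code: one way to "keep an eye on the site" is to review the administrator list regularly and sort each login by the naming hints given in the reply above. The sample JSON, the `site_owner` login, the `KNOWN_ADMINS` allowlist and the function names are assumptions constructed for illustration.

```python
import json

# Constructed sample (not from the thread's site) of the JSON printed by:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=json
SAMPLE_WP_USER_LIST = """[
  {"ID": 1, "user_login": "site_owner", "user_email": "owner@example.com",
   "user_registered": "2016-03-02 10:11:12"},
  {"ID": 8, "user_login": "SerpedUS", "user_email": "s2@example.net",
   "user_registered": "2019-05-21 03:20:00"},
  {"ID": 7, "user_login": "ADMINt", "user_email": "a1@example.net",
   "user_registered": "2019-05-20 03:14:15"},
  {"ID": 9, "user_login": "wpmutest", "user_email": "tester@incsub.biz",
   "user_registered": "2019-05-22 09:00:00"}
]"""

KNOWN_ADMINS = {"site_owner"}  # assumption: logins the owner created

def matches_support_pattern(user):
    """Naming hints from the reply above: 'wpmutest'-style login or incsub.biz e-mail."""
    login = user["user_login"].lower()
    domain = user["user_email"].lower().rpartition("@")[2]
    return login.startswith("wpmutest") or domain == "incsub.biz"

def audit_admins(wp_user_list_json, known_admins):
    """Sort administrator logins into known / support_pattern / unexpected."""
    known = {name.lower() for name in known_admins}
    report = {"known": [], "support_pattern": [], "unexpected": []}
    users = json.loads(wp_user_list_json)
    # Oldest first, so accounts created around the same time sit together.
    for user in sorted(users, key=lambda u: u["user_registered"]):
        if user["user_login"].lower() in known:
            bucket = "known"
        elif matches_support_pattern(user):
            # A hint only: still confirm with support, then remove the account.
            bucket = "support_pattern"
        else:
            bucket = "unexpected"
        report[bucket].append(user["user_login"])
    return report

if __name__ == "__main__":
    for bucket, logins in audit_admins(SAMPLE_WP_USER_LIST, KNOWN_ADMINS).items():
        print(f"{bucket}: {', '.join(logins) or '-'}")
```

Anything in `unexpected` is an administrator nobody has accounted for; the registration dates help line it up with hosting and login logs.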
