• Resolved Lukasz

    (@wpfed)


    I created a new user account and I was able to bypass 2FA even though I have it set as mandatory on first login. I checked the user profile and see ‘User has not logged in yet, 2FA status is unknown’. It doesn’t even prompt for a 2FA code. It’s occurring on multiple sites that are WP 6.0+.

    Still working for existing users (users presented with input to enter code).

    WP 6.0.2
    Web server | nginx/1.19.10
    PHP version | 7.4.23 (Supports 64bit values)
    mysqli 5.7.18-15-57-log
    Chrome browser

    I tried disabling all plugins as well and different themes.

    What could the cause for this be?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Contributor robertabela

    (@robert681)

    Thank you for using our plugin @wpfed

    Just to confirm, did you also configure the policy to enforce 2FA on that user or the user’s role?

    And do you use any custom dashboard, or a different login URL / dashboard URL, or can you reproduce this on a “default / vanilla” WordPress install?

    Looking forward to hearing from you.

    Thread Starter Lukasz

    (@wpfed)

    Hi @robert681

    I have it set up to enforce ‘All users’.

    I don’t have any custom dashboard or login URL either. Waiting for my host to update MySQL as it’s quite out of date (mysqli 5.7.18) and hoping maybe that will fix it.

    Even if I log in with the new account I still see “this user has not logged in yet, 2FA status is unknown”.

    Could it be that I am logging in from the same device with a new account?

    Plugin Contributor robertabela

    (@robert681)

    Hello @wpfed

    We have just tried to replicate this in our test environment but have not managed to so far. It would be interesting to see the exact setup that you have and what exactly is happening.

    Can you please send us the system information file over email at support@wpwhitesecurity.com? This file includes information about your website and our plugin’s setup so we can better understand how it is configured, so please do not share it on this forum.

    You can get the system information file from the System Info tab in the Help & Contact Us section in the plugin.

    Looking forward to hearing from you.

    Thread Starter Lukasz

    (@wpfed)

    Hi @robert681,

    I sent the debug information. I noticed your plugin states MySQL Version: 5.5.30 while WordPress site health shows Server version 5.7.18-15-57-log.

    There is a proxy on my managed hosting server, so it makes it a little confusing to know which DB it’s getting this info from.

    I have my hosting may be to blame for these strange issues.

    I actually found the ticket I created years ago about incorrect mysql version returned https://core.trac.wordpress.org/ticket/47738

    Plugin Contributor robertabela

    (@robert681)

    Hello @wpfed

    As discussed in our ticket, please run this through your web host and let me know once you have an update.

    Thank you again for your cooperation.

  • The topic ‘New users bypassing 2FA’ is closed to new replies.