
Security Plugin Issues

Security plugins can sometimes interfere with Google OAuth authentication. This guide covers specific issues and solutions for popular security plugins.

General Approach

Troubleshooting Steps

  1. Identify the conflict:

    • Temporarily disable security plugin
    • Test Google sign-in
    • If it works, security plugin is the cause
  2. Find specific feature:

    • Re-enable security plugin
    • Disable features one by one
    • Test after each change
  3. Create exception:

    • Add OneTap endpoints to allowlist
    • Configure firewall exceptions
    • Whitelist specific IPs if needed

Endpoints to Whitelist

/wp-json/onetap/v1/callback
/wp-json/onetap/v1/nonce
/wp-json/onetap/v1/test

Wordfence

Firewall Blocking Callback

Symptom: 403 error after Google consent

Solution:

  1. Go to Wordfence > Firewall
  2. Click Manage Firewall
  3. In Whitelisted URLs, add:
    /wp-json/onetap/v1/callback
  4. Save Changes

Rate Limiting Conflicts

Symptom: Blocked after multiple sign-in attempts

Solution:

  1. Go to Wordfence > All Options
  2. Find Rate Limiting Rules
  3. Either:
    • Whitelist your IP for testing
    • Increase rate limits for REST API

Learning Mode Issues

Symptom: Works then stops after Learning Mode ends

Solution:

  1. After Learning Mode ends, check blocked requests
  2. Wordfence > Firewall > Blocking
  3. Find OneTap-related blocks
  4. Add to whitelist

Two-Factor Authentication

Wordfence 2FA is supported - see 2FA Plugins.


Solid Security (iThemes Security)

404 Detection Blocking

Symptom: IP blocked after testing

Solution:

  1. Go to Security > Configure
  2. Find 404 Detection
  3. Add to exclusion list:
    /wp-json/onetap

Banned Users List

Symptom: Specific IP can't authenticate

Solution:

  1. Go to Security > Configure > Lockouts
  2. Check Banned Users list
  3. Remove your IP if listed
  4. Add to whitelist if needed

File Change Detection Alerts

Symptom: Alerts about OneTap plugin files

Solution:

  1. Go to Security > Configure > File Change
  2. Add to exclusions:
    wp-content/plugins/onetap-login-for-woocommerce/

Network Brute Force

Symptom: Blocked by network-level protection

Solution:

  1. Go to Security > Configure > Network Brute Force
  2. Note: This uses iThemes network data
  3. If wrongly blocked, contact iThemes support

Sucuri Security

WAF Blocking

Symptom: 403 or blocked by Sucuri

Solution (Sucuri Firewall/WAF):

  1. Login to Sucuri dashboard
  2. Go to Firewall > Settings
  3. Add to Allowlist:
    Path: /wp-json/onetap/*
  4. Or contact Sucuri support for assistance

Scanner False Positives

Symptom: Plugin flagged as suspicious

Solution:

  1. OneTap is safe - it's from WordPress.org
  2. In Sucuri, add to known files
  3. Contact Sucuri if persistent

Hardening Issues

Symptom: REST API blocked by hardening

Solution:

  1. Go to Sucuri Security > Hardening
  2. Ensure REST API is not completely disabled
  3. May need to allow specific REST endpoints

All In One WP Security

Firewall Rules

Symptom: Blocked by 6G/7G firewall

Solution:

  1. Go to WP Security > Firewall
  2. Check Basic Firewall Rules
  3. May need to disable temporarily to test
  4. Or add custom rule to allow OneTap paths

User Login Settings

Symptom: Locked out during testing

Solution:

  1. Go to WP Security > User Login
  2. Check Login Lockdown
  3. Whitelist your IP:
    [Your IP address]
  4. Or increase max login attempts

CAPTCHA Conflicts

Symptom: CAPTCHA appears after Google auth

Solution:

  1. Go to WP Security > Brute Force
  2. Find CAPTCHA settings
  3. Consider disabling for REST API endpoints
  4. Or for logged-in users

Shield Security

Bot Detection

Symptom: Blocked as bot

Solution:

  1. Go to Shield > Bot Detection
  2. Find exception settings
  3. Add:
    Path: /wp-json/onetap/*
    Bypass: Yes

Login Guard

Symptom: Extra verification required

Solution:

Shield's Login Guard may trigger during Google sign-in:

  1. Go to Shield > Login Protection
  2. Review settings
  3. May need to adjust for OAuth flows

Defender Pro (WPMU DEV)

Firewall Blocking

Symptom: 403 on callback URL

Solution:

  1. Go to Defender > Firewall > IP Lockout
  2. Click Allowlist
  3. Add allowlist entry:
    Type: URL
    URL: /wp-json/onetap/v1/callback
  4. Save

Login Protection

Symptom: Extra challenges after Google auth

Solution:

  1. Go to Defender > Login Protection
  2. Review Login Lockout settings
  3. Whitelist IP if testing repeatedly

Recommendations Scanner

Symptom: Security recommendations about OneTap

Solution:

  • OneTap follows security best practices
  • Review recommendations individually
  • Most are informational

NinjaFirewall

Strict Policy Blocking

Symptom: Blocked by firewall rules

Solution:

  1. Go to NinjaFirewall > Firewall Policies
  2. Find POST/GET restrictions
  3. Add exception:
    // In NinjaFirewall rules
    $nfw_rules['whitelist'][] = '/wp-json/onetap/';

File Guard

Symptom: Changes blocked by File Guard

Solution:

  1. Temporarily disable File Guard during plugin updates
  2. Re-enable after update completes

BulletProof Security

.htaccess Rules

Symptom: REST API blocked by htaccess

Solution:

  1. Go to BPS Security > htaccess Security
  2. Check for REST API blocks
  3. Add exception for:
    /wp-json/onetap/

Custom Code

Symptom: Custom security code blocking

Solution:

Review any custom .htaccess rules for:

  • API endpoint restrictions
  • POST request blocks
  • Referrer checks

WP Cerber

Traffic Inspector

Symptom: OAuth requests blocked

Solution:

  1. Go to WP Cerber > Traffic Inspector
  2. Add to whitelist:
    /wp-json/onetap/

Anti-spam

Symptom: Registration blocked as spam

Solution:

  1. Go to WP Cerber > Anti-spam
  2. Check user registration settings
  3. May need exception for Google-created users

General Solutions

REST API Whitelist Pattern

For most security plugins, whitelist:

/wp-json/onetap/*

Or specifically:

/wp-json/onetap/v1/callback
/wp-json/onetap/v1/nonce

IP Whitelist (for testing)

If you're locked out:

  1. Find your IP: https://whatismyip.com
  2. Add to security plugin whitelist
  3. Test thoroughly
  4. Consider removing after testing

User Agent Considerations

OneTap doesn't use a custom user agent, but ensure:

  • Google's user agents aren't blocked
  • OAuth callback doesn't get flagged

Temporary Disable Procedure

Safe way to test:

  1. Note current security settings
  2. Disable security plugin
  3. Test OneTap quickly
  4. Re-enable security plugin
  5. Create specific exceptions based on what worked

Debug Checklist

When troubleshooting:

  • Check security plugin logs for blocks
  • Note exact error message
  • Test with security plugin disabled
  • Check REST API is accessible: /wp-json/
  • Verify callback URL: /wp-json/onetap/v1/callback
  • Look for rate limiting triggers
  • Check for IP-based blocks
  • Review firewall rules
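
The endpoint checks in this list can be scripted. The following is an added example, not part of the OneTap documentation: it requests the paths listed on this page with curl and maps each HTTP status to the layer most likely responsible. The site URL argument and the status-to-cause mapping are assumptions for triage only; a plain GET may be rejected by a route that expects POST, which still shows the request reached WordPress.

```shell
#!/bin/sh
# Added example: probe the OneTap REST routes and interpret the HTTP status.
# Usage: sh probe.sh https://example.com   (example.com is a placeholder)

# Paths taken from this page; /wp-json/ checks the REST API as a whole.
ENDPOINTS="/wp-json/ /wp-json/onetap/v1/callback /wp-json/onetap/v1/nonce /wp-json/onetap/v1/test"

# Map an HTTP status code to a triage verdict (heuristic, not authoritative).
classify_status() {
  case "$1" in
    000)     echo "no-response: connection failed or dropped, check IP bans" ;;
    403)     echo "blocked: firewall rule or IP lockout, check plugin logs" ;;
    429)     echo "rate-limited: raise REST limits or allowlist the test IP" ;;
    401)     echo "auth-required: REST API restricted by hardening" ;;
    404)     echo "not-found: REST disabled, plugin inactive, or wrong method" ;;
    5??)     echo "server-error: check the WordPress debug log" ;;
    3??)     echo "redirect: inspect Location, may be a challenge page" ;;
    2??|400|405) echo "reached-wordpress: request passed the security layer" ;;
    *)       echo "unknown: inspect response body and plugin logs" ;;
  esac
}

# Print "<status> <path> <verdict>" for each endpoint on the given site.
probe_site() {
  site="${1%/}"
  for path in $ENDPOINTS; do
    # curl prints 000 when no HTTP response was received at all.
    code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "$site$path") || code=000
    printf '%s %s %s\n' "$code" "$path" "$(classify_status "$code")"
  done
}

# Only touch the network when a site URL is supplied.
if [ -n "${1:-}" ]; then
  probe_site "$1"
fi
```

Run it once with the security plugin enabled and once with it disabled; a path whose verdict changes between the two runs is the one that needs an exception.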

Getting Help

Information to Gather

  1. Security plugin name and version
  2. Exact error message
  3. Security plugin logs/events
  4. Whether it works with plugin disabled
  5. WordPress debug log entries

Who to Contact

  • OneTap Support: For plugin-specific issues
  • Security Plugin Support: For their specific configuration
  • Hosting Provider: If the block comes from server-level security
