Auto-detect Zapier requests in Jetpack Protect #14078

Open
readtedium opened this issue Nov 19, 2019 · 4 comments
Labels
  • Customer Report: Issues or PRs that were reported via Happiness, aka "Happiness Request" or "User Report"
  • [Feature] Protect: Also known as Brute Force Attack Protection
  • [Type] Enhancement: Changes to an existing feature — removing, adding, or changing parts of it

Comments

@readtedium

readtedium commented Nov 19, 2019

Is your feature request related to a problem? Please describe.

I’ve been running into repeated issues with blocked IP addresses when using Zapier, which is a tool I frequently use to automate tasks like uploading posts and images to our self-hosted site. As explained here, Zapier uses a range of IP addresses every time it launches a new task: https://zapier.com/help/troubleshoot/behavior/cant-access-or-use-zapier-with-other-apps

Describe the solution you'd like

I’d like to see Jetpack Protect auto-detect the use of IP addresses from Zapier, potentially through an upgraded integration.

Describe alternatives you've considered

I’ve looked into blocking IP addresses, but the range it uses is too broad. I could use Cloudflare to block login attempts instead.

Additional context

Here’s a screenshot of the error I receive in Zapier when this error arises:

(Screenshot of the Zapier error, 2019-11-19 17:13:07, not reproduced here)

@kraftbj kraftbj added [Type] Enhancement Changes to an existing feature — removing, adding, or changing parts of it [Feature] Protect Also known as Brute Force Attack Protection labels Nov 20, 2019
@kraftbj
Contributor

kraftbj commented Nov 20, 2019

That's an interesting situation. Zapier, from my memory, uses the XML-RPC interface which needs the raw username and password (versus having a Jetpack/WP.com specific setup that we could use oauth instead).

There is a Core group looking at bringing first-party authentication to the Core's REST API ( https://github.com/wp-api/authentication // https://make.wordpress.org/core/2019/11/19/rest-api-chat-summary-november-14/ ) and I mentioned this particular use case as something that any advancement in Core should be able to handle ( WP-API/authentication#4 ). If Zapier didn't want to support our authentication (understandable), this would be the route I'd expect.

On our side of things, I'm hesitant to whitelist Zapier without deeper thought and consideration, else what would prevent Zapier from being a tool used to brute-force? (They may have mitigations on their end; need to check).

I definitely appreciate the issue and the need for something on someone's side. Thank you for bringing this up.

Internal reference: p7fD6U-1S5-p2
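One way to scope such an exemption so it cannot be used as a brute-force channel, as an added example for this thread and not code from Jetpack, Zapier or any commenter: the exemption applies only to XML-RPC requests (never wp-login.php), only to listed source ranges, and a local per-IP failure cap still applies, so a listed source that keeps failing loses the exemption. The `jpp_allow_login` filter signature, the CIDR ranges, the thresholds and the use of `REMOTE_ADDR` as the client IP are assumptions; `XMLRPC_REQUEST`, `wp_login_failed`, `get_transient` and `set_transient` are WordPress core.

```php
<?php
/**
 * Plugin Name: Scoped XML-RPC exemption for an automation service (added example)
 *
 * Not part of Jetpack or Zapier. Assumptions: Jetpack Protect applies a
 * 'jpp_allow_login' filter with ( bool $allow, string $ip ) before its block
 * check and treats a true return as "let this attempt through"; the server
 * sees the real client address in REMOTE_ADDR (no reverse proxy in front).
 */

// Constructed placeholder ranges, not the service's real egress ranges.
const AUTOMATION_EGRESS_CIDRS   = array( '198.51.100.0/24', '2001:db8:1::/48' );
const AUTOMATION_MAX_FAILURES   = 5;    // failed logins tolerated per IP per window
const AUTOMATION_WINDOW_SECONDS = 3600; // lifetime of the per-IP failure counter

/**
 * True when $ip lies inside $cidr. Handles IPv4 and IPv6; mixed address
 * families, unparsable input and out-of-range prefix lengths never match.
 */
function automation_ip_in_cidr( $ip, $cidr ) {
	if ( false === strpos( $cidr, '/' ) ) {
		return false;
	}
	list( $subnet, $bits ) = explode( '/', $cidr, 2 );
	$ip_bin     = inet_pton( $ip );
	$subnet_bin = inet_pton( $subnet );
	if ( false === $ip_bin || false === $subnet_bin || strlen( $ip_bin ) !== strlen( $subnet_bin ) ) {
		return false;
	}
	$bits = (int) $bits;
	if ( $bits < 0 || $bits > 8 * strlen( $ip_bin ) ) {
		return false;
	}
	$full_bytes = intdiv( $bits, 8 );
	$rem_bits   = $bits % 8;
	// Whole-byte part of the prefix must match exactly.
	if ( substr( $ip_bin, 0, $full_bytes ) !== substr( $subnet_bin, 0, $full_bytes ) ) {
		return false;
	}
	if ( 0 === $rem_bits ) {
		return true;
	}
	// Compare only the leading $rem_bits of the next byte.
	$mask = ( 0xFF << ( 8 - $rem_bits ) ) & 0xFF;
	return ( ord( $ip_bin[ $full_bytes ] ) & $mask ) === ( ord( $subnet_bin[ $full_bytes ] ) & $mask );
}

function automation_ip_is_listed( $ip ) {
	foreach ( AUTOMATION_EGRESS_CIDRS as $cidr ) {
		if ( automation_ip_in_cidr( $ip, $cidr ) ) {
			return true;
		}
	}
	return false;
}

function automation_failure_key( $ip ) {
	return 'automation_login_fail_' . md5( $ip );
}

// Count failed logins per source IP. wp_authenticate() fires wp_login_failed
// for XML-RPC logins as well as wp-login.php, so listed sources are counted too.
add_action( 'wp_login_failed', function () {
	$ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	$key = automation_failure_key( $ip );
	$n   = (int) get_transient( $key );
	set_transient( $key, $n + 1, AUTOMATION_WINDOW_SECONDS );
} );

// Assumed hook (see header). Returning $allow unchanged keeps Protect's normal behaviour.
add_filter( 'jpp_allow_login', function ( $allow, $ip ) {
	// Only XML-RPC is exempted; the automation service does not need wp-login.php.
	if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
		return $allow;
	}
	if ( ! automation_ip_is_listed( $ip ) ) {
		return $allow;
	}
	// A listed source that keeps failing loses the exemption until the window expires.
	$failures = (int) get_transient( automation_failure_key( $ip ) );
	if ( $failures >= AUTOMATION_MAX_FAILURES ) {
		return $allow;
	}
	return true;
}, 10, 2 );
```

Drop the file in `wp-content/mu-plugins/` to load it. The cap is what bounds the risk kraftbj raises: a shared automation platform's egress range is shared by every customer of that platform, so an exemption without a cap lets any account on that platform try credentials without Protect counting them. Note that the counter's `REMOTE_ADDR` and the `$ip` Protect passes to the filter must refer to the same address; behind a reverse proxy both would need to come from the proxy-aware source, or the cap silently keys on the proxy's address.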

@stale stale bot added the [Status] Stale label May 18, 2020
@htdat
Member

htdat commented Oct 21, 2020

Another case with a similar issue 3382171-zen

@matticbot matticbot added the Customer Report Issues or PRs that were reported via Happiness. aka "Happiness Request", or "User Report" label Oct 21, 2020
@stale stale bot removed the [Status] Stale label Oct 21, 2020
@Automattic Automattic deleted a comment from stale bot Oct 22, 2020
@supernovia

A similar request here: 7561565-zd-a8c


Support References

This comment is automatically generated. Please do not edit it.

  • 3382171-zen
  • 7561565-zen


5 participants