Open readtedium opened 5 years ago
That's an interesting situation. Zapier, from my memory, uses the XML-RPC interface, which needs the raw username and password (versus having a Jetpack/WP.com-specific setup where we could use OAuth instead).
There is a Core group looking at bringing first-party authentication to the Core's REST API (https://github.com/wp-api/authentication // https://make.wordpress.org/core/2019/11/19/rest-api-chat-summary-november-14/) and I mentioned this particular use case as something that any advancement in Core should be able to handle (https://github.com/WP-API/authentication/issues/4). If Zapier didn't want to support our authentication (understandable), this would be the route I'd expect.
On our side of things, I'm hesitant to whitelist Zapier without deeper thought and consideration, else what would prevent Zapier from being a tool used to brute-force? (They may have mitigations on their end; need to check).
I definitely appreciate the issue and the need for something on someone's side. Thank you for bringing this up.
Internal reference: p7fD6U-1S5-p2
Another case with a similar issue 3382171-zen
A similar request here: 7561565-zd-a8c
Is your feature request related to a problem? Please describe.
I’ve been running into repeated issues with blocked IP addresses when using Zapier, which is a tool I frequently use to automate tasks like uploading posts and images to our self-hosted site. As explained here, Zapier uses a range of IP addresses every time it launches a new task: https://zapier.com/help/troubleshoot/behavior/cant-access-or-use-zapier-with-other-apps
Describe the solution you'd like
I’d like to see Jetpack Protect auto-detect the use of IP addresses from Zapier, potentially through an upgraded integration.
Describe alternatives you've considered
I’ve looked into blocking IP addresses, but the range it uses is too broad. I could use Cloudflare to block login attempts instead.
Additional context
Here’s a screenshot of the error I receive in Zapier when this error arises: