Heartbeat and Security Plugin / Firewall Conflict Explained: Key Notes on Login Authentication, 2FA

In the WordPress site, theHeartbeat API together with Security plug-ins, firewalls, login authentication mechanisms (including 2FA) Conflicts between them are one of the high causes of background lag, frequent dropouts, editor anomalies, and even failure to save content.

Many webmasters will find that after enabling security plugins or strengthening login verification:

• The backend is frequently asked to re-login
• Elementor / Gutenberg The editor often gets stuck
• Failed autosave or repeated "Connection disconnected" messages
• admin-ajax request blocked or delayed

These problems are not accidental, but Heartbeat's background polling mechanism creates a structural conflict with the security policyThe

I. What does Heartbeat actually do in the background?

The Nature of Heartbeat

Heartbeat is used by WordPress in the backend AJAX Polling MechanismThe main way to do this is through admin-ajax.php Periodically send requests to the server for:

• Maintaining a login session (session)
• Automatically save articles
• Prevent multiple editors from editing at the same time
• Synchronize background status

By default:

• Background Heartbeat frequency:15-60 seconds
• Higher frequency in editor mode

Heartbeat is strongly bound to the "login state".

This is one of the root causes of the conflict:

Heartbeat request = continuous authentication of logged-in users

Every Heartbeat request is, essentially, one:

• Cookie Checksum
• Session validity check
• Confirmation of authority

These behaviors, in turn, happen to highly overlap with the scope of work of security plug-ins, WAFs, and 2FAs.

Second, the security plug-in / firewall is how to "accidentally hurt" Heartbeat?

Core logic of the security plugin

Most WordPress security plugins do the following:

• Limit Login Attempts
• Detecting the frequency of anomalous requests
• validate (a theory) Cookie / Token Legitimacy
• Blocking suspicious behavior in admin-ajax

From a safety standpoint, this makes perfect sense.

But here's the thing:

Heartbeat looks "very much like anomalous traffic" to security plugins.

Common Misjudgment Scenarios

Scenario 1: High-frequency AJAX is determined to be an attack

• Heartbeat every 15 seconds
• Editor + Auto Save Overlay
• admin-ajax request intensive

Results:

• Recognized as an attempt at violence
• Restricted or blocked by firewalls
• The backend began to fail intermittently

Scenario 2: Cookie / Token Polling Triggers Authentication Failure

Some security plugins will:

• Refresh the login token periodically
• Older tokens are simply determined to be invalid

When Heartbeat is still using an old session:

• Return 403 / 401
• Force Logout
• Loss of editor status

III. Typical Conflicts between Heartbeat and 2FA (Secondary Authentication)

The original design of 2FA

2FA (Two-Factor Authentication) is commonly used:

• Secondary authentication at login
• Confirmation of high privilege operation
• Forced revalidation after session expiration

The problem, however, is that many 2FA plugins don't distinguish adequately:

• Login Behavior
• Background Polling Behavior in Logged In State

How does conflict arise?

Common Faulty Logic:

• Heartbeat request triggers "sensitive background behavior" determination
• Security plug-in requires revalidation 2FA
• But Heartbeat can't do interactive authentication

The result:

• Heartbeat Rejected
• Editor loses session
• The page prompts "save failed" or "need to log in again".

Symptoms seen on the surface by the user

• Sudden exit from the background while editing a page
• Cannot save after entering content
• Elementor shows connection errors
• Frequent jumps to the login page

These issues are often mistaken:

• Server instability
• Elementor Bug
• Browser issues

In fact, the root cause is conflicting security policies.

Fourth, why is the front desk completely normal with visitors?

This is a very critical point of judgment.

The reason is simple:

• Heartbeat primarily runs on wp-admin
• Heartbeat is not triggered for frontend users
• Firewalls are usually more lenient on frontend policies

So you'll see:

• Website access speed is normal
• Only the back office is "getting harder and harder to use."

V. Correct settlement principles (very important)

When dealing with Heartbeat conflicts with security plugins, theTwo extremes must be avoided::

❌ Direct shutdown of Heartbeat
❌ Disable security plug-ins completely or 2FA

The correct principle is:

Reducing the probability of conflict rather than sacrificing security

VI. Landable security optimization ideas (without affecting the front office)

Restrictions for backend only Heartbeat

Core idea:

• Do not turn off Heartbeat
• Reduce background frequency
• Only works with wp-admin

This will do:

• Dramatically reduce AJAX requests
• Doesn't affect autosave core functionality
• Reduce the probability of being misjudged by security plug-ins

"Release" in security plugin admin-ajax.php

It is recommended to check the following setting items:

• admin-ajax Whether or not the flow is limited
• Whether it is counted as a login failure
• Involvement in violence prevention rules

best practice::

• Relax admin-ajax restrictions for logged-in users
• Retain strict policies for unlogged-in users

Setting up "Backend Edit Whitelist Logic" for 2FA

If your 2FA plugin supports it:

• Triggered only at login 2FA
• No duplicate validation during editing

Be sure to enable it.

Otherwise:

• Heartbeat never passes secondary authentication
• The backend experience will continue to be unstable

Aggressive Strategies for Reducing "Login State Expiration"

Some security plugins are set by default:

• Forced session expiration for a short period of time
• Background operation will expire after a while

Recommendation:

• Reasonable extension of background session time
• Ensure that editing of long pages is not interrupted

VII. How can I tell if the problem has been solved?

After optimization is complete, you should observe:

• Backend editor is noticeably smooth
• Autosave no longer fails
• No more frequent logouts
• Admin-ajax request in the browser Network panel returns 200 consistently.

If this holds true, Heartbeat and the security mechanism have entered a state of "peaceful coexistence".

VIII. Summarize: the essence is not a Bug, but a strategy conflict

Summarize this type of question in one sentence:

Heartbeat's conflict with security plugins / firewalls / 2FA is not a system bug by nature, it's Structural tension between high-frequency background polling and aggressive security policiesThe

The key to the solution is not "who to shut down", but rather:

• Defining Heartbeat's backend role
• Design a more logical security policy for logged-in users
• Balancing Security and Availability

Contact Us
Can't read the tutorial? Contact us for a free answer! Free help for personal, small business sites!	Customer Service
① Tel: 020-2206-9892
② QQ咨询：1025174874
(iii) E-mail: info@361sale.com
④ Working hours: Monday to Friday, 9:30-18:30, holidays off