I have been getting wordfence alerts for the last 3 days about username ” ” being blocked from logging in. I tried using plugins to rename the login page URL but they didn’t work. Today I upgraded to the just released Wordfence upgrade and the alerts have stopped. I saw that it includes a fix that stops lockout alerts for ” ” username. Does this mean that it was a bug and I can breathe easy?
Your site was being targeted by a Botnet.
We routinely ban (IP rules/htaccess) ALL traffic from almost all the former USSR states, web servers, bad hosts etc…
(I can make the list available – but note that it’s very aggressive so many may find it too restrictive.)
And are always finding more bad sources – often from the WordFence alerts. Basically if someone tries to login with a fake username – that IP gets checked and quite often the host CIDR is banned, permanently.
No, wasn’t a WordFence bug – was just the way WordFence works – hopefully it still works this way (I for one WANT to know when anyone tries to login, even if with a blank username) or I’ll be backdating to an earlier version…
I don’t understand why Wordfence would stop alerting us if there’s a botnet attack? I too want to know about them.
I’d rather not add strict rules to htaccess if I can help it. The last time I did that there were false positives and I had to remove over half the rules.
I don’t think they stopped the alerts, but just fixed the blank usernames so they now reflect the actual attempted username. The ” (blank) entries have stopped on my sites and am back to ‘admin’ and others.
Yes, that’s what I meant. But the blank usernames are legitimate attacks, right? I was only getting those alerts before the fix so now I don’t get any.