Wordfence Security
[resolved] Block IPs of all 'admin' logins (42 posts)

  1. multiplicity
    Member
    Posted 1 year ago #

    I've renamed my user account and deleted the original account named 'admin'.

    I'd like Wordfence to permanently block the IP addresses behind all attempted logins as 'admin'. None of the current features will automatically block these, even temporarily.

    There are over a hundred login attempts as 'admin' an hour. Since I know all of them are fake (there is no 'admin') I'd like to auto-block them, and make it permanent.

    Any tips or hacks? If not, Wordfence, you might want to make this a premium feature. Tell me and I'll subscribe.

    http://wordpress.org/extend/plugins/wordfence/

  2. hehafner
    Member
    Posted 1 year ago #

    This would be an awesome feature. This week my sites have been hit heavily with admin login attempts.

  3. CoachMag
    Member
    Posted 1 year ago #

    Mark, I'm adding my vote for multiplicity's suggestion!

    I haven't seen an auto-block on the other security plugins I've tried, and I think it would be an outstanding, time-saving addition to Wordfence. If it's possible to do, pretty-please consider adding it.

  4. Jaifaime
    Member
    Posted 1 year ago #

    Rather amusingly, I came here specifically to ask for this, and it happens someone else has already posted about it. I was sitting there, scanning down the list for the word admin and clicking "block" over and over and over. After about 5 minutes I realized this is something that should only take me one or two clicks. Either a check box next to each entry in the Live Traffic and a bulk action block button (which may be the quick fix solution), or an auto-block of any IP that tries to log in with a definable list of login names. Like Multiplicity has done, I have also removed the "admin" account, and have seen attempts to login as manager, qwerty, sysadmin, aaa, test, support, user, administrator, admin1, and root (that's just from a quick glance at today's list).

    Wordfence is awesome, I absolutely love it, you guys and gals have done a great job with it. Thank you very much.

  5. askwpgirl
    Member
    Posted 1 year ago #

    There is an option in Wordfence to automatically block attempts to login with an unknown user. Wouldn't that take care of the problem?

  6. nickaster
    Member
    Posted 11 months ago #

    Good stuff... I'd love this feature too. The trouble with the blocking of all unknown users is that sometimes people make typos then get erroneously blocked out... having a blacklist like "admin" "editor" "moderator" etc... would be super helpful.

  7. nickaster
    Member
    Posted 11 months ago #

    seems a new tactic is out today.... I'm getting a new IP trying to access "admin" every 2 or 3 seconds... from a completely different country every time. Blocking is no use!

    Blocking "admin" really ought to just be default (until these jokers figure out something else)

  8. billc108
    Member
    Posted 11 months ago #

    I'm putting my vote in for this as well.

    None of the sites I build (60+) ever use an "admin" user. If someone tries it, they should be forever banned.

    I'm also seeing a fair number of "administrator" and "adminadmin" users.

    I've increased the block time to 60 days on those sites which only have a few legal users. Still, I'd rather just see them all go straight to the bit bucket.

  9. maddogmcewan
    Member
    Posted 10 months ago #

    being hit today with admin attempts as well - any ideas?

  10. hehafner
    Member
    Posted 10 months ago #

    Wordfence allows you to immediately lock out invalid usernames. Recently they added the feature "Prevent users registering 'admin' username if it doesn't exist" which I am glad for. However, my block list is heavy... I get hits for admin, adm, administrator, adminadmin, manager, user, ... When a brute force attack comes across my sites, just blocking invalid usernames makes the block list long and cumbersome. I wish I could get the User-Agent function to work... However, for now I block all these invalid user names for 2 days and then release them. If, during those 2 days, I'm constantly attacked by a temporarily blocked IP address, (it shows you how many times a blocked IP attempts to break in whilst blocked) then I block them permanently.

    Typically, if one of my sites is attacked, then the rest will also get attacked because most of my sites are on the same server. So by letting your host know where most of the attacks are coming from allows your host to block out a country either temporarily or on a more permanent basis. This helped me last week when I was attacked by Ukraine, Federation of Russia, Romania, Iran and China.

    Today is a far different list.

  11. Websiteguy
    Member
    Posted 7 months ago #

    I'm putting my vote in for this as well.

  12. Wordfence
    Member
    Plugin Author

    Posted 7 months ago #

    Hi All,

    We already have a feature that lets you "Immediately lock out invalid usernames".

    The idea is that you create a new admin account with a different username, delete the old admin account and if anyone tries to sign-in with admin or any other invalid username they're immediately blocked.

    Please let me know how you'd like this feature changed, if at all and I'll get it taken care of.

    Regards,

    Mark.

  13. Wordfence
    Member
    Plugin Author

    Posted 7 months ago #

    PS: The blocks that are created when you "Immediately lock out invalid usernames" are not permanent, but I don't recommend permanent blocks because most IP addresses on the Net are dynamic so you'll end up blocking a good guy when the baddie gets assigned a different IP.

    Regards,

    Mark.

  14. Websiteguy
    Member
    Posted 7 months ago #

    Thanks Mark

  15. demoman2k10
    Member
    Posted 5 months ago #

    I think I'd also like control of being able to manage the invalid usernames that fence is supposed to be blocking. I'm seeing a LARGE uptick in the amount of ADMIN user names making an attempt to login. I don't believe that the FENCE is stopping them or they would not change their IP and try it again.

    At very least I'd like to see some kind of block being able to get set up and controlled by the administrator to not allow that IP access for x period of time. And it be shown somewhere that this is working with a list of IP's blocked and usernames.

  16. PavelCZ1982
    Member
    Posted 5 months ago #

    I vote for this as well as "Immediately lock out invalid usernames" doesn't work! For instance I don't have admin user and I had few attempts from same IP address as admin user with no lock out.

  17. The Baldy Man
    Member
    Posted 4 months ago #

    We are having the same problem.

    Example: A user with IP address 176.31.126.130 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username 'admin' to try to sign in.
    User IP: 176.31.126.130
    User hostname: ks398566.kimsufi.com

    I notice that these are specifically related to "password recovery" - can we not have a Captcha for password recovery forms? Surely this should eliminate the problem?

    Thanks
    Andrew

  18. nickaster
    Member
    Posted 3 months ago #

    Hi Mark, thanks for working on this.

    The "Immediately lock out invalid usernames" is great. The only problem is that if someone makes a typo they can get accidentally locked out. When I turned this on, it was only a few hours before someone did this.

    It would definitely be great to just be able to specify that "admin" always gets blocked, or that "XYZ always gets blocked".... or at the very least, if you try it multiple times you get blocked or something.... with some kind of warning about it.

  19. Cam
    Member
    Posted 1 month ago #

    Hi Mark,
    I am adding my vote to support blocking specific "admin" login attempts in addition to the two current features of "Immediately lock out invalid usernames" and "Prevent users registering 'admin' username if it doesn't exist".

    The main reason I see the high need for this specific feature is for those of us who are running communities of sites, and who don't want to block legitimate users who cannot spell their own username. This is the only reason why I don't have the current block feature enabled right now. In my mind, if someone legitimate wanted to try the 'admin' username, they deserve to be blocked.

    There are two different ways I could see this being implemented:

    1. Adding a checkbox selection to the list next to the other two features, and/or making it a radio button option for (Immediately block all invalid users / Immediately block admin login attempts / Standard blocking).
    2. Adding a textbox or text area where we could manually type a comma separated list of usernames to block. We could then manually type in 'admin' and any other username we would want to block. You could combine this with the registering restriction feature and say that usernames included in this field will not be allowed to register, and they will be immediately banned if someone tries to login to them if they are not a valid username. (Adding an alert if a valid username exists that is in this banned list would help keep banned and current usernames from overlapping.)

    These are two ideas I see for solving the issue we are suggesting. If I were to pick one of them, I would choose #2 because it seems to be the more powerful and flexible of the two options.

    Please reply with questions and/or other thoughts.

    ~Cam

  20. bluepixeldesign
    Member
    Posted 1 month ago #

    I ditto the previous requests! I installed Word Fence specifically to stop the brute force attacks on my site, and the biggest seems to be attempting to login with the username "admin".

    I have my settings set to "Immediately lock out invalid usernames", and I guess no one is actually getting in, but it was my understanding that each attempt slows down your site. I'd very much like to stop the attempts if I can!

    Is there any way to do that?

  21. joonymobile
    Member
    Posted 1 month ago #

    I have to speak up here and this is the entire reason why I installed Wordfence. A lot of IP addresses attempt to log in our site as "admin" and this really bugs us.

    "Immediately lock out invalid usernames" feature is not sufficient because we run a community website that has more than 3000 members. We don't have to block those who accidentally misspell their username.

    Is there any solution for this? Anyone who attempts to log in as "admin" ip-block?

  22. Storyman
    Member
    Posted 2 weeks ago #

    @joonymobile,

    There is already such a method. Wordfence-->Options-->Login Security Options-->Immediately lock out invalid usernames. Since you've removed the user Admin anyone attempting to use it would immediately be locked out.

    There is the issue of users who have the same "Username" and "Name". Hackers will likely attempt to use those names. You'll need to moderate them so they don't match.

    The issue with immediately locking out login attempts with bad user names means that forgetful users will also be locked out, which is why I'd suggest 3 attempts during a ten minute period before being locked out for an hour. It won't prevent the hackers from returning later, but definitely slows down the bots.

    While you're at it, make certain to tick the options to prevent WordPress from revealing valid user names and the option to prevent anyone from registering "admin" as a user name.

    Hackers are relentless and on my own sites use .htaccess to allow only my IP address access to the login page (be sure to whitelist your own IP on Wordfence's Options page--you probably already did and only mention it for those less familiar with Wordfence). If anyone does this, then they definitely need to adjust the firewall settings to block 404s after something like 10 attempts. Discovered the necessity for this when one knucklehead unleashed a bot to access the login page resulting in 100,000 404 hits for the login page.
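
The policy several posters ask for above, sketched as an added example: a comma-separated list of usernames that trigger an immediate temporary lockout (Cam's option 2, including the overlap alert), alongside three failures in ten minutes followed by a one-hour lock (Storyman's suggestion). This is not Wordfence code and not from any poster; the class, method names, accounts and events are constructed for illustration.

```python
from collections import defaultdict, deque


class LoginPolicy:
    """Hypothetical lockout policy; not Wordfence's implementation."""

    def __init__(self, valid_users, denylist_csv,
                 max_failures=3, window=600, lockout=3600):
        self.valid = {u.lower() for u in valid_users}
        # Comma-separated list of usernames, as proposed in the thread.
        self.deny = {u.strip().lower() for u in denylist_csv.split(",") if u.strip()}
        self.max_failures = max_failures
        self.window = window      # seconds over which failures are counted
        self.lockout = lockout    # seconds; temporary because IPs get reassigned
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the lock expires

    def overlaps(self):
        """Denylisted names that are real accounts; these are never auto-locked."""
        return sorted(self.valid & self.deny)

    def attempt(self, ip, username, password_ok, now):
        if self.locked_until.get(ip, 0) > now:
            return "blocked"
        name = username.strip().lower()
        # Denylisted name with no matching account: lock on the first try.
        if name in self.deny and name not in self.valid:
            self.locked_until[ip] = now + self.lockout
            return "locked:denylist"
        if name in self.valid and password_ok:
            self.failures.pop(ip, None)
            return "ok"
        # Typos and wrong passwords only count toward the sliding window.
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked:threshold"
        return "failed"


# Constructed sample events: (seconds, ip, username, password_ok).
# IPs are from the documentation ranges, not real traffic.
SAMPLE_EVENTS = [
    (0,    "203.0.113.7",  "admin",   False),  # denylisted, no such account
    (5,    "203.0.113.7",  "alice",   False),  # same IP, still locked
    (10,   "198.51.100.4", "alcie",   False),  # legitimate user's typo
    (20,   "198.51.100.4", "alice",   True),   # corrected, gets in
    (30,   "192.0.2.9",    "bob",     False),
    (100,  "192.0.2.9",    "bob",     False),
    (200,  "192.0.2.9",    "bob",     False),  # third failure inside 10 minutes
    (300,  "192.0.2.9",    "bob",     True),   # correct password, but IP is locked
    (3601, "203.0.113.7",  "Admin ",  False),  # first lock expired; matched again
    (4000, "198.51.100.4", "support", True),   # denylisted name that really exists
]


def replay(policy, events):
    """Feed events through the policy and return the decision for each."""
    return [policy.attempt(ip, user, ok, t) for t, ip, user, ok in events]


if __name__ == "__main__":
    policy = LoginPolicy({"alice", "bob", "support"},
                         "admin, administrator, root, support")
    print("denylist entries that are real accounts:", policy.overlaps())
    for event, decision in zip(SAMPLE_EVENTS, replay(policy, SAMPLE_EVENTS)):
        print(event, "->", decision)
```
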

  23. sgpark
    Member
    Posted 2 weeks ago #

    There is already such a method. Wordfence-->Options-->Login Security Options-->Immediately lock out invalid usernames. Since you've removed the user Admin anyone attempting to use it would immediately be locked out.

    As people have already mentioned, this option locks out valid users who mistype their logins. That's an unacceptable hit to usability. Sure, it's not permanent, but it's still a real problem. What if an admin has to make an urgent update and mistypes her username?

    I would also like to request the ability to manually enter a list of usernames that are automatically locked out. This would help with attacks on "admin" and also help with securing sites against disgruntled former users that may have been banned, etc.

  24. Storyman
    Member
    Posted 2 weeks ago #

    What if an admin has to make an urgent update and mistypes her username?

    Haven't you white listed your admin's IP address? If you do you'll notice that it bypasses ALL rules intended to stop hackers.

    As for legit users that can't manage their username/password information and get locked out you have a choice of either making the lockout period something along the lines of what Google uses (unless they've changed it)--three attempts, then a 24 hour lock out. I'd rather be gentler and kinder and after three bites at the apple lock them out for 1-3 hours. You're not an incompetent user's mother and required to clean up after them for every mistake they make. Besides, without some consequence to keeping track of their username/password they will never learn to modify their behavior.

    As for immediately locking out attacks on "admin." That I can get on board for implementing. As for the banned users what if you block their IPs permanently when you ban them? You shouldn't have any trouble finding those IPs if you look at the login list.

    You're going to have to find a balance to address your needs to cater to incompetent users and the need to prevent hackers from attempting to login to your site without making Wordfence bloated--don't know if you've noticed that Wordfence creates as many database tables as a WordPress installation. Not a terrible thing in itself, but it does increase DB calls, which can have an impact on your site's performance.

  25. sgpark
    Member
    Posted 2 weeks ago #

    Haven't you white listed your admin's IP address? If you do you'll notice that it bypasses ALL rules intended to stop hackers.

    Your tone is unnecessarily hostile and shows lack of imagination for different needs.

    Some of my client's content writers travel and write from the road. A lot are not tech savvy, since they are writers and editors and not web developers.

    The fact is, locking out someone for ONE instance of mistyped username, which is what WordFence's current options do, is simply bad design.

    WordFence is a great plugin and I don't hesitate to recommend it, but I'm sure they'd want to know of simple ways to make it easier for users to manage their security. And allowing us to specify usernames that are either automatically denied login or blocked on the IP level would not add much at all--it could be one line in a database + a handful of lines in the code--while it would basically make them an almost perfect security plugin.

    I have found a balance and have written my own code, but the point is to help WordFence know what users want and to explain different aspects of user needs and real-world use to give the WordFence folks the data to decide whether they want to add/update their features. I don't really understand what your problem is with that.

  26. Storyman
    Member
    Posted 2 weeks ago #

    Are you saying that content writers have admin rights? Anyone with admin rights should be aware of any restrictions from typing an incorrect username/password combination.

    The fact is, locking out someone for ONE instance of mistyped username, which is what WordFence's current options do, is simply bad design.

    At the risk of sounding 'hostile' why don't you back off the "one attempt and you're locked out" mentality? Be kinder, gentler and give them at least three attempts to login before locking them out. It is a fair compromise from the all or nothing stance.

    If you examine the Wordfence logs you'll discover that nearly all of the hack login attempts are from bots. At first they use 'admin', but over time they try different user names--most of which are variations of poster's names. To add all the variations of usernames used by hacker bots to a blacklist will be an endless task and one that I'm not convinced worth the time and energy. Rather than being defensive and saying anyone who doesn't agree with you is hostile and lacks imagination think through the consequences of what you are asking for. You'd be surprised at the number of people who started with your assumption and after careful consideration found it unmanageable. I could be wrong and would be swayed by a cogent analysis.

  27. sgpark
    Member
    Posted 2 weeks ago #

    Are you saying that content writers have admin rights? Anyone with admin rights should be aware of any restrictions from typing an incorrect username/password combination.

    No, I'm saying that content writers would be affected exactly the same way as admins--they would be locked out if they mistyped if the WordFence "Immediately lock out invalid usernames" option is checked.

    At the risk of sounding 'hostile' why don't you back off the "one attempt and you're locked out" mentality? Be kinder, gentler and give them at least three attempts to login before locking them out. It is a fair compromise from the all or nothing stance.

    Why? Because this:

    If you examine the Wordfence logs you'll discover that nearly all of the hack login attempts are from bots.

    You've answered your own question.

    And you assume I don't already have a forgiving lock-down setup for bad typists. I do. But there's a reason why WordFence provides both options--to block invalid usernames and to allow only a certain number of bad logins--and there's a reason why WordFence allows them to work simultaneously: because they address different aspects of the problem. We're merely pointing out ways for the "lock out invalid usernames" functionality to be more useful to many people who run WordPress sites.

    At first they use 'admin', but over time they try different user names--most of which are variations of poster's names.

    I've probably managed over 30 WordPress sites in my time and currently manage 8 active ones, all with WordFence installed, and I've never seen this. The ones that get blocked for excessive login tries are always using "admin" or "administrator". Once, someone tried "guest".

    Instead of sounding like a defensive WordFence developer, maybe you should try to understand why the people asking for this functionality want it. That's all I'm saying. Maybe some have already tried all the alternative approaches you think we haven't bothered to consider, yet we still think it would improve WordFence to add the ability to immediately block specific usernames--especially "admin" and "administrator"--instead of a catch-all "lock out invalid usernames".

  28. hehafner
    Member
    Posted 2 weeks ago #

    From my perspective, if there were a way to disable anyone from using the login of 'admin' or 'administrator' when registering, that would be awesome. Or create a couple of different choices. For instance, make a toggle that cuts off admin logins after one attempt but other logins after 3-5 attempts. I have clients on the road all the time. They blog from various locations. If they f-up their login multiple times and are locked out, they call or email me to unlock. I ask them to identify their IP address by using a source like http://whatsmyip.org. I then go in and identify their attempts and unlock them. A one time error like this is a freebie...but if they continue to do it, I charge them my going rate.

    But whether the Wordfence crew decide to do this or not is irrelevant. Yes, this might make some web designer/developers lives easier, but if it comes down to your REAL users forgetting their usernames... my feeling is that if it's a one time thing... BFD!! If it's every time they travel, train them by charging them! They'll learn!

    What I would like to see is a better security experience where a registered user could have more than just "Forgot Password" as an option. What about "Forgot Username"? Anyway, that's probably not a Wordfence problem, but a WordPress consideration.

  29. sgpark
    Member
    Posted 2 weeks ago #

    From my perspective, if there were a way to disable anyone from using the login of 'admin' or 'administrator' when registering, that would be awesome.

    WordFence already does this for "admin". Just check
    "Prevent users registering 'admin' username if it doesn't exist"
    For anything more complicated, you might try https://wordpress.org/plugins/restrict-usernames/

    I have clients on the road all the time. They blog from various locations. If they f-up their login multiple times and are locked out, they call or email me to unlock. I ask them to identify their IP address by using a source like http://whatsmyip.org. I then go in and identify their attempts and unlock them. A one time error like this is a freebie...but if they continue to do it, I charge them my going rate.

    I'm not really interested in trying to find excuses to charge my clients for things like this. Anything that requires me to be "on" all the time is simply not worth the fee that I would be able to charge. My login cutoff is forgiving enough unless they're really drunk or something, in which case, they understand that I can't be on hand to fix things until a reasonable business hour.

    if it comes down to your REAL users forgetting their usernames... my feeling is that if it's a one time thing... BFD!! If it's every time they travel, train them by charging them! They'll learn!

    Once again, what people are talking about here is ways to improve targeting logins you IMMEDIATELY want to lock down. People forgetting their usernames isn't really in the scope of the discussion, and WordFence already provides adequate options for dealing with legit users who are bad typists.

  30. Storyman
    Member
    Posted 2 weeks ago #

    ...and you call me defensive.

    Let's be clear. Like you, I'm an end user and have no association with Wordfence. In the past, I've made suggestions to the Wordfence developers. Some suggestions sounded good when I first suggested them, but later realized it wasn't really practical. Others held up after careful review and were implemented or on the ToDo list.

    The Wordfence developers are smart guys who appreciate the needs of end users and also have a clear understanding on what hackers do and how they do it. When it comes to this point I think they are way smarter about it than either of us. In other words, give the Wordfence developers credit for listening to users' ideas and being able to discern their worthiness. They are not going to respond to any form of bullying.

    Maybe you should consider unticking the option to immediately lockout wrong user names. You won't lose any ground to the hacker bots by giving them three tries to login before locking them out. The length of time for the lockout is something you'll need to play with.

    We're going to have to agree to disagree about hacker bots attempting user names other than "admin", "administer", or "guest". I can't explain why you haven't noticed this behavior, but assure you that it has been observed over a dozen and a half of my own sites and doubt that it happens only on my sites.

    In the end it doesn't matter what either of us think (although, I strongly urge you to give users three attempts to login, but that is just my opinion). The Wordfence developers will take your idea into consideration...or not. All you need for them to seriously consider your idea is a cogent presentation of the benefits to the end user. Just because I don't agree with your viewpoint doesn't mean the Wordfence guys won't embrace your idea(s). If they don't maybe you should take time to reconsider another plugin like Login Lockdown. One thing I do like about this plugin is that it doesn't require the resources that Wordfence does (some have removed Wordfence and its tables and report their site loads much faster--something you can check for yourself.)

Topic Closed

This topic has been closed to new replies.
