Wordfence Security
[resolved] Permanent Block when attempted login using "admin" (8 posts)

  1. photaust
    Member
    Posted 3 months ago #

    Hi All,

    I am astounded by the number and frequency of attempted unauthorised logins across all my WP sites with "ADMIN" being submitted as the username.

    Is there a way to automatically and permanently block the IP of all visitors who attempt to log in using "admin"?

    If not, this would be a very handy addition to any future upgrades.

    Cheers,

    Anthony

    https://wordpress.org/plugins/wordfence/

  2. RobinInTexas
    Member
    Posted 3 months ago #

    Simply check off "Immediately lock out invalid usernames" under options. Unless you have "ADMIN" as a user, they only get one attempt before they are blocked for up to 60 days. The important thing is to use strong passwords and use a low number of failed login attempts. I have been getting attempts blocked for the actual (obfuscated) admin user which is something like "hez3%QFJ35".

  3. photaust
    Member
    Posted 3 months ago #

    Hey RobinInTexas,

    Thank you for your message.

    I looked at that option. The only problem is that I run a membership site and often legitimate mistakes are made by members entering their username incorrectly. It would cause even more issues if these guys had their IP permanently blocked when this happens.

    For this reason, it would be great if Wordfence enabled a feature whereby we could nominate the specific common hack usernames such as "admin" to permanently block.

    Cheers,
    Anthony

  4. DavidBrugge
    Member
    Posted 3 months ago #

    Users have been begging for this feature for ages.

    In fact, the long going thread is marked resolved although the problem was never addressed. Mark (Wordfence author) commented early in the thread with the suggestion of blocking everyone that makes an attempt that is not recognized as a user.

    It has been pointed out time and time again that this method penalizes those who make mistakes typing or who momentarily forget their username. This forces users, if they are not the only user, to balance between security and usability. There should be no need for this.

    I have to conclude that for some undisclosed reason, this is difficult to implement (I can't imagine why that would be) or that Mark just doesn't care.

    I also have a personal correspondence with Mark, asking for this feature. He responded that he would look to adding it to a future update. That was many, many updates ago.

    I started out as a huge fan of this product, bought multiple site licenses and talked it up at WP user's group meetings. When I saw how many people were clamoring for this feature, I assumed that it would be just a release away, then another release, then another.

    Now I'm pissed. I am sick and tired of the dozens and dozens of email alerts telling me that user "admin" at such and such IP has been blocked. I routinely scan my alerts for any of my clients having problems accessing their sites. How do I spot an alert with essential information? If I limit the number of alerts, how do I know I won't miss an important one?

    This is such an easy bone to throw, it seems like Mark and company are too wrapped up in their success and in their development to concern themselves with trifling things like customer service.

  5. webby1973
    Member
    Posted 2 months ago #

    I agree with the request. It would be really helpful to have an option to automatically block "admin" and other unwanted names (a field where the real admin can enter a list would be fine), for a given time.

  6. black lion
    Member
    Posted 2 months ago #

    This is what I was looking for too. Now I got it. Thanks, Robin Texas.

  7. Wordfence
    Member
    Plugin Author

    Posted 2 months ago #

    For this reason, it would be great if Wordfence enabled a feature whereby we could nominate the specific common hack usernames such as "admin" to permanently block.

    This will be in the next release. But don't take my word for it. My co-founder Kerry posted this about 20 minutes ago:

    http://wordpress.org/support/topic/large-number-of-failed-logins?replies=3#post-5545076

    @DavidBrugge My humble apologies sir. As an advocate for our product I'd like to assure you that we're not resting on our laurels and are taking note of your feedback. There were some core features and fixes we needed to get into the product before we could get on to other feature requests and these caused a delay in us implementing this feature. I can assure you that it will be in the next release and the timeline for this is that we will be releasing a Beta on approximately Friday this week with the production version coming out the following Sunday or Monday depending on how many issues are reported by our Beta testers.

    I'm a bit nervous about marking this resolved, but I'm going to go ahead and do that and please trust me that this will be in the next release.

    Regards,

    Mark.

  8. Wordfence
    Member
    Plugin Author

    Posted 2 months ago #

    This feature has been implemented and will be released in the Beta release going out tomorrow and into production later this weekend or Monday.

    Regards,

    Mark.
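
As an added example (not Wordfence's code and not written by anyone in the thread), this Python model replays the same failed logins under the two policies discussed above: locking out every invalid username versus blocking only nominated usernames such as "admin". `LoginGuard`, the user list, the nominated list, the failure threshold and the events are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data: real accounts on a hypothetical membership site.
REAL_USERS = {"hez3%QFJ35", "anthony", "jsmith"}
# Usernames the site owner nominates for an immediate block (hypothetical list).
NOMINATED = {"admin", "administrator", "root"}
MAX_FAILURES = 5  # assumed threshold for ordinary failed logins

@dataclass
class LoginGuard:
    real_users: set
    nominated: set = field(default_factory=set)
    lock_all_invalid: bool = False  # models "lock out invalid usernames"
    failures: dict = field(default_factory=dict)
    blocked: dict = field(default_factory=dict)  # ip -> reason

    def __post_init__(self):
        # Bots send "ADMIN", "Admin", "admin": compare case-insensitively.
        self._real = {u.lower() for u in self.real_users}
        # A nominated name that is a real account must not trigger a block.
        self._nominated = {n.lower() for n in self.nominated} - self._real

    def failed_login(self, ip, username):
        if ip in self.blocked:
            return self.blocked[ip]
        name = username.strip().lower()
        if name in self._nominated:
            self.blocked[ip] = "nominated username"
        elif self.lock_all_invalid and name not in self._real:
            self.blocked[ip] = "invalid username"
        else:
            self.failures[ip] = self.failures.get(ip, 0) + 1
            if self.failures[ip] >= MAX_FAILURES:
                self.blocked[ip] = "too many failures"
        return self.blocked.get(ip)

# Constructed failed-login events (IPs from documentation ranges).
EVENTS = [
    ("203.0.113.7", "ADMIN"),     # bot guessing the default account
    ("198.51.100.20", "jsmiht"),  # member mistyping "jsmith"
    ("203.0.113.9", "Admin "),    # same guess, different case and padding
    ("198.51.100.20", "jsmith"),  # right name, wrong password
]

def replay(guard):
    """Feed the constructed events to a guard and return its block table."""
    for ip, user in EVENTS:
        guard.failed_login(ip, user)
    return guard.blocked
```

Replaying with `lock_all_invalid=True` blocks the mistyping member along with the bots; replaying with only the `NOMINATED` list blocks the two "admin" guessers and leaves the member with two ordinary failures.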
