• Gert

    (@kokkel)


    Hi,

    I’m using the free version of your security plugin. I tried to block login attempts using the username “admin” by adding this username to the option “Immediately block the IP of users who try to sign in as these usernames”. This does not work as I keep on seeing login attempts using the username “admin”.

    Am I misunderstanding the way this option is supposed to work (being blocking the IP) or is something not working as it should?

    Thanx

    • This topic was modified 7 years ago by Gert.
Viewing 10 replies - 1 through 10 (of 10 total)
  • WFGerroald

    (@wfgerald)

    Hey @kokkel,

    Can you please share a screenshot of your Immediately block the IP of users who try to sign in as these usernames settings and of the continued attacks in Live Traffic? Please expand the Details in Live Traffic so you can get a full view of what’s happening.

    Thanks,

    Gerroald

    Thread Starter Gert

    (@kokkel)

    Hi Gerroald,

    As much as I would like to, this forum does not seem to have the option to share screenshots. As far as the Live Traffic goes, the typical message is:

    Istanbul, Turkey attempted a failed login using an invalid username “admin”. https://sitename/wp-login.php
    6/14/2019 8:50:06 PM (40 minutes ago)
    IP: 185.84.180.48 Hostname: bhl-2.bilintel.com
    Human/Bot: Human
    Browser: Firefox version 62.0 running on Linux
    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

    The settings of the “immediate block of IP users” are pretty straightforward too: I entered “admin” in the big block and I hit enter. The “admin” moved to the bottom under the box. I also tried to block “adm”, “administrator”, “login”, “support”.

    Does this help?

    Gert

    • This reply was modified 7 years ago by Gert.
    WFGerroald

    (@wfgerald)

    Hey @kokkel,

    My apologies for the delayed response.

    Can you please check your Brute Force settings to ensure they’re still enabled?

    Thanks,

    Gerroald

    Thread Starter Gert

    (@kokkel)

    Hi Gerroald,

    Thanx for coming back to me.

    Yes, the Enable brute force protection-option is still set to ON.

    Gert

    WFGerroald

    (@wfgerald)

    Hey @kokkel,

    I’m rereading everything to make sure I haven’t missed anything.

    It seems the IP is getting blocked from what you shared. Is it the same IP that keeps trying? This is why I was wanting to take a look at the Live Traffic page.

    If it is the same IP, what do you have Amount of time a user is locked out set to, and does it seem to be respecting that timeframe?

    Thanks,

    Gerroald

    Thread Starter Gert

    (@kokkel)

    Hi Gerroald,

    I get a lot of login attempts from all kinds of different IP addresses. Today seems to be a bit of a bad day with some 40 attempts from 40 different IP addresses in the past 6 hours, but that is the general picture. I guess it is not really a security issue as the user “admin” does not exist. Still, I wonder why the blocking option does not work.

    Thanx,
    Gert

    WFGerroald

    (@wfgerald)

    Hey @kokkel,

    Can you please try using a screenshot service similar to the one below that allows you to share screenshots via links versus uploads? I’d really like to see your settings and screenshots of the Live Traffic entries with their Details expanded.

    https://www.awesomescreenshot.com

    Thanks,

    Gerroald

    Thread Starter Gert

    (@kokkel)

    WFGerroald

    (@wfgerald)

    Hey @kokkel,

    Do you see any blocks for these IPs?

    Even if you immediately block an IP for trying to log in as admin that doesn’t stop them from trying again. The only way to do that would be to drive to their physical location and unplug the cord on the computer the attempt comes from. The point is that they are blocked when they try.

    Please let me know.

    Thanks,

    Gerroald

    Thread Starter Gert

    (@kokkel)

    Hi Gerroald,

    No, the problem is that, although I set the option to block the IP of users who try to sign in as “admin”, WordFence does not seem to block users who try to sign in as “admin”. Or any of the other defined usernames.

    The next time this user would try to log in as “admin” it should be immediately blocked again. Otherwise I completely misunderstand this functionality of WordFence.

    Having said all of that: I removed all of the “invalid” usernames I previously defined and then I reinserted only the “admin” username. Now it seems to work. Buhh.

    I did not try to add additional “invalid” usernames again yet.

    Thanx,
    Gert


The topic ‘blocking failed login using an invalid username not working’ is closed to new replies.
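
An added example, not part of the thread and not Wordfence's code: a toy model of the per-IP immediate block discussed above, replayed over constructed events. It shows why attempts from many different IPs each still appear once as a failed login, while repeats from an already-blocked IP are rejected until the lockout expires. The class name, the 4-hour lockout and the case-insensitive username match are assumptions.

```python
from datetime import datetime, timedelta

BLOCKED_USERNAMES = {"admin"}      # usernames that trigger an immediate block
LOCKOUT = timedelta(hours=4)       # assumed lockout duration (constructed value)


class LoginGate:
    """Toy per-IP blocker: a blocklisted username blocks the source IP at once."""

    def __init__(self, usernames, lockout):
        # Assumption: usernames are compared case-insensitively, whitespace trimmed.
        self.usernames = {u.strip().lower() for u in usernames}
        self.lockout = lockout
        self.blocked_until = {}    # ip -> datetime at which the block expires

    def handle(self, ip, username, now):
        """Return 'blocked', 'attempt+block' or 'attempt' for one login request."""
        expiry = self.blocked_until.get(ip)
        if expiry and now < expiry:
            return "blocked"       # rejected before the login is processed
        if username.strip().lower() in self.usernames:
            self.blocked_until[ip] = now + self.lockout
            return "attempt+block" # the one entry that is logged as a failed login
        return "attempt"


def replay(events, gate):
    """Replay (ip, username, timestamp) tuples and tally the outcomes."""
    tally = {"blocked": 0, "attempt+block": 0, "attempt": 0}
    for ip, user, ts in events:
        tally[gate.handle(ip, user, ts)] += 1
    return tally


def constructed_events():
    """Constructed sample: 40 distinct sources over 6 hours, one of them retrying."""
    t0 = datetime(2019, 6, 14, 14, 0, 0)
    # 203.0.113.0/24 is a documentation range (RFC 5737), not real traffic.
    spread = [(f"203.0.113.{i}", "admin", t0 + timedelta(minutes=9 * i))
              for i in range(1, 41)]
    retry_ip = "203.0.113.1"       # first seen (and blocked) at t0 + 9 minutes
    retries = [(retry_ip, "admin", t0 + timedelta(minutes=m)) for m in (15, 40, 70)]
    late = [(retry_ip, "Admin", t0 + LOCKOUT + timedelta(hours=3))]  # after expiry
    return sorted(spread + retries + late, key=lambda e: e[2])


if __name__ == "__main__":
    print(replay(constructed_events(), LoginGate(BLOCKED_USERNAMES, LOCKOUT)))
```

With 40 distinct sources, the model records 40 first-time failed logins even though every one of those IPs is blocked immediately afterwards; only the repeats from an already-blocked address disappear from the attempt count.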