That [login] username, again

  • Resolved cjlweb

    (@cjlweb)


    4 years, 10 months ago

    This topic has come up several times but I don’t think I’ve seen a definitive answer, yet.

    I am using the free version of Wordfence. Looking at the Login Attempts report on the Firewall page, I continually see failed attempts of the form:

    [login] 212.114.109.112 25 June 2021 07:52
    [login] 180.250.28.34 25 June 2021 06:53
    [login] 167.99.231.12 25 June 2021 06:34
    [login] 138.68.6.231 25 June 2021 06:16

    The reported user name is, literally, [login]. There are hundreds of these every month, far more than the usual attempts from ‘admin’ and other common usernames, and they seem to come from random IP addresses rather than the same one or an identifiable few.

    What is the significance of the square brackets around the user name? Is this a special notation that Wordfence is using in its report? If so, what is it trying to tell me?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support WFAdam

    (@wfadam)

    4 years, 10 months ago

    Hello @cjlweb and thanks for reaching out to us!

    This is simply the result of poorly written code from the attackers. Typically a bot will insert usernames into the [login] field but if the script isn’t written correctly, in this case, you will just see [login]. This kind of traffic is sadly nothing new to WordPress or any platform.

    You should have nothing to worry about as long as you don’t have an actual [login] on your site.

    Let me know if you have any questions!

    Thread Starter cjlweb

    (@cjlweb)

    4 years, 9 months ago

    Thanks for the explanation, @wfadam. That clears it up (worth a small note in the documentation, perhaps?) Reassuring to see WordFence doing its job.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘That [login] username, again’ is closed to new replies.