Hi,
I know there are plugins out there that can disable the password reset form. You might want to do a search and see if one fits your needs.
I think you are well protected. First, the attackers are tying to access the reset password page for users that do not exist so there is no password for them to change. Second, WordFence is restricting the attackers by locking them out when they use an invalid name to try and login to the password reset page.
Hope that helps,
-Brian
If you mean that I feel better because they use nonexistent usernames you are dead wrong. That you do not get a warning message for existing users, does not mean there are no attacks. This is a totally “flawed sense of security”.
I doubt I am the only one with this issue and would have preferred if I read “Um, not right now, but we will see if we can add this at some point” over suggesting a different plugin. For me stuff like this is way more essential than adding “cache” functionality. But it is just my 2 cents.
Thanks
Hi,
Sorry for not being clearer. My point was that there are plugins out there that only restrict access to the password reset form. Since we do not offer that currently, using one in addition to WordFence might get you the functionality you are after now. I can definitely add your suggestion to our list. We evaluate all user suggestions but cannot guarantee a feature will be added.
It is very concerning that there are constant attacks on websites. Before I used WordFence, I had no idea how much my sites were being attacked. We’ll never be able to stop the attacks, but we can take precautions to limit the risks. Not having a user named “admin”, using strong passwords, keeping themes and plugins up-to-date, using protection like WordFence are all examples of tactics to limit the risk. I’d be much more concerned if attackers were trying to access your site with actual user names in your database. The tactic you are seeing is basically guess a username and if it exists, attempt to break the password. To my point, since the user they are attempting to use does not exist in your database, they cannot use it to access your site.
-Brian
Hello Brian,
I did not mean to sound rude or so. I am just concerned. My site runs since 1997/98 and I am aware of the hacking and scanning. In the old times you could still send a complaint via CERT or contact the provider, but today there are just too many attacks.
Anyway thanks for providing wordfence, I used to use another plugin, but I am quite happy with it.