Resolved MyrddinDE

    (@myrddinde)


    I am getting more and more accesses to the Reset Password Form for nonexistent users. I am the sole user on the system and would like to deactivate the disable password form, or restrict access via .htaccess (I could reset this if I actually ever need to reset the password).

    Do you have any ideas how I could do this? I did limit the access to wp-login.php. Is that enough and I am too paranoid?

    <Files wp-login.php>
            AuthUserFile /xxxxx/.lnsdfn08
            AuthName "Red Light District"
            AuthType Basic
            Require valid-user
    </Files>

    Background for my nervousness is:

    A user with IP address xxx.yyy.zzz.xxx has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username ‘admin’ to try to sign in.
    User IP: xxx.yyy.zzz.xxx
    User hostname: xxx_yyy_zzz_xxx.rev.poneytelecom.eu
    User location: France

    https://wordpress.org/plugins/wordfence/
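
As an added example (not from the thread or from Wordfence), an .htaccess fragment for the WordPress root that refuses only the lost-password and reset-password actions of wp-login.php unless the request comes from the site owner's own address, while leaving ordinary logins untouched. The address 203.0.113.10 is a placeholder to be replaced with your own; the `<Files wp-login.php>` Basic-auth block from the post stays in place alongside it.

```apache
# Added example, not part of the original thread.
# Keep the existing <Files wp-login.php> Basic-auth block above this.

RewriteEngine On

# Only act on wp-login.php when the query string carries one of the
# password-reset actions WordPress handles there. The lost-password form
# submits back to wp-login.php?action=lostpassword, so one condition
# covers both the GET that shows the form and the POST that sends it.
RewriteCond %{QUERY_STRING} (^|&)action=(lostpassword|retrievepassword|rp|resetpass)(&|$) [NC]

# Let the owner's own address through so the reset can still be used
# when it is really needed. 203.0.113.10 is a placeholder value.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$

# Everyone else receives 403 Forbidden for these actions only;
# wp-login.php without a reset action is not affected by this rule.
RewriteRule ^wp-login\.php$ - [F,L]
```

Since WordPress serves the reset form from wp-login.php itself, the Basic-auth block in the post already gates it; this rule is for the case where the login form should stay reachable but the reset actions should not.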

Viewing 4 replies - 1 through 4 (of 4 total)
  Hi,

    I know there are plugins out there that can disable the password reset form. You might want to do a search and see if one fits your needs.

    I think you are well protected. First, the attackers are trying to access the reset password page for users that do not exist so there is no password for them to change. Second, WordFence is restricting the attackers by locking them out when they use an invalid name to try and log in to the password reset page.

    Hope that helps,
    -Brian

    Thread Starter MyrddinDE

    (@myrddinde)

    If you mean that I feel better because they use nonexistent usernames you are dead wrong. That you do not get a warning message for existing users, does not mean there are no attacks. This is a totally “flawed sense of security”.
    I doubt I am the only one with this issue and would have preferred if I read “Um, not right now, but we will see if we can add this at some point” over suggesting a different plugin. For me stuff like this is way more essential than adding “cache” functionality. But it is just my 2 cents.

    Thanks

    Hi,

    Sorry for not being clearer. My point was that there are plugins out there that only restrict access to the password reset form. Since we do not offer that currently, using one in addition to WordFence might get you the functionality you are after now. I can definitely add your suggestion to our list. We evaluate all user suggestions but cannot guarantee a feature will be added.

    It is very concerning that there are constant attacks on websites. Before I used WordFence, I had no idea how much my sites were being attacked. We’ll never be able to stop the attacks, but we can take precautions to limit the risks. Not having a user named “admin”, using strong passwords, keeping themes and plugins up-to-date, using protection like WordFence are all examples of tactics to limit the risk. I’d be much more concerned if attackers were trying to access your site with actual user names in your database. The tactic you are seeing is basically guess a username and if it exists, attempt to break the password. To my point, since the user they are attempting to use does not exist in your database, they cannot use it to access your site.

    -Brian

    Thread Starter MyrddinDE

    (@myrddinde)

    Hello Brian,

    I did not mean to sound rude or so. I am just concerned. My site has been running since 1997/98 and I am aware of the hacking and scanning. In the old times you could still send a complaint via CERT or contact the provider, but today there are just too many attacks.

    Anyway, thanks for providing Wordfence. I used to use another plugin, but I am quite happy with it.

The topic ‘Reset Password Form’ is closed to new replies.