• ianhsieh

    (@ianhsieh)


    Hi there,

    I’m using the free version of Wordfence, and currently one of my settings is to have an IP address locked out if someone attempts to log in with an invalid username. But my client reports that someone tries to log in with the same invalid username ‘cocoplumcay’ with the same IP address but isn’t locked out immediately; moreover, they attempted at 10-minute intervals 4 times when they should be locked out for 2 months on their first try.
    However, when I tried to log in with the same invalid username with a different IP address, I got locked out. So why is someone able to try to do that when they should have been locked out on their first try? The site was recently hacked; though it was restored, my client is still nervous about this.

    Thanks,
    Ian


Viewing 4 replies - 1 through 4 (of 4 total)
  • wfdave

    (@wfdave)

    Hi @ianhsieh,

    Can I have you take a look at the Wordfence settings?

    Please go into Wordfence -> All Options, find these values:

    Immediately lock out invalid usernames (is this checked?)

    How long is an IP address blocked when it breaks a rule (is this 4 hours or longer?)

    Amount of time a user is locked out (is this 4 hours or longer?)

    Could you also take a look at How does Wordfence get IPs? Do you have any trusted proxies (click + Edit trust proxies to check)? Is your IP being properly detected there?

    Dave

    Thread Starter ianhsieh

    (@ianhsieh)

    Hi Dave,

    – Immediately lock out invalid usernames (is this checked?)
    Yes, it’s checked.

    – How long is an IP address blocked when it breaks a rule (is this 4 hours or longer?)
    It’s set to 6 hours.

    – Amount of time a user is locked out (is this 4 hours or longer?)
    It’s set to 2 months.

    – How does Wordfence get IPs
    I use the recommended option “Let Wordfence use the most secure method to get visitor IP addresses. Prevents spoofing and works with most sites.” When I tried with a nonexistent username, I used a server that I have RDP access to, and it was locked out, with the IP listed in the block list.

    ——————————

    Here is a screenshot of the log of my website: https://snag.gy/Qiu3Vf.jpg
    As you can see, an anonymous user attempted to log in with a nonexistent username, but the IP address is not blocked. They continue trying to log in with the same nonexistent username.
    A different event showed up last night, and none of the IP addresses are in the block list even though they only tried once. https://snag.gy/3porGt.jpg

    Thanks,
    Ian

    wfdave

    (@wfdave)

    Hi again,

    I took a look at the screenshots, and I noticed something strange.

    On the right side of the logs, all of the IP addresses ended with .0.

    For example:

    – 166.248.231.0
    – 142.93.103.0
    – 178.128.170.0
    – 13.59.171.0
    – 185.192.69.0

    IP addresses connecting to your website cannot end in .0.

    So I suspect that multiple IP addresses that begin with the same digits are attacking your website.

    Can you go into Wordfence -> Tools -> Live Traffic, to see if multiple IP addresses are showing up?

    For example:

    – 178.128.170.2
    – 178.128.170.3
    – 178.128.170.4
    – 178.128.170.5
    – 178.128.170.etc

    Dave
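
One way to run the check Dave describes, as an added example that is not part of the thread or of Wordfence: group addresses copied from Live Traffic by /24 and compare them with the log entries ending in .0. The function names are hypothetical, IPv4 is assumed, and the sample lists are constructed (13.59.171.57 and the 178.128.170.x values echo addresses quoted in the thread).

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: log entries as shown (last octet .0) and
# full addresses as they might be copied from the Live Traffic page.
MASKED_LOG_IPS = ["13.59.171.0", "178.128.170.0", "185.192.69.0"]
LIVE_TRAFFIC_IPS = [
    "13.59.171.57", "13.59.171.57", "13.59.171.57",
    "178.128.170.2", "178.128.170.3", "178.128.170.4",
]

def hosts_by_subnet(live_traffic_ips, prefix_len=24):
    """Group the distinct visitor addresses by their enclosing network."""
    groups = defaultdict(set)
    for raw in live_traffic_ips:
        ip = ipaddress.ip_address(raw.strip())
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[net].add(ip)
    return groups

def explain_masked_entries(masked_log_ips, live_traffic_ips):
    """For each log entry ending in .0, list the full addresses seen in that /24.

    One address means a single client is behind the entry; several mean
    the attempts are spread across the subnet; none means Live Traffic
    holds no match for that entry.
    """
    groups = hosts_by_subnet(live_traffic_ips)
    report = {}
    for masked in masked_log_ips:
        net = ipaddress.ip_network(f"{masked}/24", strict=False)
        hosts = sorted(groups.get(net, set()))
        if not hosts:
            verdict = "not seen in live traffic"
        elif len(hosts) == 1:
            verdict = "single address"
        else:
            verdict = "multiple addresses in same /24"
        report[masked] = (verdict, [str(h) for h in hosts])
    return report

if __name__ == "__main__":
    for entry, (verdict, hosts) in explain_masked_entries(
            MASKED_LOG_IPS, LIVE_TRAFFIC_IPS).items():
        print(f"{entry:16} {verdict:32} {', '.join(hosts)}")
```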

    Thread Starter ianhsieh

    (@ianhsieh)

    Hi Dave,

    Here is a screenshot of part of the live traffic page.
    https://snag.gy/3r1Nw2.jpg

    I can see that there are more attacks happening than what our log can record, but I don’t see multiple addresses of the same starting digits showing up. For example, I see 13.59.171.57 showing up multiple times, but I don’t see 13.59.171.XXX showing up elsewhere.

    Also, the IP address shown to be blocked in this list doesn’t seem to match the one in the block list either (https://snag.gy/bR6BgJ.jpg). Are they blocked or not?

    Thanks,
    Ian

    [ Please do not bump. ]

  • The topic ‘Attempt with invalid username but isn’t locked out’ is closed to new replies.