On the one-sheet options page “Options” in sidebar, use browser search for “Brute Force Protection” and be sure it’s enabled. MTN
Brute Force Protection is enabled and I am using the option “Lock out after how many login failures” set to 2 attempts. I can set the other options under Brute Force Protection, but I cannot enter any usernames to block.
On the “Options” page I see a checkmark button next to the user names dialog. You got that enabled as well? If so, I guess we’ll have to wait for the Wordfence guys to help. MTN
The checkbox is for Immediately lock out invalid username. That is a different function to block any invalid username guesses but also blocks username typos made by valid users.
The text area is for a blacklist to block specific usernames such as admin.
I cannot enter any text in the text area, whether the checkbox is on or off.
Apologies, I got confused, my own fault as the Wordfence UI is flawless 🙂 MTN
Are you able to add a banned username such as Hacker to the blacklist text area?
Thanks. Maybe I have some compatibility problem with another plugin interfering.
Yeah, do the easier trouble shooting tips first, if you can just disable all other plugins while experimenting, that’s always best. Perhaps Wordfence folks can chime in here. Sounds like a frustrating issue. MTN
Hi @mountain-hiker-1,
Indeed, this could be related to some conflict with the theme you’re using or plugins installed on your site.
Can you see any errors in the browser console?
I recommend the “Health Check” plugin which allows you to disable all plugins and switch to a default theme, but only for your user.
In Chrome browser console, I see this error message:
Uncaught TypeError: Cannot read property ‘hasClass’ of undefined load-scripts.php?c=1…d07202ff4b0cae1:246
at HTMLDocument.<anonymous> (load-scripts.php?c=1…d07202ff4b0cae1:246)
at HTMLDocument.dispatch (load-scripts.php?c=1…24d07202ff4b0cae1:3)
at HTMLDocument.r.handle (load-scripts.php?c=1…24d07202ff4b0cae1:3)
at Object.trigger (load-scripts.php?c=1…24d07202ff4b0cae1:3)
at Object.a.event.trigger (load-scripts.php?c=1…24d07202ff4b0cae1:9)
at HTMLDocument.<anonymous> (load-scripts.php?c=1…24d07202ff4b0cae1:3)
at Function.each (load-scripts.php?c=1…24d07202ff4b0cae1:2)
at a.fn.init.each (load-scripts.php?c=1…24d07202ff4b0cae1:2)
at a.fn.init.trigger (load-scripts.php?c=1…24d07202ff4b0cae1:3)
at Object.<anonymous> (load-scripts.php?c=1…d07202ff4b0cae1:245)
Hi @mountain-hiker-1,
Could you please add the following line of code to your “wp-config.php” file:
define('CONCATENATE_SCRIPTS', false);
Be sure to add it before the line that says: /* That’s all, stop editing! Happy blogging. */
The issue could be related to a plugin conflict from WordPress combining scripts.
I updated to WordFence 7.1.0 released today. Had the same problem.
I added define(‘CONCATENATE_SCRIPTS’, false); to wp-config.php file. Had the same problem.
I am able to enter text into other option fields, but I cannot enter text into the username blacklist text area. My mouse pointer remains an arrow symbol (Normal select) when I click or hover over the area. It does not change to the Text select (I-beam) symbol to allow me to enter text.
This is not an urgent matter for me. I noticed that some hacker from India was trying to login using username admin. But that is not a valid username on my WP site, so they can’t get in. Rather than me manually blocking the IP address, I wanted to add username admin to my blacklist so that the IP address of any hackers using admin would be automatically blocked.
I will do some more troubleshooting this weekend by disabling other plugins to look for a plugin conflict problem.
I am running PHP 7.1 on GoDaddy. No other current website problems.
Chrome browser console error message has changed to:
Uncaught TypeError: Cannot read property ‘hasClass’ of undefined wp-auth-check.min.js…24d07202ff4b0cae1:1
at HTMLDocument.<anonymous> (wp-auth-check.min.js…24d07202ff4b0cae1:1)
at HTMLDocument.dispatch (jquery.js?ver=1.12.4:3)
at HTMLDocument.r.handle (jquery.js?ver=1.12.4:3)
at Object.trigger (jquery.js?ver=1.12.4:3)
at Object.a.event.trigger (jquery-migrate.min.js?ver=1.4.1:2)
at HTMLDocument.<anonymous> (jquery.js?ver=1.12.4:3)
at Function.each (jquery.js?ver=1.12.4:2)
at a.fn.init.each (jquery.js?ver=1.12.4:2)
at a.fn.init.trigger (jquery.js?ver=1.12.4:3)
at Object.<anonymous> (heartbeat.min.js?ver…24d07202ff4b0cae1:1)
I had a weekend brute force attack trying to login with username admin that does not exist on my website. Botnet IP locations from multiple countries including ch, cz,de,es,gr,it,kz,nl,nu,pl,pt,ru,sk,ua,vn,za and many from GoDaddy IP addresses.
I manually blocked IP addresses that were reported as failed logins. I have a local business, so I do not need any foreign country access, and only do occasional business with out of state customers.
While experimenting, I created a second admin account with a long strong username and password. When I logged in to the second admin account, I was able to change the brute force protection settings to blacklist common usernames used in guessing attacks.
I did not disable any plugins. So, I have some unknown problem with my first admin account, but no problems with my second admin account.
By using the second admin account, I was able to change the settings and solve my problem.
