WP Security Audit Log
[resolved] feature request - re failed login attempts (4 posts)

  1. friedVol
    Posted 1 year ago #

    I've been happily using WP Security Audit log since version 0.4. I'm now using v.1.1.1.

    RE failed login attempts: until a couple-three versions back, the Audit Log Viewer used to give the message, "Failed login detected using XYZ as username" with XYZ standing for whatever username was being used to login. If more than one login was attempted, then the number of attempts was included in the message.

    Now all we get is "1 failed login detected."

    Would you please go back to giving us the username? I found it instructive to know when someone was using my username to attempt a login.

    I wasn't terribly worried when the failed logins used admin as the username. I got very concerned and changed some things when the failed logins used my actual username. Now the failed attempts are increasing again. I want to know if they already have half of the login figured out or not.

    Thanks for listening.


  2. robert681
    Plugin Contributor

    Posted 1 year ago #

    Hi friedVol,

    Thanks for using and supporting our plugni.

    We still report the same amount of details but in a different way. Let me explain:

    Imagine you have a WordPress installation with just the user "admin" on it. If someone tries to login using such a user, the following alert will be reported:

    Username: Admin
    Role: administrator
    Alert: 1 failed login(s) detected

    If multiple failed logins are detected for that username, the number of failed logins will increase.

    In the meantime if someone tries to login using a username "ruby", which does not exist on your WordPress, the following will be reported:

    Username: unknown
    Role: unknown
    Alert: 1 failed login(s) detected

    Therefore when the user and roles are reported as "unknown" it means that the username the attacker is using to try to login does not exist in your WordPress, hence there is not much to worry about.

    On the other hand if there is a failed login alert and the username is reported, it means that it exists on WordPress hence the attacker might have guessed the username already.

    While I trust the above answers your query, do not hesitate to get in touch should you have any further queries.

  3. friedVol
    Posted 1 year ago #

    Ah, now I see. Thanks for the explanation. The username/role info is now in a different column on the event line. And I'm getting the publicly displayed name instead of the username. It's all good.

    But what does it mean when the Role is "System" as in:
    Username/publicly displayed name: Unknown,
    Role: System
    Alert: failed login(s) detected

    What does a System role allow? It's not on my dashboard's list of Roles. How can I get a System role?

    What does it mean when I log in and sometimes it says my role is Administrator and other times it says my role is Unknown - yet I've never changed my role? And my logins were always successful.

    Yes, I've noticed that when another Administrator on my site has a failed login attempt it shows as his publicly displayed name and the role is Unknown. That user confirmed that it truly was he who was trying to log in. The username was correct, but the password was not. ...But this is not my situation. I should say this happened several times in May, but not yet in July.


  4. WPWhiteSecurity
    Plugin Author

    Posted 1 year ago #

    When in the role you see "system" it means that WordPress itself generated that error, i.e. there is no user and there is no role.

    Since the username used to try to login to WordPress does not exist, then the "default" role is reported in this case.

    As regards the other issue, where the actual user role is not reported, especially since it seems to be an intermittent issue it is quite difficult to troubleshoot via the form. Drop us an email on plugins@wpwhitesecurity.com and we will gladly look into it with you.

    Looking forward to hearing from you.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic