There’s a bot network that tries a list of usernames fed to them from the darkweb, “indoxploit” is on that list. I’ve seen that name attempted on my sites many times.
The bot net is using VPNs, so even if you have WordFence configured to immediately lock out invalid usernames, WordFence will lock out that username but the botnet will use a VPN to try and attack from another IP.
When WordFence says it will block the username what they mean is they will block that IP address that attempts that username. If the botnet changes IP addresses through a VPN and tries the same username, there’s nothing WordFence can do about that other than block it the next time they try again. Either way WordFence is doing its job. There’s not much you can do either. It’s frustrating but it’s the nature of the Internet.
If you’re getting hit, it means your IP is on the list now too so you’ll see more activity. Either you had malware on your server at one point, or you are on a shared server and another site on your shared IP had malware. Either way someone on your IP or that had your IP address earlier had malware and triggered being added to the “attack this server” list for the botnets to hit, that’s why you’re seeing attempts.
But don’t fret, as long as you have your WordFence policies set properly, they will not get in.
Thread Starter
Bev
(@bstofko)
My issue is that the login attempts were not actually blocked, they were logged as failed login attempts but were not blocked.
Thread Starter
Bev
(@bstofko)
I did a lot of digging and added some logging to try to understand what was happening. I discovered that the login attempts that are not being blocked are made with an empty password. I wonder whether these attempts should be blocked due to the invalid username, rather than giving the 200 success return and the standard WordPress “ERROR: The password field is empty.” page. I am not sure why these bots are attempting logins with blank passwords.
I think it would be helpful if the Live Traffic display contained a bit more information.
Currently I see this when an invalid username/empty password is attempted:
Type: Failed Login West Palm Beach, United States attempted a failed login using an invalid username “Admin”.
A better message would include $authUser->get_error_code():
Type: Failed Login West Palm Beach, United States attempted a failed login using an invalid username “Admin”, failed due to empty password.
Or even better:
Type: Blocked West Palm Beach, United States attempted a failed login using an invalid username “Admin”, failed due to empty password.
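The behaviour Bev describes has a concrete cause in WordPress core: `wp_authenticate_username_password()` returns the `WP_Error` code `empty_password` before it ever looks the username up, and `wp_authenticate()` deliberately skips the `wp_login_failed` action for the `empty_username` and `empty_password` codes. A blank-password probe against a non-existent account therefore never carries the `invalid_username` code that a lockout rule would key on. The must-use plugin below is an added example written for this thread, not Wordfence code and not code from the original posts; it re-classifies such attempts as an invalid-username failure and fires the action core skipped. The hook and function names (`authenticate`, `wp_login_failed`, `get_user_by`, `WP_Error`) are real WordPress core APIs; the assumption that the lockout plugin in use inspects the `invalid_username` code or listens on `wp_login_failed` is mine and should be checked against that plugin's documentation.

```php
<?php
/**
 * Plugin Name: Reclassify empty-password probes against unknown usernames
 * Description: Added example (not Wordfence code). Place in wp-content/mu-plugins/.
 *
 * Core's 'authenticate' handlers run at priority 20; priority 25 runs right after
 * them and before any later plugin handler, so those plugins see the new error.
 */

add_filter( 'authenticate', 'example_reclassify_empty_password_probe', 25, 3 );

/**
 * @param WP_User|WP_Error|null $user     Result so far from earlier 'authenticate' handlers.
 * @param string                $username Submitted login (or e-mail address).
 * @param string                $password Submitted password.
 * @return WP_User|WP_Error|null
 */
function example_reclassify_empty_password_probe( $user, $username, $password ) {
	// Only act on core's "The password field is empty." result.
	if ( ! is_wp_error( $user ) || 'empty_password' !== $user->get_error_code() ) {
		return $user;
	}

	$username = trim( (string) $username );
	if ( '' === $username ) {
		// Both fields blank: someone pressed Enter on an empty form, not a probe.
		return $user;
	}

	// A real account holder who left the password blank keeps core's message.
	$exists = get_user_by( 'login', $username )
		|| ( is_email( $username ) && get_user_by( 'email', $username ) );
	if ( $exists ) {
		return $user;
	}

	// Unknown username with an empty password: record it like any other failed login.
	$ip = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';
	error_log( sprintf(
		'login probe: unknown username "%s" with empty password from %s',
		$username,
		$ip
	) );

	// Same generic wording for unknown user and wrong password, so the response
	// does not confirm which usernames exist.
	$error = new WP_Error( 'invalid_username', 'Error: Invalid username or password.' );

	// Fire the action core intentionally skips for empty_password (assumption:
	// brute-force/lockout plugins counting failures via this action will now see it).
	do_action( 'wp_login_failed', $username, $error );

	return $error;
}
```

After installing, a request to `wp-login.php` with an unknown username and a blank password returns the generic invalid-username error instead of "The password field is empty.", an entry appears in the PHP error log, and any plugin hooked on `wp_login_failed` or inspecting the `invalid_username` code is given the chance to count or block the source IP. Attempts against existing accounts, and fully blank submissions, are left exactly as core handles them.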