• Resolved Beda

    (@bedas)


    One of the sites I admin is under heavy attack by some [ redacted ] people who think they can brute force my password.
    It is not a problem since the password is good enough and I also monitor the site, but they really mean it and attack the site approximately 200 times a day.

    So I wanted to add reCAPTCHA to the login to stop the bots (or whatever they are) from even submitting a password/username.
    I set up Google's reCAPTCHA v3, added the key and secret to the Wordfence settings, and I can now see a reCAPTCHA “symbol or icon” on the bottom left of the login screen.
    Clicking on it says “Protected by reCAPTCHA”.
    However, I can still log in just fine without ever filling out any form of reCAPTCHA.

    The reCAPTCHA hardness setting is set to “Definitely human, 1”.
    I use the free WF version.
    Great plugin btw, I use it on every single site I build/administrate.

    Can you help?
    It seems borked to me.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @bedas, thanks for getting in touch and I’m pleased you’re enjoying Wordfence.

    The latest version of reCAPTCHA is designed to be non-invasive where possible, so it does not force the visitor to identify pictures or words if it’s certain you are human, as stated in your settings. It may require extra verification from a visitor if the score is lower than 1. If the logo is showing and you’re not experiencing login or JavaScript errors preventing you from using the site normally, I believe it is correctly set up. We aren’t in a position to be informed as to how Google’s algorithm comes to its conclusion on scoring site visitors, but it certainly seems correct in your case.

    In addition to reCAPTCHA, keeping your passwords secure (as it sounds like you’re doing), enabling 2FA and keeping your plugin/WordPress versions up-to-date are the most important actions you can take when also running Wordfence.

    Thanks,

    Peter.
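What the invisible v3 flow looks like on the server, as an added example (not Wordfence's code, nor the poster's): the browser submits a token with the login form, the site posts it to Google's siteverify endpoint, and the site then decides from the returned score, action and hostname whether the login may proceed. The threshold constant, the action name `login`, the hostname `example.com` and the sample responses below are assumed/constructed.

```php
<?php
// Added example (not Wordfence code): how a reCAPTCHA v3 "siteverify"
// response is turned into an allow/deny decision on the server.
// v3 never shows a challenge; the site decides from the returned score.

const RECAPTCHA_V3_MIN_SCORE = 0.5; // assumed threshold; 1.0 = "definitely human"

/**
 * Decide whether a login attempt may proceed, given the decoded JSON that
 * Google returns from https://www.google.com/recaptcha/api/siteverify.
 *
 * @param array  $verify   Decoded siteverify response.
 * @param string $action   Action name the login form was rendered with.
 * @param string $hostname Hostname the token must have been issued for.
 * @return array{allow: bool, reason: string}
 */
function evaluate_recaptcha_v3(array $verify, string $action, string $hostname): array
{
    // Any failure (expired token, wrong secret, duplicate token) fails closed.
    if (empty($verify['success'])) {
        $codes = implode(',', $verify['error-codes'] ?? ['unknown']);
        return ['allow' => false, 'reason' => "verification failed: {$codes}"];
    }
    // A token minted for another form or another site must not unlock the login,
    // so the action and hostname Google reports are checked, not just the score.
    if (($verify['action'] ?? '') !== $action) {
        return ['allow' => false, 'reason' => 'action mismatch'];
    }
    if (($verify['hostname'] ?? '') !== $hostname) {
        return ['allow' => false, 'reason' => 'hostname mismatch'];
    }
    $score = (float) ($verify['score'] ?? 0.0);
    if ($score < RECAPTCHA_V3_MIN_SCORE) {
        return ['allow' => false, 'reason' => sprintf('score %.1f below threshold', $score)];
    }
    return ['allow' => true, 'reason' => sprintf('score %.1f', $score)];
}

// Constructed sample responses (not real captures).
$samples = [
    '{"success":true,"score":0.9,"action":"login","hostname":"example.com","challenge_ts":"2024-01-01T00:00:00Z"}',
    '{"success":true,"score":0.1,"action":"login","hostname":"example.com","challenge_ts":"2024-01-01T00:00:00Z"}',
    '{"success":true,"score":0.9,"action":"homepage","hostname":"example.com"}',
    '{"success":false,"error-codes":["timeout-or-duplicate"]}',
];
foreach ($samples as $json) {
    $result = evaluate_recaptcha_v3(json_decode($json, true), 'login', 'example.com');
    printf("%-5s %s\n", $result['allow'] ? 'ALLOW' : 'DENY', $result['reason']);
}
```

Only the first sample passes; a low score, a token issued for a different form, and a reused or expired token are all rejected without the visitor ever seeing a challenge, which is why a legitimate login "just works" while the check is still in place.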

    Thread Starter Beda

    (@bedas)

    Hi @wfpeter and thanks for the reply

    What you say makes sense. I usually use v2, so I wasn’t used to this non-intrusive method that comes with v3. At least we don’t need to pick the bicycles anymore 😂

    Unfortunately it seems the attacks are performed by advanced bots (or humans?), as I still get approx 30 login failure mails daily. It’s less than before, but didn’t stop.

    I had hoped the captcha would recognize them; however, it seems bots have evolved. I’ve read a few articles and it seems new AI bots can easily bypass the v3 captcha just as the v2 (using captcha farms or whatnot; it seems the bad guys develop just as fast as the good guys).

    I’ll add 2FA (Authenticator) – that’s a good idea to be sure no one logs in unintentionally, which I missed.

    I was hoping to stop the bots for good.
    I’m thinking of setting up a honeypot and obscuring the login URL with a random string. I mean, that should hopefully make it harder for them to guess the actual URL / form location to log in or attempt to log in, and if I do it smart I can loop the bots somehow into a dead end.

    Do you have any other suggestions how I could kill the attacks for good? It’s also a performance issue; after all, these attempts use bandwidth and fill up the logs with the blocked IPs…

    Of course my biggest hope would be to catch the guys and have a serious word but that’s more a Hollywood dream than reality 😓

    Any input will be greatly appreciated!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @bedas,

    If a bot (or human) tries to log in using your username and fails repeatedly, they should experience blocking according to the strength or leniency of your Brute Force settings.

    WordPress to this day does not intend to hide your username and does not consider the intentional leaking of usernames to be a security problem. Instead their recommendation is to use strong passwords and two factor authentication to secure your login page, rather than obscure your username. You can read more about this here:
    https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue

    For example, Dion Hulse, a core contributor to WordPress, explained the reasoning behind leaked usernames:

    “It has been stated in previous tickets, ‘leaking’ of the username is not deemed a security issue by WordPress.org, as it’s a conscious decision to use the username as the slug in the URL”

    The current stance on this is also evident in the WordPress Codex regarding “Access Control”:

    “One of the top two attack vectors used by cyber criminals is software vulnerabilities and access control. To combat this you must secure any point of entry into your host, WordPress installation or server. This includes employing strong passwords and enabling some form of Multi Factor Authentication.”

    Brute force login attacks are one of the most common attacks that we see and are normal. We see millions of brute force login attempts per hour on WordPress sites protected with Wordfence. Here is a blog post explaining why hackers are interested in your site and the steps you can take to keep your admin account protected: https://www.wordfence.com/blog/2018/03/ask-wordfence-why-is-an-insignificant-site-like-mine-being-attacked/

    To keep yourself protected we ask users to set very strong passwords, 2FA and reCAPTCHA which sounds like your plan anyway. You could also carry out the following if you haven’t already done so:

    – Set our recommended brute force protection rules. Instructions are in the link below. You can quickly find these options in the Brute Force Protection section on the All Options page: https://www.wordfence.com/help/firewall/brute-force/

    I hope this helps you out in understanding what’s going on here. If you’d like to look into other Wordfence features, our help documents are a great resource: https://www.wordfence.com/help/

    Thanks again,

    Peter.

    Thread Starter Beda

    (@bedas)

    Thanks @wfpeter for the comprehensive reply.

    About obscuring the username – I agree this would be silly, since the author archive simply and plainly leaks it.
    I meant the actual admin URL/login URL.

    One of the reasons WP is such a high-value target for attacks is that “they” know our login URLs.
    It’s always the same, so it’s easy to call any site and append /wp-admin to be directed (without the need to discover it) to the login form.
    So if I obscure that, I guess the automated attacks at least would have a harder time.

    It’s actually interesting that none of the attacks have yet even tried my username – this is also why I am not worried “they” will ever get in, apart from the near-impossibility of guessing our passphrases.

    I have added 2FA now as well and will, as soon as I have the time, try the trick with changing the login/admin paths. I’ll report back here if I see a significant decrease in failed logins after that.

    Thank you again for the great help!

  • The topic ‘Recaptcha is not working’ is closed to new replies.