Hi @wandriska,
Did you enable the Login Security feature?
Have you set any Rate Limiting rules?
Can you see failed login attempts?
Are there any blocked IPs displayed on the “Wordfence –> Live Traffic” page?
Thank you for your response.
Yes, all that has been done, and the login security limits have been set up as well.
There is NOTHING in Blocked IPs. (I use Wordfence on 3 sites and am familiar with its operation and setup.)
I find this all very disconcerting.
I have no idea how this can be happening.
What is your advice? My feeling now is to uninstall it as this software appears useless.
Hi @wandriska,
Wordfence cannot stop people from trying to access your wp-login page, but it will block them from going any further.
At this stage you need to check the raw access logs and find the response code to see if the requests were blocked or not. A 503 or 403 code will indicate a blocked visit.
For those of us who would like to help, what specific behavior do you expect from Wordfence, that it’s not delivering? MTN
@wyfann. I believed that WF would stop a brute force attack. Are you saying that what happened, as MDD hosting explained above, is something that WF can’t/doesn’t deal with???
Where can I find the raw logs on the updated version?
@mountainguy2. I expect WF to not allow brute force attacks – look at data above that I quoted… is that ok?
The logs are not kept for more than 24 hours.
The double login installed will be lifted to see if the problem reoccurs, then logs will be kept.
It sounds like you simply need to experiment with and learn the Wordfence Options, especially those pertaining to login. In any case, no matter what Wordfence does, if you are getting a brute force attack on wp-login.php you will still see all the hits, it’s just that they’ll be blocked to one degree or another depending on your Wordfence settings. The thing to remember is that if you are receiving a brute force attack, and your username/password are impossible to guess, you have already “blocked” the attack no matter what security software you use, or do not use. If you set up Wordfence to “block”, for example, a login attempt with a wrong user name, you get a block on that IP, which can be nice as they’re not allowed to attack using that IP, but you might still get hits from that IP that will show in logs, etc.
By the same token, you can simply hide your login screen from the bots and you’ve “blocked” the attack, but you’ll still see the traffic in your logs.
This is all quite confusing in my opinion, as some of it involves terminology, as in what really is a “block?” And when does that block occur in terms of the software stack on your server? For example, you might have a server firewall that can block traffic long before it is ever seen by Wordfence.
In the end, a lot of this “blocking” game could best be viewed by evaluating what uses the least bandwidth. For example, a small site without commerce and without user registration, having good backups, might be more efficient in terms of bandwidth if it runs without any extra “security” plugins mucking things up. I’m not a fan of WordPress, in fact I hate it after suffering with it for years, but one has to admit that WordPress is actually pretty solid in terms of security if one is careful about basic attack vectors (examples being bloated junk themes, bad passwords and junk plugins, and keeping core updated).
MTN
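Added example, not part of the original thread and not Wordfence code: a sketch of the raw-access-log check suggested above, which counts POSTs to wp-login.php per IP and separates those answered with 403/503 (blocked) from those that still reached WordPress. It assumes the Apache/nginx combined log format; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
BLOCKED = {"403", "503"}  # codes the thread names as indicating a blocked visit

# Constructed sample lines (documentation IP ranges), not from a real log.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:04:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl"
203.0.113.7 - - [10/Mar/2019:04:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl"
203.0.113.7 - - [10/Mar/2019:04:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl"
203.0.113.7 - - [10/Mar/2019:04:12:04 +0000] "POST /wp-login.php HTTP/1.1" 503 812 "-" "curl"
203.0.113.7 - - [10/Mar/2019:04:12:05 +0000] "POST /wp-login.php HTTP/1.1" 503 812 "-" "curl"
198.51.100.23 - - [10/Mar/2019:04:13:10 +0000] "POST /wp-login.php HTTP/1.1" 403 640 "-" "-"
198.51.100.23 - - [10/Mar/2019:04:13:11 +0000] "POST /wp-login.php HTTP/1.1" 403 640 "-" "-"
192.0.2.10 - - [10/Mar/2019:09:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3300 "-" "Firefox"
192.0.2.10 - - [10/Mar/2019:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Firefox"
192.0.2.10 - - [10/Mar/2019:09:00:10 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Firefox"
"""

def summarize_login_hits(lines):
    """Return {ip: Counter(blocked=n, served=m)} for POSTs to wp-login.php."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = m["path"].split("?")[0]
        if m["method"] != "POST" or not path.endswith("/wp-login.php"):
            continue
        # Anything other than 403/503 was handled by WordPress itself:
        # a failed login normally returns 200, a successful one a 302.
        per_ip[m["ip"]]["blocked" if m["status"] in BLOCKED else "served"] += 1
    return per_ip

def still_served(per_ip, threshold=3):
    """IPs with at least `threshold` login POSTs that were not blocked."""
    return sorted(ip for ip, c in per_ip.items() if c["served"] >= threshold)

if __name__ == "__main__":
    summary = summarize_login_hits(SAMPLE_LOG.splitlines())
    for ip, c in sorted(summary.items()):
        print(f"{ip:15} blocked={c['blocked']} served={c['served']}")
    print("repeated attempts not blocked:", still_served(summary))
```

An IP that shows only `blocked` hits is traffic that appears in the log but was stopped; an IP with many `served` hits is one the current lockout settings are not catching.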