Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi
    same problem here! With a “Please verify that you are human”
    Best
    S

    • This reply was modified 1 year, 5 months ago by psychic9.
    Plugin Support wfpeter

    (@wfpeter)

    Hi @shahahmadyusof, thank you for getting in touch.

    1 failed attempt with a 1 month block seems like an extremely strict setting that may catch many legitimate users, should they make a small typing error, in addition to bots/humans with malicious intentions. If you have a high number of non-admin logins on your site, I recommend trying 3-5 for attempts and forgotten passwords, counted over 4 hours, with a 30 minute lockout to prevent these auto-emails or users contacting you too often asking to be unblocked.

    We also recommend that online stores, or sites that handle many logins have strict settings such as Wordfence > All Options > Brute Force Protection > Immediately lock out invalid usernames turned off.

    If you find this doesn’t stem the flow of emails, I would certainly recommend turning those specific alerts off if they’re becoming frustrating to see. Many admins choose not to activate this alert as, unlike critical scan results that require action in a timely fashion, there is only limited action you can take. Wordfence is reporting that it’s dealing with the users in the way you want so that you don’t have to.

    Thanks,

    Peter.

    Thread Starter Shah Ahmad Yusof

    (@shahahmadyusof)

    Hi @wfpeter, thank you for your reply.

    1 failed attempt with a 1 month block seems like an extremely strict setting that may catch many legitimate users, should they make a small typing error, in addition to bots/humans with malicious intentions. If you have a high number of non-admin logins on your site, I recommend trying 3-5 for attempts and forgotten passwords, counted over 4 hours, with a 30 minute lockout to prevent these auto-emails or users contacting you too often asking to be unblocked.

    As I mentioned above, I’m the only user who will log in on all these 9 websites. There are no other users/accounts on these websites besides mine. So I think this is the best setting to secure the websites.

    If you find this doesn’t stem the flow of emails, I would certainly recommend turning those specific alerts off if they’re becoming frustrating to see. Many admins choose not to activate this alert as, unlike critical scan results that require action in a timely fashion, there is only limited action you can take. Wordfence is reporting that it’s dealing with the users in the way you want so that you don’t have to.

    I didn’t want to turn off this alert previously because I want to receive an alert in case someone tries to breach my website. But since 1-2 weeks before I posted this support ticket (Nov 5, 2022), it has been getting worse, like hundreds of emails per day non-stop. Although for many years before this, I only received a few emails a week from Wordfence.

    So since Nov 9, I’ve used the code below in my .htaccess as an alternative way to stop them from hitting my sites. This means I will remove the code whenever I need to log in to my sites every 30 days and put it back after I’m logged in. So far, I have received no more hits in my blocking list on Wordfence.

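    RewriteEngine On
    # Match any request path containing "wp-login" or "xmlrpc" ([NC] = case-insensitive)
    RewriteCond %{REQUEST_URI} wp-login [NC,OR]
    RewriteCond %{REQUEST_URI} xmlrpc [NC]
    # Answer matching requests with 403 Forbidden and stop processing further rules
    RewriteRule ^/?.*$ - [F,L]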

    So, back to my question in my original post. Will this redirect have an unforeseen effect? From my SEO or anything else?

    Best regards,

    Shah Ahmad Yusof
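
Added example, not part of the original thread: a Python emulation of how the two posted RewriteCond patterns match request paths. It shows that an unanchored pattern with [NC] matches any URL path containing the string, not just the login and XML-RPC endpoints. The sample paths and the anchored patterns are constructed for illustration and assume WordPress is installed at the site root.

```python
import re

# The two RewriteCond patterns from the post; [NC] means case-insensitive and
# an unanchored pattern matches anywhere in %{REQUEST_URI}.
POSTED = [r"wp-login", r"xmlrpc"]
# Hypothetical tighter patterns (assumes WordPress is installed at the site root).
ANCHORED = [r"^/wp-login\.php$", r"^/xmlrpc\.php$"]

# Constructed request paths: the two real endpoints plus ordinary content URLs.
SAMPLE_PATHS = [
    "/wp-login.php",
    "/xmlrpc.php",
    "/WP-LOGIN.PHP",
    "/blog/how-to-protect-wp-login/",
    "/docs/xmlrpc-vs-rest-api/",
    "/wp-content/uploads/2022/11/wp-login-screenshot.png",
    "/about/",
]

def is_forbidden(path, patterns):
    """Emulate the OR-ed RewriteCond chain: 403 if any pattern matches the path."""
    return any(re.search(p, path, re.IGNORECASE) for p in patterns)

def collateral(paths, patterns, intended=("/wp-login.php", "/xmlrpc.php")):
    """Paths that get 403 although they are not one of the intended endpoints."""
    return [p for p in paths
            if is_forbidden(p, patterns) and p.lower() not in intended]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path:55} posted={is_forbidden(path, POSTED)!s:5} "
              f"anchored={is_forbidden(path, ANCHORED)}")
    print("collateral with posted rules:", collateral(SAMPLE_PATHS, POSTED))
```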

  • The topic ‘“User locked out from signing in” attack’ is closed to new replies.