Support » Plugin: Wordfence Security - Firewall & Malware Scan » WF not immediately blocking IPs signing in as flagged usernames?

  • Resolved a305587

    (@a305587)


    Hello,

    Thanks Wordfence team for making an awesome product!

    I’ve used the “Immediately block the IP of users who try to sign in as these usernames” field of your excellent plugin liberally every time I get a notification of an attempt, hoping the next time the bot network tries one of the usual suspect names (guest, admin, indoxploit, schatzi, badmin, tester, AnonymousFox, asd, garak, etc.), it would handle them each time and permanently block the IP – even if it’s a VPN.

    However, I’ve noticed lately I’m seeing a lot of repeat offenders, and on the email notifications I see the following (as one example):

    “A user with IP addr 14.186.144.38 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username ‘guest’ to try to sign in.
    The duration of the lockout is 5 days.
    User IP: 14.186.144.38
    User hostname: static.vnpt.vn
    User location: Ho Chi Minh City, Vietnam”

    I noticed it only says “the duration of the lockout is 5 days”.

    I have the password form for REAL users set to lock out for 5 days, yes, but I also have “guest” (not an actual user) on my permanent ban list.

    My question is why wouldn’t the IP be banned permanently since I don’t have an actual “guest” user name and it’s on my permanent ban list?

    Is there a way to make the “immediately block the IP of users who try to sign in as these usernames” actually permanently block those IPs, or am I misunderstanding what this field does?

    Thanks!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfdave

    (@wfdave)

    Hi @a305587,

    Both the “Immediately block the IP of users who try to sign in as these usernames” and “Immediately lock out invalid usernames” are not permanent blocks.

    The duration of the block is set by “How long is an IP address blocked when it breaks a rule”.

    Located here (Wordfence -> All Options -> Rate Limiting): https://i.imgur.com/2PEIQmj.png

    You can choose to set it higher, so these bots cannot try as often.

    Dave

    Many thanks Dave, you guys are great.

    Cheers!
