Support » Plugin: Wordfence Security - Firewall, Malware Scan, and Login Security » Wordfence alerts locked users (brute force)

  • Hello,

    I am using WordPress 4.7 (latest) with Wordfence Plugin (free).
    I’m using an htaccess file securing wp-admin and wp-login.php as well, with a complex 15-char password.

    Still, I get the following Wordfence alerts from time to time:

    —snip—
    This email was sent from your website “XYZ” by the Wordfence plugin at Friday 23rd of December 2016 at 03:31:46 PM
    The Wordfence administrative URL for this site is: https://www.example.com/wp-admin/admin.php?page=Wordfence

    A user with IP address 91.229.x.x has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 4. The last username they tried to sign in with was: ‘support’
    User IP: 91.229.x.x
    User hostname: 91.229.x.x
    User location: Ukraine
    —snip—

    It seems some folks out there are trying to log in with well-known WP user accounts, which seems reasonable to me considering that WP is a target for many “hackers”.

    It is awkward, on the other hand, that users bypass the Apache htaccess/htpasswd mechanism – even after changing the password weekly to a really random and complex one.

    So is that what Wordfence is trying to tell me?
    Are there any other login URLs apart from wp-login.php and /admin (the latter uses wp-login.php as well I assume)?

    Thanks,
    Steve

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi Steve,
    Yes, xmlrpc.php is also used for login so that is probably where these logins are coming from. You can block access to xmlrpc.php as well. However, some plugins (like Jetpack) use xmlrpc.php to connect to your site so they will stop functioning then. If you don’t use any such plugins, feel free to block away! 🙂

    Hope that helps!
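    To make the reply above concrete: the following is an added example (not code from this thread or from the Wordfence project) of an Apache .htaccess for the WordPress document root. It keeps the basic-auth protection the original poster already has on wp-login.php and additionally denies xmlrpc.php, the second login path named in the reply. The htpasswd path is a placeholder, and the example assumes Apache 2.4 (with a fallback for the 2.2 directive syntax).

```apache
# Added example, not from the thread. Place in the WordPress document root.
# Assumes mod_auth_basic plus mod_authz_core (Apache 2.4); the 2.2 block
# below is only used when mod_authz_core is absent.

# 1. Interactive login page: keep the existing HTTP basic auth in front
#    of it. Replace the AuthUserFile path with your real htpasswd file.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</Files>

# 2. XML-RPC endpoint: it also accepts a username and password, so a
#    password guess here never touches wp-login.php or the htpasswd
#    prompt. Deny it entirely unless a plugin such as Jetpack needs it.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
```

After saving the file, a request for /xmlrpc.php should return 403 while /wp-login.php still prompts for basic-auth credentials; if a plugin that depends on XML-RPC stops working, that is the trade-off the reply describes, and the Wordfence URL-blocking option mentioned later in this thread is the alternative to an outright deny.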

    Where is xmlrpc.php blocked at? Through WordPress? I host a Cub Scout site with Premium Wordfence and we get about 40 login attempts a day that get blocked, but I would rather they not even be able to log in.

    In my case, I simply delete (rename) xmlrpc.php, problem solved, no thanks to the WordPress developers who created this bot attractor. Oh, and I also install the plugin “Disable XML-RPC.” Not sure if that’s redundant or not, but the combination of plugin and deletion seems to work for me. MTN

    • This reply was modified 7 years, 2 months ago by mountainguy2.

    Hi cedaly,
    You can add /xmlrpc.php to the Wordfence option “Immediately block IPs that access these URLs” on the Wordfence Options page.

  • The topic ‘Wordfence alerts locked users (brute force)’ is closed to new replies.