To see if Wordfence can send emails at all, you can scroll to the bottom of your Wordfence Options page, look for the option:
“Send a test email from this WordPress server to an email address”
Just enter your email address, and click the “Send Test Email” button.
If the message doesn’t come through (and isn’t in your spam folder), you might need to check with your host to see if they are are blocking these messages, or if they are stuck in the queue. Some hosts will delay outgoing messages if too many are sent too quickly. If the test message gets through, but the others do not, reply here.
(For your other question about how they figure out your username — there can be a number of ways. Often, it is from using a theme that shows a link to your author page, or even lists your username as a class of the <body> tag of each post you create.)
Thread Starter
silky
(@sdwright)
The test email came through with no problem. So that wasn’t the issue.
As for my username, I have an ‘under maintenance’ plugin in use. Plus, I’ve tried various recommendations to protect my username, such as posting under a different username and not the admin name. It’s just all so creepy.
Thread Starter
silky
(@sdwright)
Just a note…the only plugin I’m using on the site is Wordfence, and the hacker has really been trying to get at the plugin folder. I suspect they are looking for some vulnerability in the plugin.
There’s no hacker it is only an automated bot that tries to login and identify your username.
From what you’ve said above I think the bot figured out your username from the domain you use, most people’s usernames are same as their domain names for example: silky.com site would have a username “silky”.
You said WF doesn’t send any notif emails so in this case try using an SMTP (email) plugin and see if that works.
B13story is probably correct that it is a “bot” and not a live person trying to get in. For the email alerts about the brute force attempts, did you even get one email? Or none at all?
Wordfence can be set to prevent excessive email alerts from being sent, so that could have stopped a lot of them from coming through. Since the Wordfence test email was delivered successfully, this one is unusual.
Also, do you still get messages from Wordfence on your site when plugins need to be updated — and only the brute-force alerts are missing?
Thread Starter
silky
(@sdwright)
I got a message from this one domain that Wordfence needed to be updated even though I had it set to update automatically. I got nothing regarding the attempts to login, and there were many.
Why on earth would a bot be trying to log in? Isn’t that a bad thing?
Ok. I haven’t seen only the brute force emails missing, while the others are all working. I will ask around, to see if anyone else has come across this.
The bots attempting to log in are definitely bad, but generally, it at least means that it’s not someone who is after you personally! Usually whoever is running the bot is trying to find new places to host bad things for free (malware, banking scams, etc.) or sending spam emails, but Wordfence is good at blocking them from getting in.
I will post back here when I find out if anyone has had similar missing emails.
I missed asking in my first post — just to rule it out, can you check your Wordfence Options page under the Alerts section, to be sure that “Alert when an IP address is blocked” and “Alert when someone is locked out from login” are turned on?
Thread Starter
silky
(@sdwright)
Yes, those items have been marked from the beginning. I also had the feature block attempts to get usernames using that author url. Still, they got the username and tried to sign in (hard to believe that could be a bot). I don’t use admin, and my username is obscure. Attempts were also made using ‘administrator’ by an ip in Australia. (I’m referring to the domain where no email was sent)
I had another domain that I forgot to install Wordfence on until yesterday. I couldn’t even sign on. So I had to go to my host to change the password. Today, Wordfence emailed me that someone had tried to sign in using Admin and requested an email to change the password. Wordfence blocked that, and I have since put a permanent block on the ip. So that’s good. Thing is, I did a site check through Google and discovered that over a 100 pages had been added for viagra and other stuff. (but that probably happened before I installed Wordfence) I don’t think I’m dealing with a bot, because I’ve been plaqued with attacks by the same ip out of Ukraine, which I have blocked on all my sites using Wordfence. But goodness, this person(s) is persistent and it’s exhausting trying to stay ahead. I did run another scan, but Wordfence didn’t note any changes to the pages, and it said all was fine. But would that be true in the case of url injection?
By the way, I really appreciate your quick responses.
I can’t seem to find anything else that might be causing the missing brute-force email notices. Is the only place you see the login attempts on Wordfence’s “Live Traffic” page?
You also mentioned an “under maintenance” plugin — it might be doing something unusual that conflicts with Wordfence. Another possibility would be the theme — some themes include functions that don’t work well with other plugins. If you can safely switch themes and/or try a different maintenance plugin for a while, you may see the emails start to come through again.
For the other site that was hacked before Wordfence was installed, you might want to review this guide on cleaning a hacked WordPress site:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
I don’t see “Send Test Email” button anywhere? I have Postman SMTP installed.
