Any WordFence gurus here?

    Hi everyone,

    I've been installing the free version of WordFence on all my customers' sites. I leave most settings set to the defaults. A customer just sent me the weekly update for her site. Someone guessed her username and tried to log in 740 times (!). The default settings lock you out after 20 failures over 5 minutes, and you're locked out for 5 minutes.

    I accessed the log file and it appears they tried to log in over 30 times a minute, repeatedly, for at least 10 minutes that I can see. Why didn't WordFence block them after 20 tries, and then keep them out for the next 5 minutes?

    The IP address was also not listed in her weekly summary, and given the number of failed attempts, I thought it would have been at the top. When I log into her site and view the log file of blocked IP addresses, that seems to only show recent blocks, as none were listed at first, but when I visited the screen 5 minutes later, a few appeared.

    She's concerned the software isn't functioning properly, and we can't post on their Help forum because she's not a Premium member, so if anyone here has any tips, we would be grateful.

    Here's a snippet of the log file -

    mietzikat 37.187.163.68 6 hours ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 1 min ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 2 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
    mietzikat 37.187.163.68 6 hours 3 mins ago
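
The log above can be replayed against the policy the post describes (20 failures inside a 5-minute window locks the IP for 5 minutes) to see what the policy should have done. The script below is an added example, not Wordfence's code or its actual algorithm; it only models the stated policy, parses the log format shown in the post, and rebuilds the post's snippet from the per-minute counts (1, 32, 31, 31 attempts) as constructed sample input.

```python
"""Replay a Wordfence-style failed-login log against a lockout policy.

Added example for the question above; this is not Wordfence's code and only
models the policy the post describes (N failures in a window => lock the IP
for M minutes). The log format parsed is the one shown in the post.
"""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<when>.+?)\s+ago$"
)
UNIT_MINUTES = {"min": 1, "mins": 1, "hour": 60, "hours": 60, "day": 1440, "days": 1440}


def parse_line(line):
    """Return (user, ip, minutes_ago) for one log line, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    minutes = 0
    for qty, unit in re.findall(r"(\d+)\s+([a-z]+)", m.group("when")):
        if unit not in UNIT_MINUTES:
            raise ValueError(f"unknown time unit {unit!r} in {line!r}")
        minutes += int(qty) * UNIT_MINUTES[unit]
    return m.group("user"), m.group("ip"), minutes


def simulate_lockout(lines, max_failures=20, window_min=5, lockout_min=5):
    """Replay oldest-first and apply the policy per source IP.

    Returns {ip: {"failures": attempts that reached the login form,
                  "lockouts": times the threshold was crossed,
                  "blocked": attempts an active lockout should have rejected}}.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    # The log lists newest first; reverse it so same-minute entries keep their
    # order, then sort on a time axis where "N minutes ago" becomes -N.
    events = sorted(((-mins, user, ip) for user, ip, mins in reversed(events)),
                    key=lambda e: e[0])

    recent = defaultdict(deque)   # ip -> failure times inside the window
    locked_until = {}             # ip -> time the lockout expires
    stats = defaultdict(lambda: {"failures": 0, "lockouts": 0, "blocked": 0})
    for t, _user, ip in events:
        if locked_until.get(ip, float("-inf")) > t:
            stats[ip]["blocked"] += 1     # should never have reached wp-login
            continue
        q = recent[ip]
        q.append(t)
        while q[0] <= t - window_min:     # drop failures outside the window
            q.popleft()
        stats[ip]["failures"] += 1
        if len(q) >= max_failures:
            stats[ip]["lockouts"] += 1
            locked_until[ip] = t + lockout_min
            q.clear()
    return dict(stats)


def sample_log():
    """Constructed lines in the post's format, newest first: 1 attempt at
    '6 hours ago' then 32, 31 and 31 in the three preceding minutes (95 total)."""
    lines = ["mietzikat 37.187.163.68 6 hours ago"]
    for minute, count in ((1, 32), (2, 31), (3, 31)):
        unit = "min" if minute == 1 else "mins"
        lines += [f"mietzikat 37.187.163.68 6 hours {minute} {unit} ago"] * count
    return lines


if __name__ == "__main__":
    for ip, s in simulate_lockout(sample_log()).items():
        print(f"{ip}: {s['failures']} failures reached the form, "
              f"{s['lockouts']} lockout(s), {s['blocked']} attempts should have been blocked")
```

Under the stated defaults the replay locks the IP at the 20th failure in the oldest minute, so 75 of the 95 logged attempts should have been rejected. The replay only says what the policy would do, not what the plugin did, so the next things to check are whether these entries are login failures or requests the plugin had already rejected and logged anyway, and whether the plugin sees the real client address (behind a proxy or CDN every visitor can appear to come from the same IP, so a lockout lands on the wrong address). Also note the ceiling the policy sets: an attacker pacing at 19 attempts per 5 minutes never trips it, which is roughly 5,400 guesses a day, so this kind of lockout is a throttle rather than a stop.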

  • #2
    Did you check the settings, and make sure that they are set to lock and block users after so many attempts?
    That number could be set anywhere from 5-20 times.

    There are quite a number of settings, and they can be daunting for most users.

    If this is a big concern of your client's, you could use a simpler plugin like Limit Login Attempts. Or better yet, switch to a host that does all the security before it ever reaches your site.

    • #3
      Hi Sogwap,

      I did double check the settings, which are set to the default - lock out after 20 login attempts and lock them out for 5 minutes. Which is why it's strange that it seems to have allowed that IP address over 30 tries every single minute, but I think I'll make them a bit tighter. I much prefer WordFence over Limit Login Attempts as it does so much more.

      • #4
        I had a few sites that got this sort of nonsense attack - I added a plugin to change the /wp-admin login url, and it just stopped - worked well...
        And have since used it on 2 or 3 other sites with the same issue.
        https://wordpress.org/plugins/wps-hide-login/
        HTH

        • #5
          Thanks, Dave... I'll check it out.

          • #6
            You might want to look into this, too: https://www.wpwhitesecurity.com/word...ress-security/

            Like you, I do use Wordfence plus the above plus additional hardening via htaccess (and disabling the file editor via wp-config.php). I hated to see those bots finding real usernames in no time (which is actually easy with default WP), and the trick outlined above works fine. Feels much better if you see them failing at guessing the username already before they can even try a password.
            You might want to add that to your "easy to do without a plugin" box of security layers.

            +1 for the plugin Dave recommended, btw. Slick and works.

            • #7
              Thought I would add a couple of things I found along the way and which I have been doing

              - never add content (page, post, product, etc.) as a user with the Administrator role; create a new user with the Author role to do so; if they guess that username, then it's not as crucial as guessing an admin one
              - I was told about the above when I mentioned the following at our local WP Meetup: if you hover over the Author name in the meta of a blog post, the URL will reveal the username even if the meta has been set to display the "real" name.
              - so what I do in addition to the above is, using phpMyAdmin, I change the 'nicename' field to something way off base, as by default it is the actual username; this is NOT to be confused with the NICK name that can be provided in the User profile. And then when you check the failed login attempts logs, you will see that the little buggers are using your "way off base" nicename to try to login

              Cheers!
              Lyle
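
The nicename check above can be done across all accounts at once rather than one by one. The script below is an added example, not code from the post or from WordPress core: it takes rows as exported from wp_users in phpMyAdmin (ID, user_login, user_nicename, display_name), flags accounts whose user_nicename is still the default WordPress derives from the login (sanitize_title of the login, with a -2, -3, ... suffix when taken), and prints the UPDATE statements that replace it with a random slug. The sanitize_title approximation, the wp_ table prefix and the sample rows are assumptions.

```python
"""Find WordPress accounts whose public author slug gives away the login name.

Added example for the point above; not from the post or WordPress core. It
takes rows as exported from wp_users in phpMyAdmin (ID, user_login,
user_nicename, display_name), flags accounts whose user_nicename is still the
login-derived default, and writes the UPDATE statements to replace it.
Assumes the default table prefix wp_.
"""
import re
import secrets


def sanitize_title(text):
    """Approximation of WordPress's sanitize_title(): lower-case, keep
    [a-z0-9 _-], spaces to hyphens, collapse hyphens. Core handles accents and
    percent-encoding too; ASCII login names are the assumption here."""
    text = re.sub(r"[^a-z0-9 _-]", "", text.lower())
    text = re.sub(r"\s+", "-", text)
    return re.sub(r"-+", "-", text).strip("-")


def leaky_accounts(users):
    """Return (ID, user_login, reason) for accounts that expose the login.

    user_nicename is what appears in /author/<nicename>/ and as "slug" in the
    REST users endpoint; WordPress defaults it to sanitize_title(login),
    adding -2, -3, ... when that slug is already taken.
    """
    findings = []
    for u in users:
        slug = sanitize_title(u["user_login"])
        nice = u["user_nicename"]
        if nice == slug or re.fullmatch(re.escape(slug) + r"-\d+", nice):
            findings.append((u["ID"], u["user_login"], "nicename is the login slug"))
        elif u["display_name"] == u["user_login"]:
            findings.append((u["ID"], u["user_login"], "display name is the login"))
    return findings


def random_nicename():
    """12 hex characters: unrelated to the login and valid for user_nicename."""
    return secrets.token_hex(6)


def remediation_sql(users, prefix="wp_"):
    """UPDATE statements, one per leaky nicename, to run in phpMyAdmin."""
    return [
        f"UPDATE {prefix}users SET user_nicename = '{random_nicename()}' "
        f"WHERE ID = {int(uid)};"
        for uid, _login, reason in leaky_accounts(users)
        if reason.startswith("nicename")
    ]


# Constructed sample rows, not real accounts.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "mietzikat", "user_nicename": "mietzikat", "display_name": "Site Owner"},
    {"ID": 2, "user_login": "Jane Author", "user_nicename": "jane-author", "display_name": "Jane"},
    {"ID": 3, "user_login": "editor", "user_nicename": "k3v9q2x1m7p0", "display_name": "editor"},
    {"ID": 4, "user_login": "bob", "user_nicename": "bob-2", "display_name": "Bob"},
]

if __name__ == "__main__":
    for uid, login, reason in leaky_accounts(SAMPLE_USERS):
        print(f"ID {uid} ({login}): {reason}")
    print("\n".join(remediation_sql(SAMPLE_USERS)))
```

Two things to keep in mind when applying the statements: the author archive URL changes from /author/<old-slug>/ to the new one, so existing links to it break, and the numeric ID is still there, so ?author=1 and the REST users endpoint now hand out the random slug instead of the login. That last point is exactly what the post's log observation shows: the guessers end up hammering the decoy name.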
