• I have my options set up so that if a particular username is entered it should automatically block their IP; however, under live traffic logins I see that the button still says “block ip”. I’m not sure if this is a bug/glitch or oversight, but shouldn’t that button already be set to ‘unblock ip’ since it should already be blocked?

    Edit:

    I checked under blocking and I noticed that the IP for which the username on my list was used was NOT automatically blocked. Why is that?

    Example, the person used the username ‘test’ https://share.getcloudapp.com/ApuD2E4l
    which is on my list: https://share.getcloudapp.com/GGuzw4Y4 but their IP does not show as being ‘blocked’ when I search for it…

    • This topic was modified 2 years, 4 months ago by qwik3r.
Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter qwik3r

    (@qwik3r)

    Any update on this?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @qwik3r, thanks for getting in touch. We check the forums during office hours Monday to Friday, so I’ve just picked this up.

    When attempting to log in as “test” from the immediately block list, were you using an IP that has been added to the Wordfence allowlist? I ask as I’m successfully getting blocks for users on this list on my site, and the Wordfence allowlisted IPs can bypass all Wordfence features such as this.

    If your IP isn’t bypassing all rules, do you have the Brute Force Protection AND Rate Limiting toggles both set to “ON”?

    It’s important to also note that if “test” appears as a valid registered username in your WordPress users list, it will be ignored rather than blocked.

    Let me know if none of that seems to point to the reason for a block not being activated in this case.

    Thanks,

    Peter.

    Thread Starter qwik3r

    (@qwik3r)

    Peter,

    I more or less want to know if usernames that are on the block list attempt to log in (ones that don’t exist) if their IP is blocked automatically, because that is not the behavior I’m seeing. When I look in the log list, I see attempts for admin, test, admin1 etc… all nonexistent usernames and it doesn’t say they are BLOCKED. The ‘block ip’ button doesn’t say “unblock ip” so… my assumption is they are NOT being blocked automatically. I also do not see that they are in the block list.

    I have no way of really knowing if they are blocked, which is what I’m trying to ascertain.

    To answer your questions, I have no whitelisted IP addresses, the usernames do not exist and both of the options you mentioned are set to ON.

    Please advise.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @qwik3r, thanks for the extra information.

    The usernames in this case should be blocked for the time specified in Wordfence > All Options > Rate Limiting > How long is an IP address blocked when it breaks a rule. Anything blocked from Live Traffic manually is also subject to this rather than being permanent by default. You can certainly choose to increase this time from minutes to hours or days if you would prefer, but note that the block is effectively temporary to deal with the issue while somebody (or a bot) is repeatedly trying. This is why the button shows “block IP” instead of “unblock…” as the temporary block may have already been lifted.

    While they appear on the Wordfence > Blocking page, you can choose to make the blocks permanent, but we generally find that a manual blocking strategy is ineffective and Wordfence can do all of the important blocking for you when it’s required.

    Thanks again,

    Peter.

    Thread Starter qwik3r

    (@qwik3r)

    So just to clarify, it will not show as ‘permanent’, i.e. in the block list, because it’s a ‘temporary’ rule that falls under rate limiting, is that correct?

    I take a bit of an issue with this simply because the rate limiting options apply to both bots/hackers and normal people.

    I can’t set my rate limiting to the furthest — which is 2 months — because if it’s a legit person that could create havoc where people can’t log into their accounts and I have to do more manual labor to find out why.

    Speaking of which… there doesn’t appear to be a way to unblock someone who is rate limited (correct me if I’m wrong). What if it’s a legit person trying to log in several times and trying 10 different passwords in 5 minutes (what I currently have set) and they fail 10 times? If I set the lockout to 2 months, how do I unblock them since they don’t seem to get added to the list?

    There should be separate options for those usernames specifically, or at least an option to generate separate options. If you know for a fact that bots/hackers are going to try specific usernames that do not exist then you should be able to instantly ban their IP, not rate limit.

    I find the way it is set up to be a bit wonky.

    Thread Starter qwik3r

    (@qwik3r)

    I’m still seeing invalid username login attempts (obviously bots or hackers) such as ‘admin’ etc. When I see these, should I hit “block IP” to permanently block them, since you’re stating that the ‘invalid username’ rules only follow the ‘rate limiting’ rules?

    Again, the problem with the invalid username rules falling under ‘rate limiting’ is that there is no way to perm block someone without manually doing it. Also, not all bots (or people) seem to be attempting to log in fast. They might try twice in an hour for example. If I set the rate limiting to something further out, for example “2 times in 4 hours” then it could rate limit legit people too.

    • This reply was modified 2 years, 4 months ago by qwik3r.
    Thread Starter qwik3r

    (@qwik3r)

    Update on this?

    Thread Starter qwik3r

    (@qwik3r)

    2 Weeks no response. Fantastic support.

    Thread Starter qwik3r

    (@qwik3r)

    Following up on this.

  • The topic ‘Automatic blocking of usersnames’ is closed to new replies.