We’ve enabled Wordfence and although the brute force attack protection options are enabled and set correctly, they are not effective at all. And no “blocked logins” are displayed in dashboard or logs. The “hide invalid login” and such features don’t work neither. None of them actually.

So, I am guessing that somehow Wordfence is not actually breaking into the /wp-login.php login to intercept the requests correctly. Is there some additional configuration that needs to be done to make it work?

If not, what else could I check to diagnose what it is going on here? Why logins via /wp-login.php are not being correctly intercepted by Wordfence?

I had 25,000 attacks in last 48 hours. I changed my login page from wp-admin to another url weeks before that but it didn’t help. Also I set password for wp-admin folder too from my host, but all of these actions didn’t help.

What should I do to solve this problem? How can they find my folder password? How they solve my reCAPTCHA which I used to protect my login form?

Please help me to solve this problem.

Best Regards

Ali Nedaei

I am using the plugin on one of my e-commerce websites. I have used the IP Address + Cookie Based Login option which gave me a unique id. I have also redirected my Admin page to CIA.GOV just to scare the Hackers.

But, this is a WooCommerce Website and it is blocking my customers also as they are not able to log in. They are being redirected to CIA.GOV

Is there a way to resolve this or is there an option where I can keep my group of Customers away from getting blocked?

Our client has been victim of some brute force attacks on the wordpress login and as a security measure we have restricted access to wp-login page.

So now when you access wp-login page from a different IP it is forbidden.

All seems good however we are still receiving information that we are still under brute force attack:

“A lockdown event has occurred due to too many failed login attempts or invalid username”

Since you cannot access the wp-login page, my question is: Is there another way to access the admin area that I do not know about. How are they still able to attack?

Any advice/ideas would be greatly appreciated.

Thank you,

I need help regarding the Authorizer plugin. The plugin works well in all aspects, but I am facing some issues.
My website is facing a Bruteforce attack(ie, random user logins are carrying out with non-existing user names(I checked them against our ldap) and some usernames already existing, but they were blocked by your auth_settings_advanced_lockouts_failed_attempts meta value.).

Whenever a failed attempt occurs, auth_settings_advanced_lockouts_failed_attempts in wp-options table increments and all users who try to log in to the website is blocked saying “There have been too many invalid login attempts for the username” even if the user tries with the correct credentials. The user who carries out a fresh login with correct credentials is blocked by this. How can I resolve this?

Any help would be appreciated. Thanks in advance.

I have stored brute force protection in the / wp-admin / folder for my site at the provider. Secure username + long, secure password. The upstream login window actually pops up in different browsers for me.

The Wordfence plug-in (free version), which I appreciate, gives daily alerts that users from all over the world are trying to log into wp-login.php.

What could be the reason?
Thank you for your help

A user with IP address 212.199.163.60 has been locked out from signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 20. The last username they tried to sign in with was: ?admin‘.
The duration of the lockout is 4 hours.
User IP: 212.199.163.60
User hostname: 212.199.163.60.static.012.net.il
User location: Jerusalem, Israel