[Resolved] Vincent

    (@vinnyboy)


    I keep getting emails from Wordfence regarding users attempting to log in. I went as far as changing the login page so that it is no longer accessible, but I am still getting these alerts. I put up a generic dummy page that does nothing except redirect to the homepage on submit, to track how many people go there. My question is: where or how are these bots or hackers logging in when even I can't find the admin/login page?

    Website: https://stop-collections.com

    Example Message:

    This email was sent from your website “Stop Collections” by the Wordfence plugin at Friday 3rd of February 2023 at 09:19:32 AM
    The Wordfence administrative URL for this site is: https://stop-collections.com/wp-admin/admin.php?page=Wordfence
    A user with IP address 72.167.252.231 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username ‘admin’ to try to sign in.
    The duration of the lockout is 2 hours.
    User IP: 72.167.252.231
    User hostname: 231.252.167.72.host.secureserver.net
    User location: United States

    This topic was modified 1 year, 9 months ago by Vincent.
Viewing 7 replies - 1 through 7 (of 7 total)
    Just posting to point out I am having similar issues. Specifically, I use the Trusona plugin, requiring all users to log in with Trusona’s 2FA feature. I also have turned off user registration.

    So, there is no way that anyone can register on my site, nor can anyone try to log in who is not already a user. And there is only one user, myself.

    Yet, I get these notifications from Wordfence telling me that users have been locked out from trying to sign in.
    I understand it’s possible to authenticate in other ways than using the login form, like via the REST API. But it is also my understanding that the REST API does not, out of the box, allow for account creation.

    So, how are these actors able to try to log in, and get banned by Wordfence?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @vinnyboy, thanks for your message.

    I have seen rogue users potentially trying to come through XML-RPC, which can be disabled. “Disable XML-RPC authentication” appears in Wordfence > Login Security > Settings. You can also block this route entirely using .htaccess, provided you don’t use the WordPress app or a plugin that requires it such as Jetpack:

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

    Aside from this, I agree that with 2FA enabled for your administrative accounts – as also recommended by WordPress themselves – and complex passwords set for your cPanel/FTP/database/host etc., Wordfence will look after your WordPress installation using its extensive database of vulnerabilities, IPs and signatures to detect exploitable plugins, known current “bad” IPs, and malicious files. It could also be appropriate to enable reCAPTCHA for registration and login forms. Note that Wordfence’s Login Security features will do this, but only function for default WordPress and WooCommerce pages rather than custom forms.

    Let me know how you get on!
    Peter.
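    To see for yourself which route the locked-out requests are taking, the web server's access log is more informative than the lockout email: it records the path hit, so xmlrpc.php, wp-login.php and the REST API user listing can be told apart. The following is an added example, not Wordfence's or the poster's code; it parses a few constructed Apache combined-format log lines and groups the authentication-capable routes per source IP, with the 403 on the last xmlrpc.php line showing what an .htaccess block like the one above looks like once in place.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" log format (not real traffic);
# the IPs are documentation ranges used as stand-ins.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Feb/2023:09:19:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Feb/2023:09:19:31 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Feb/2023:09:19:32 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2023:09:20:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3450 "-" "curl/7.88"
198.51.100.7 - - [03/Feb/2023:09:20:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 120 "-" "curl/7.88"
192.0.2.55 - - [03/Feb/2023:09:21:00 +0000] "GET /contact/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints that accept WordPress credentials or expose usernames even when
# the wp-login page has been hidden or replaced.
AUTH_ROUTES = {
    "/wp-login.php": "login form / password recovery",
    "/xmlrpc.php": "XML-RPC (WordPress app, Jetpack, older clients)",
    "/wp-json/wp/v2/users": "REST API user listing",
}

def parse_line(line):
    """Return ip/method/path/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],   # drop the query string
            "status": int(m.group("status"))}

def auth_attempts(log_text):
    """Count hits per (ip, route) for the authentication-capable routes only."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in AUTH_ROUTES:
            counts[(rec["ip"], rec["path"])] += 1
    return counts

def routes_by_ip(log_text):
    """Group the counts so each source IP lists which routes it actually used."""
    report = defaultdict(dict)
    for (ip, path), n in auth_attempts(log_text).items():
        report[ip][path] = n
    return dict(report)

if __name__ == "__main__":
    for ip, routes in routes_by_ip(SAMPLE_LOG).items():
        for path, n in routes.items():
            print(f"{ip:15} {n:3} x {path:22} {AUTH_ROUTES[path]}")
```

    Run against a real access log by replacing SAMPLE_LOG with the file contents; an IP that appears only under /xmlrpc.php never touched the login form at all.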

    Thanks. Will try that out.

    Plugin Support wfpeter

    (@wfpeter)

    No worries @mastababa. If that doesn’t work for you by all means open up a new topic detailing everything you’ve tried (referencing this topic link if necessary) so we can deal with your case individually. Topics will ideally assist the original poster only, in case there are any differences in each solution to make things easier to follow.

    Thanks again,
    Peter.

    Thread Starter Vincent

    (@vinnyboy)

    Thank you Peter. I was going crazy trying to figure out how and where the heck these hackers were attempting their logins when I literally disabled the login page.

    I looked into this xmlrpc and from what I gather this is an older method for plugins and apps. Apparently this is not so secure and is targeted by hackers. Do you know if this is correct, in that new plugins and apps do not use this, so aside from backwards compatibility it is not needed? (https://kinsta.com/blog/xmlrpc-php/)

    It looks like you work for Wordfence, so may I suggest making the alerts a touch more descriptive. Unless I missed something (which is possible), the warning email that gets sent makes it appear as though the hackers are using the wp-login page form ("user with IP address *** has been locked out from signing in or using the password recovery form"). I only figured out it was some other page or method by literally disabling the main form/page wp-login.

    If I may chime in, XML-RPC is needed by Jetpack.

    Thread Starter Vincent

    (@vinnyboy)

    So then the question that remains is: do you leave the site vulnerable by using Jetpack, and in turn xmlrpc, or use an alternative to Jetpack? Not saying one is right or wrong, but for me and my site, which gets attacked on the daily, I already shut off xmlrpc through the Wordfence plugin.

The topic ‘Wordfence: user with IP address *** has been locked out’ is closed to new replies.