• Resolved Bybe

    (@bybe)


    When adding lockout usernames such as “admin” it is not obvious if this is case sensitive. For example, if I add “admin” will this block “Admin”? I’ve checked your documentation and it mentions nothing about it here.

    Also, a feature suggestion: it would be nice to include wildcards on such usernames, so that “admin*” would block “administrator”, “admin1”, etc.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @bybe,

    Currently, the “Prevent users registering ‘admin’ username if it doesn’t exist” is case-sensitive so technically “Admin”, “Admin123”, etc. could be signed into unless specifically mentioned in the “Immediately block the IP of users who try to sign in as these usernames” box. However, adding usernames to this section is especially useful if you’re finding a high amount of cases where a bot or human is attempting to sign in repeatedly with the same username, just to help stem the flow of a specific problem for a specific site.

    Wordfence’s, and WordPress’ for that matter, main recommendation would be to enable 2FA (at least for administrators) and reCAPTCHA for all users for maximum protection. Our Brute Force and Rate Limiting options along with the inbuilt firewall rules & lists of known ‘bad’ IPs/hostnames should protect your site well without having to take too much custom action.

    I will however mention your suggestions to the team as all customer development requests do get considered, especially if they’d assist the wider user-base also.

    Thanks,

    Peter.

    Thread Starter Bybe

    (@bybe)

    Hi,

    Thank you for the prompt response.

    The issue with 2FA is that it doesn’t stop login attempts. The brute force feature is a must and works very well, but with thousands of IP addresses attempting daily, it does cause a lot of server-side requests.

    Rate limiting is also a useful feature, but that’s on the assumption one particular IP address is attacking, and even with throttles, an attack of thousands of bots still adds up to thousands of server-side requests.

    Please do forward my suggestions. These particular bots often follow word lists and use the most common logins, such as Admin, administrator, Administrator, adminwp, Adminwp, admin1, Admin1, etc., and having to fill them in twice because they are case sensitive is time consuming, causes clutter, etc. A simple admin* should be a feature to block all of those attempts, and ban that bot before it even gets throttled or brute force blocked.

    Even with brute force attacks, using low numbers, and setting a low ban of 5 attempts with lockout, 1,000 IP addresses is 5,000 attacks.

    I know you also have the feature where you can simply ban users that do not exist; the problem with this is it can be cumbersome for real users, and the idea of unblocking through the URL feature is something I don’t personally like.

    Again, thanks for getting back to me, and I hope the feedback team does consider allowing * wildcards, and an option to ignore case sensitivity on usernames when adding bad usernames.

    Kind regards.

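To make the requested matching semantics concrete, here is an added example (not Wordfence code, and not from either poster) of a username blocklist that supports the `*` wildcard and optional case-insensitive matching, run over a constructed set of login attempts. The pattern list, the attempt data and the function names are all assumptions for illustration; the comparison shows how many attacking IPs a case-sensitive exact list catches on the first attempt versus a case-insensitive `admin*` rule.

```python
import fnmatch
import re

# Constructed sample of sign-in attempts (ip, username); not real log data.
# Usernames mirror the word-list style names mentioned in the thread.
ATTEMPTS = [
    ("198.51.100.7", "Admin"),
    ("198.51.100.8", "administrator"),
    ("198.51.100.9", "Adminwp"),
    ("198.51.100.10", "admin1"),
    ("198.51.100.11", "editor"),      # legitimate-looking name, must not match
    ("198.51.100.12", "admin"),
]


def compile_blocklist(patterns, ignore_case=True):
    """Turn shell-style patterns ('admin*', 'wpadmin') into anchored regexes.

    fnmatch.translate() produces a fully anchored pattern, so 'admin' only
    matches the exact username while 'admin*' matches any prefix match.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(fnmatch.translate(p), flags) for p in patterns]


def is_blocked_username(username, compiled):
    """True if the username hits any compiled blocklist entry."""
    return any(rx.match(username) for rx in compiled)


def blocked_ips(attempts, patterns, ignore_case=True):
    """IPs that would be blocked immediately on their first attempt.

    With a first-attempt block the request never reaches the brute-force
    counter, which is the cost saving the poster is asking for.
    """
    compiled = compile_blocklist(patterns, ignore_case)
    return sorted(
        {ip for ip, user in attempts if is_blocked_username(user, compiled)},
        key=lambda ip: tuple(int(o) for o in ip.split(".")),
    )


if __name__ == "__main__":
    exact = blocked_ips(ATTEMPTS, ["admin"], ignore_case=False)
    wild = blocked_ips(ATTEMPTS, ["admin*"], ignore_case=True)
    print(f"case-sensitive exact 'admin': {len(exact)} IP(s) blocked on first try")
    print(f"case-insensitive 'admin*':    {len(wild)} IP(s) blocked on first try")
```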
  • The topic ‘Block the IP of users who try to sign in as (Case Sensitive)’ is closed to new replies.