• Resolved psamathe

    (@psamathe)


    Wondering if “Immediately block the IP of users who try to sign in as these usernames” is case-sensitive.

    I’m getting quite a few login attempts (brute force, ongoing and a bit irritating) but Wordfence and another plug-in seem to be keeping them out. I’m not always sure which plug-in is catching which attempts but it’s secure.

    I’ve added the “Immediately block the IP of users who try to sign in as these usernames” setting to the config as the attempts are repetitive but sometimes have weird capitalisation, so I was wondering if WF checks on this feature are case-sensitive (e.g. would config “abc” block somebody logging in as “Abc”?).

Viewing 8 replies - 1 through 8 (of 8 total)
  • Anonymous User 9948090

    (@anonymized-9948090)

    ^^ I wonder why Wordfence has this case-sensitive issue?

    https://www.ads-software.com/support/topic/bug-banned-urls-are-case-sensitive/

    Thread Starter psamathe

    (@psamathe)

    That will be why I’m seeing strange capitalisation patterns in the username being submitted by the brute force attack. And I suspect that it is the other security plug-in that is blocking the access.

    No way am I going to bother to configure in all case combinations for the 14 character usernames they are currently “exploring”.

    Is there any schedule when this is likely to be fixed?

    • This reply was modified 6 years, 4 months ago by psamathe.

    Hi @psamathe,

    The lockout usernames feature is indeed case-insensitive.

    Taking a look at wordfence/lib/wordfenceClass.php:2636-2639 it says:

    if($blacklist = wfConfig::get('loginSec_userBlacklist')){
        $users = explode("\n", wfUtils::cleanupOneEntryPerLine($blacklist));
        foreach($users as $user){
            if(strtolower($username) == strtolower($user)){
                // ... lockout handling follows in the plugin source (not quoted here) ...
            }
        }
    }

    Note the strtolower($username) == strtolower($user).

    If you are adding admin to the blacklist, but you are still able to attempt Admin please let me know.

    Dave
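    As an added example (not Wordfence’s own code, and not posted by anyone in this thread), the comparison quoted above re-created as a stand-alone PHP script so the case handling can be tried without a WordPress install. wfConfig::get() and wfUtils::cleanupOneEntryPerLine() are replaced by local stand-ins whose behaviour is assumed, and the blacklist setting and login attempts are constructed samples.

```php
<?php
// Added example, not Wordfence's own code: a stand-alone re-creation of the
// username-lockout comparison quoted above so the case handling can be tried
// without a WordPress install. wfConfig::get() and
// wfUtils::cleanupOneEntryPerLine() are replaced by local stand-ins
// (assumed behaviour, not the plugin's implementation).

// Stand-in for the saved 'loginSec_userBlacklist' setting: one username per
// line as typed into the textarea, with stray spaces and blank lines
// (constructed sample).
const BLACKLIST_SETTING = "admin\n  Administrator \r\nwpuser\n\n";

// Stand-in for wfUtils::cleanupOneEntryPerLine(): normalise line endings,
// trim each entry and drop empty lines, returning one entry per "\n".
function cleanupOneEntryPerLine(string $raw): string
{
    $lines = preg_split('/\r\n|\r|\n/', $raw);
    $lines = array_map('trim', $lines);
    $lines = array_filter($lines, fn(string $l): bool => $l !== '');
    return implode("\n", $lines);
}

// Same shape as the quoted plugin code: split the setting, then compare the
// attempted username with each entry after lower-casing both sides.
// strtolower() folds only ASCII A-Z, so entries in other alphabets would
// still compare byte-for-byte (mb_strtolower() would be needed for those).
function isLockoutUsername(string $username, string $blacklist): bool
{
    if ($blacklist === '') {
        return false;
    }
    $users = explode("\n", cleanupOneEntryPerLine($blacklist));
    foreach ($users as $user) {
        if (strtolower($username) == strtolower($user)) {
            return true;
        }
    }
    return false;
}

// Constructed login attempts, including the odd capitalisation described in
// the thread. The attempted username itself is not trimmed in this example,
// so a trailing space defeats the match here.
$attempts = ['admin', 'Admin', 'AdMiN', 'ADMINISTRATOR', 'wpUser', 'editor', 'admin '];

foreach ($attempts as $attempt) {
    printf("%-16s => %s\n", var_export($attempt, true),
        isLockoutUsername($attempt, BLACKLIST_SETTING) ? 'lockout' : 'allowed');
}
```

    Run it with `php` on the command line. Every capitalisation of a configured name matches; only “editor” and the attempt with the trailing space report “allowed”. If a configured name is still getting through on a live site, the comparison itself is not where to look; something earlier in the login flow (such as another plugin handling the attempt first) is the more likely cause.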

    Thread Starter psamathe

    (@psamathe)

    Reason for my suspicion is I’ve seen loads of login attempts with bad passwords on configured “immediate lockout usernames” but with strange capitalisation that are not locked out. I’ve configured the usernames as all lower case but hack attempts are using some capitalisation.

    As I say, it’s not a panic as I have another security plug-in that is blocking them out.

    But I don’t have time at the moment to carry out tests, etc. I’ll experiment more once I get a bit more time.

    • This reply was modified 6 years, 4 months ago by psamathe.

    Ah, it is possible that another plugin is conflicting with Wordfence’s ability to block out usernames.

    Can you see if Wordfence blocks the username “AdMiN” when your other security plugin is disabled?

    I’ve done some tests on my own installation of Wordfence and it seems to be working fine. Can you let me know if there’s anything different about the login page in your WordPress site?

    Thread Starter psamathe

    (@psamathe)

    I will try but I’m afraid it might not be for a bit of time. I’m now in the middle of moving the site between hosting providers so even the hackers are not getting anywhere at the moment.

    It’s the standard login page, latest public release of WordPress.

    I am happy to identify the other plug-in if it is useful but didn’t want to start implying plug-in <xxx> is ….. I only mentioned it to lower the priority as the login attempts are being blocked so I feel “unthreatened”.

    I suspect the hack attempts will drop to more routine levels in a week once US politics ends campaign-time (I assumed they were related to that as they started at the same time as the campaigning). I actually went overkill whilst moving sites and completely blocked all countries the login attempts were coming from (in case DNS propagation delays give them access before I get access!).

    If I’m the only person raising it and my config is complicated by a 2nd security/blocking plug-in then I’ll mark it as resolved and post additional info when it’s available.

    Thanks for your response.

    No worries! Come back anytime and we’ll be happy to help you out. I’ll continue to do additional testing on my end to see if I’m able to reproduce this issue.

    Dave

    Wordfence, any progress on fixing “Immediately block IPs that access these URLs” to make that feature case insensitive?

    MTN

  • The topic ‘Is “Immediately block the IP of users who try to sign in …” Case Sensitive?’ is closed to new replies.