• Resolved nh905

    (@nh905)


    Great plugin! Solves one of my major concerns about WordPress.

    I successfully installed the plugin to log all login attempts. I also enabled and tested the feature to block logins to the ‘admin’ user. I am having trouble with the WP_FAIL2BAN_BLOCK_USER_ENUMERATION feature. I included define('WP_FAIL2BAN_BLOCK_USER_ENUMERATION',true); in wp-config.php but see no error messages if I access my site using “https://<WPsite>/?author=<n>” where ‘n’ is both a valid id and a non-existent id. Am I missing something obvious?

    Thanks, Norbert

    https://www.ads-software.com/plugins/wp-fail2ban/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter nh905

    (@nh905)

    Using print_r calls before the ‘add_filter’, I confirmed that WP_FAIL2BAN_BLOCK_USER_ENUMERATION is defined and has a value of ‘1’. I also confirmed that the ‘author’ value is properly set in $_GET. However, I do not see any output from print_r calls after ‘add_filter’ and before the test for integer ‘author’ values, as though the hook is either not being set up properly or the filter function is not being called. I am testing the user enumeration feature using
    https://<domain>/?author=2

    Thanks, Norbert

    Plugin Author invisnet

    (@invisnet)

    I’ve re-tested this for 3.0.2 and it’s working as expected. My guess is you’ve got another plugin that’s getting in the way.

    Thread Starter nh905

    (@nh905)

    I will upgrade to 3.0.2 and re-test.

    Thanks, Norbert

    Thread Starter nh905

    (@nh905)

    I upgraded the WP-fail2ban plugin and disabled all other plugins. When I visited the domain as https://<domain>?author=2, the nodes associated with that user were displayed with the user name showing in the tab. Nothing was logged to /var/log/secure. My wp-config.php contains:

    // 20151204 direct WP fail2ban messages to /var/log/secure
    define('WP_FAIL2BAN_AUTH_LOG',LOG_AUTHPRIV);
    // 20151204 block user enumeration
    define('WP_FAIL2BAN_BLOCK_USER_ENUMERATION',true);
    // 20161012 block all but xxx*, yyy* or zzz*
    define('WP_FAIL2BAN_BLOCKED_USERS','^(?!.*(xxx|yyy|zzz)).*');

    Trying to login with an unexpected username does log to /var/log/secure, so that part is working.

    Any suggestions on further debugging? I am running WordPress 4.2.9 on my test system and will be upgrading. Should I remove the code from the other plugins from the /plugins directory?

    Thanks, Norbert

    Plugin Author invisnet

    (@invisnet)

    I can only think that it didn’t work with 4.2.x; I know I tested it (I keep a log), but maybe I missed something or maybe your install has a problem. Either way, this isn’t something that will benefit from further guessing.

    Once you’ve upgraded to the latest version (4.5.3 at the time of writing) post back here, either way. I deliberately keep things simple in the plugin to avoid weirdness, but I’m genuinely curious about this one.

    Thread Starter nh905

    (@nh905)

    Hi Charles, I have finally had a chance to refresh the test site. I am now running WordPress 4.5.3 with wp-fail2ban 3.0.3. Plugins Akismet, Bulk Comments Management, Limit Login Attempts, Newsletter, Uber Login Logo, WordPress.com Stats and Yoast SEO are installed but deactivated. User enumeration blocking is still not working for me.

    I added the following debug statements:

    if (defined('WP_FAIL2BAN_BLOCK_USER_ENUMERATION') && true === WP_FAIL2BAN_BLOCK_USER_ENUMERATION) {
        print_r("Initialise function: WP_FAIL2BAN_BLOCK_USER_ENUMERATION=");
        print_r(WP_FAIL2BAN_BLOCK_USER_ENUMERATION);
        add_filter( 'redirect_canonical',
                    function($redirect_url, $requested_url)
                    {
                        print_r("Entered function: author=");
                        print_r(@$_GET['author']);
                        if (intval(@$_GET['author'])) {

    If I go to https://<domain>/?author=2, I see “Initialise function: WP_FAIL2BAN_BLOCK_USER_ENUMERATION=1” and the content posted by user 2 but I do not see the next set of print_r statements triggered. I verified that the code blocking specific users is being triggered.

    I am running PHP 5.3.3 on CentOS 6.8 with Apache 2.2.15. The WordPress site runs behind CloudFlare – I run mod_cloudflare so that Apache sees the originating rather than the proxy IP address.

    Is there anything else I can check to help narrow down what the problem might be?

    Thanks, Norbert
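A debugging aid for the symptom described in this thread (the plugin's 'redirect_canonical' callback never runs), added here as an illustrative must-use plugin; it is not wp-fail2ban code and was not posted by anyone in the thread. It assumes a test site where error_log() output is readable (for example with WP_DEBUG_LOG enabled), and relies on WordPress core running redirect_canonical() from the 'template_redirect' action at priority 10.

```php
<?php
/*
 * Plugin Name: Author-enumeration hook debug (illustrative, not wp-fail2ban)
 * Place in wp-content/mu-plugins/ on a test install only; remove afterwards.
 */

// Step 1: just before core calls redirect_canonical() (priority 10 on
// 'template_redirect'), record whether ANY callback is registered on the
// 'redirect_canonical' filter and how the request was parsed. If is_author()
// is "no" for ?author=2, the query never resolved as an author request, so
// core has no canonical redirect to compute and the filter will not fire.
add_action( 'template_redirect', function () {
    error_log( sprintf(
        'author-enum debug: redirect_canonical registered=%s is_author=%s author=%s',
        has_filter( 'redirect_canonical' ) ? 'yes' : 'no',
        is_author() ? 'yes' : 'no',
        isset( $_GET['author'] ) ? (string) $_GET['author'] : '(unset)'
    ) );
}, 0 );

// Step 2: an independent callback on the same filter, at priority 5 so it
// runs before a default-priority (10) callback such as the plugin's. If this
// line appears in the log but the plugin's own output does not, the plugin's
// add_filter() registration is the problem; if neither appears, core
// returned early from redirect_canonical() before applying the filter.
add_filter( 'redirect_canonical', function ( $redirect_url, $requested_url ) {
    error_log( sprintf(
        'author-enum debug: filter fired requested=%s computed=%s',
        $requested_url,
        false === $redirect_url ? 'false' : (string) $redirect_url
    ) );
    return $redirect_url; // pass the value through unchanged
}, 5, 2 );
```

Compare the two log lines for a single https://<domain>/?author=2 request: they separate "filter never registered" from "filter registered but core never applied it", which is the distinction the thread's print_r output cannot make.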

  • The topic ‘Testing WP_FAIL2BAN_BLOCK_USER_ENUMERATION’ is closed to new replies.