Users not getting password reset or the reset link fails
-
Hi, I’ve only recently installed Wordfence (for the second time in about 5 years) as I need better security.
However since installing about 2 weeks ago, I am now getting a small number of users reporting inability to use password recovery function.
On checking mail logs I am seeing a consistent strange email address [email protected] and wonder if it is related to Wordfence. It does not appear in my user search at all and seems to be receiving emails related to user password reset requests.
Can you help here please?
I have sent an email from the Diagnostics page. The email addresses of failed attempts are reported from numerous domains including Gmail and Hotmail so I can not find any pattern there.
Thanks.
Nick
-
Here is a screenshot of an entry in my email log. I use WPO365 as my email sender and wonder if I need to make specific changes to ensure that is fully used, not wp-mail?
https://app.screencast.com/UFXQGnOtzH0E5
Hi @redart599,
Thanks for reaching out. Can you check what email you have set at Wordfence > All Options > General Wordfence Options > Where to email alerts? The email set here determines where alerts, such as for lockouts, are sent. If you update the email, please make sure to Save Changes afterward to ensure future emails go to the correct email address.
The email in your screenshot is in regards to a user being locked out of the website due to failed login attempts or password recovery attempts. When your users attempt to reset the password, are they not receiving the email? If they request it multiple times, it can eventually lead to a lockout based on your brute force settings in Wordfence > Firewall > Manage Brute Force Protection.
I wouldn’t expect emails to be blocked unless there’s a plugin involved that might be getting caught as a false-positive. When looking at your Live Traffic feed are there any blocks reported at the time(s) when the password recovery emails are sent out? Try a recent test if it’s difficult to track. You can allowlist actions from here if so by expanding the entry using the “eye” icon or just clicking the table row.
Let me know how it goes!
Thanks,
Margaret
Hi @wfmargaret
Actually, I have just come across another instance where my customer (@redart599 is also a customer of mine) discovered that Wordfence alerts / emails are being sent to an account they never entered. In this the email address is @archtechdesign.net. The first impression is that archtechdesign.net is a legitimate website of a website agency. However, the site does not mention an address or phone number. It also lists reference web projects that appear to be created by other agencies. I therefore suspect that the site is just a cover used for fake emails. In my humble opinion there is some sort of malware / scam that seems to send copies of Wordfence alerts to email accounts that are never entered by the administrator of the affected website.
Hi @wpo365,
Thanks for reaching out. If the emails are being sent by the site itself (rather than being a spoofed email sent to the actual admin), can you check what email you have set at Wordfence > All Options > General Wordfence Options > Where to email alerts? The email set here determines where alerts, such as for lockouts, are sent.
If this doesn’t help, please start a new forum topic so that we can better assist you. You can link this thread in the new topic for context. We request this to ensure each case can be handled individually, and topics that haven’t been responded to in over 10 days are no longer actively monitored.
Thanks,
Margaret
Hi @wfmargaret
For @redart599 we already checked this and here the email address in question was definitely not in the configuration. I will check with the other customer as well and start a new thread when I received their feedback.
Thanks!
@wfmargaret The Password recovery emails were being sent to an email address not registered with any of our users. Why is this possible? Why is there not a verification for backup email address for each user?
In this case I suspect our user’s accounts somewhere had been hacked and this person was trying to gain wider access to their information.
Hi @redart599,
You sent a screenshot of a Wordfence alert email going to the suspicious email address, but it didn’t show a password recovery email being sent. Can you check and let me know if you see both Wordfence alerts and general WordPress emails (such as password reset emails) going to the suspicious email?
I’d also like you to test a standard email sent by Wordfence. In Wordfence > Diagnostics > Other Tests, please send a test email to yourself. Then, check the email logs and see where the email was sent. Please let me know what you find!
Thanks,
Margaret
@wfmargaret Yes this nefarious email address ([email protected]) has successfully received password recovery emails. Here’s an example: https://app.screencast.com/kPDwzoa9u8XB3 the user’s email address has been blurred. That email address is a valid user and valued customer. There are numerous cases of this that I can now find, and of interest is the time of the emails to the real user being sent to the hacker email. See this screenshot: https://app.screencast.com/vhS0TuBiGLUdm
So my question remains, why are password recovery emails able to be sent to non verified email addresses?
@wfmargaret Oh and the testing you advised was completed successfully. “I’d also like you to test a standard email sent by Wordfence. In Wordfence > Diagnostics > Other Tests, please send a test email to yourself. Then, check the email logs and see where the email was sent. Please let me know what you find!”
Email arrived and was not sent anywhere else.
Note that while I have not seen any further signs of activity to the hacker’s email, since the file was removed from my WordPress root directory. However a copy is available
I realised that there is a difference in the wording of the email that I missed. The password recovery attempt versus the password reset emails. So this fake user was somehow masquerading as an admin, is that correct, and nothing malicious could have been happening to their account or information because the password reset email was sent to the correct address, is that correct understanding?
Hi @redart599,
Thanks for following up and for the additional information! From the screenshots you’ve sent, your understanding is correct. In each screenshot, they received the Wordfence alert email that explains a user has requested to recover their password. Then, only the user who requested the password recovery received the password reset email. I’d check over your email logs carefully to ensure this is the case for all emails sent to the suspicious address to determine if any additional information was sent.
If nothing in Wordfence was configured at the time to send to the suspicious email address, it’s possible the site was compromised. You mentioned the additional emails stopped when you removed a file. If you have a site file you believe was compromised that Wordfence didn’t detect in its scans, please send a copy of that to samples @ wordfence . com.
It also sounds like you may need to clean the site or at least follow the checklist here: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
Make sure to get all your plugins and themes updated and update WordPress core too. If you are on an older branch (WordPress 4.x etc) because you wanted to wait before installing the latest version because of Gutenberg or a custom theme compatibility you still need the latest update in that version. Those can be found here: https://www.ads-software.com/download/releases/
WordPress sometimes patches their older releases if they find a vulnerability so make sure to update your version if needed. We, of course, recommend that you update to the latest version.
As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.
Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.
If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers one and there are others. Regardless if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.
Thanks,
Margaret
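
The log review suggested in the thread (which unexpected addresses received mail, and whether they got only alert copies or also a reset link) can be scripted. This is an added example, not part of any post and not Wordfence or WPO365 code; the CSV columns, addresses and subject wording are constructed assumptions to adapt to your own mail-log export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a mail-log export (timestamp, recipient, subject).
# Column names, addresses and subject wording are assumptions for illustration.
SAMPLE_LOG = """timestamp,recipient,subject
2024-05-01T10:02:11,alice@customer.example,[Example Shop] Password Reset
2024-05-01T10:02:12,unknown@elsewhere.example,[Wordfence Alert] shop.example Password recovery attempted
2024-05-01T10:02:12,admin@shop.example,[Wordfence Alert] shop.example Password recovery attempted
2024-05-02T08:15:40,bob@customer.example,[Example Shop] Password Reset
2024-05-03T21:44:03,unknown@elsewhere.example,[Example Shop] Password Reset
"""

def classify(subject):
    """Separate alert notifications from mails that carry a reset link."""
    s = subject.lower()
    if "password recovery attempted" in s:
        return "alert"
    if "password reset" in s:
        return "reset_link"
    return "other"

def audit(log_text, known_users, alert_recipients):
    """Return {recipient: {kind: [timestamps]}} for addresses the site should not be mailing."""
    expected = {a.lower() for a in known_users} | {a.lower() for a in alert_recipients}
    findings = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(log_text)):
        rcpt = row["recipient"].strip().lower()
        if rcpt not in expected:
            findings[rcpt][classify(row["subject"])].append(row["timestamp"])
    return {r: dict(k) for r, k in findings.items()}

def exposed_reset_links(findings):
    """Unexpected recipients that received a reset link, not only an alert copy."""
    return sorted(r for r, kinds in findings.items() if "reset_link" in kinds)

if __name__ == "__main__":
    result = audit(SAMPLE_LOG,
                   known_users=["alice@customer.example", "bob@customer.example"],
                   alert_recipients=["admin@shop.example"])
    for rcpt, kinds in result.items():
        print(rcpt, kinds)
    print("reset links exposed to:", exposed_reset_links(result))
```

An empty result from `exposed_reset_links` matches the situation described in the thread, where the unknown address saw only alert copies; any entry there means a reset link left the site and the affected accounts need their passwords changed.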