• Resolved Thomas Jarvis

    (@thomasjarvisdesign)


    Under brute force protection:

    What endpoints does “Immediately lock out invalid usernames” cover?

    Is this purely wp-admin or does it include the WooCommerce accounts screen?

    Reason for asking – I want to block invalid usernames for wp-admin only, not the WooCommerce accounts login.

    Is this possible?


Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @thomasjarvisdesign, thanks for reaching out.

    At present, we recommend “Immediately Lock Out Invalid Usernames” is not checked for WooCommerce stores or any other site with a commonly used public-facing ability to log in, as unwanted lockouts are extremely common from simply mistyping a valid username.

    I can certainly note your use-case to have the /wp-admin page separated from other attempts to use the WordPress login flow, which I haven’t seen a prior suggestion for personally, but can see why it would be useful to discuss with the team.

    Thanks,
    Peter.

    Thread Starter Thomas Jarvis

    (@thomasjarvisdesign)

    Hi @wfpeter,

    Thank you for this.

    This would help further prevent brute force attacks, as with all of my Wordfence sites you can see people trying generic account names repeatedly.

    Can I raise a feature request/bug fix for this? I think it would be an extremely beneficial feature.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @thomasjarvisdesign,

    We discuss all requests from customers internally for potential inclusion in future updates, so I’ve made the development request for you. Unfortunately we can’t provide ongoing updates here on the forum on its status/potential release dates, but everything put forward will be considered.

    Many thanks,
    Peter.

    Thread Starter Thomas Jarvis

    (@thomasjarvisdesign)

    @wfpeter

    Thanks for the update. I’ll mark this issue as resolved for now.

    This feature would be extremely beneficial to a lot of users and prevent brute force attempts before they start.

    A majority of attempts at wp-admin are guessing usernames, so by only applying this to admin logins it would prevent wasted PHP resources and attacks.

  • The topic ‘What endpoints does Immediately lock out invalid usernames cover?’ is closed to new replies.