Wordfence 5.1.1 – Blocked IP's not logged in Logins & Logouts

Very strange, we fixed this bug in either 5.1.1. or the version before that. I wonder if the fix isn’t causing this. Anything in your web server error log?

Regards,

Mark.

Here is 2 examples – got an email alert that this IP attempted a login using admin.
From Website logs:
184.173.116.98-static.reverse.softlayer.com – – [11/Jun/2014:11:33:40 -0400] “POST /wp-login.php HTTP/1.0” 200 1763 “https://www.google.com/” “Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.14”

Email Alert:
The last username they tried to sign in with was: ‘admin’
User IP: 184.173.116.98
User hostname: 184.173.116.98-static.reverse.softlayer.com
——-
On another WP website:
contour.websitewelcome.com – – [11/Jun/2014:11:33:38 -0400] “POST /wp-login.php HTTP/1.0” 200 1763 “https://www.google.com/” “Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.14”

Email Alert:
The last username they tried to sign in with was: ‘admin’
User IP: 192.185.12.182
User hostname: contour.websitewelcome.com

Is it possible that they’re only locked out for a short time?

What is this set to:

Amount of time a user is locked out

on our Wordfence options page?

Regards,

Mark.

Yes, I set options to lock them out for 10 Minutes, but, I would normally then click on the IP address inside the Login & Logout’s tab and block them for 30 days (max in options). But, the concern I have there is No record of the Login Attempt in Wordfence. I do see successful logins. Just not login failures. Prior releases I saw login fails and success in the Login & Logout’s tab.

Here is another example from Weblogs:
24.114.29.162 – – [11/Jun/2014:20:59:49 -0400] “POST /wp-login.php HTTP/1.0” 200 1469 “-” “Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36”

Is the issue a false negative?

Is the issue a false positive? sorry

It’s tough for me to correlate your weblogs with what you should be seeing in Wordfence. If you have lockout set to say 3 attempts, and you see 3 attempts from an IP and then immediatelly check locked out IP’s you should see the currently locked out IP listed there.

Under the “logins and logouts” tab in live traffic you should see the attempts listed there. If not, then let me know.

Regards,

Mark.

I do NOT see failed login attempts in the Logins & Logouts Tab.
I have 5 WP websites, all on 3.9.1, WF 5.1.1. I get the same experience with each website regarding a failed login.

Hi,

I want to make sure Wordfence is writing to the database. Are you able to see live traffic?

Please check your mysql tables for table corruption. Ask your hosting provider to help you with this if you don’t know how to do it.

Regards,

Mark.

The DB tables do not appear to be corrupted.

I also don’t think that the failed logins are captured in the DB.
I attempted a login using one of my non-admin user id and failed the login process. I did not see that Failed User ID login in the DB tables.

Not sure if that helps or not.

The Database reflects ONLY Successful Logins NOT failed Logins.

Tested it by failing and also by successful login

Looking at wp_wfLogins

What I did on one Website is move version WF 5.1.2 out of the way, and placed WF 5.0.9 in and activated it.

I attempted a Failed Login and it showed up in the logs. ‘wp_wfLogins`

I was able to duplicate the results above on another website by deactivating and moving WF 5.1.2 out of the way. Then moved WF 5.0.9 in and activated it. Failed Login attempts are now being reported in the “Logins & Logout” tab as would be expected.

I think that something broke between WF 5.0.9 and 5.1.1. Release 5.1.2 had the same result as 5.1.1.