Wordfence 5.3.11 dashboard widget shows nonexistent user

Viewing 9 replies - 1 through 9 (of 9 total)

  • You may want to take a look in the users database table for WordPress. I’ve had a user injected into the users table on a site of mine through a hack. If it is in the table and you did not create it, delete it with phpMyAdmin.

    -Brian

    I am seeing the same thing on all of my sites. It’s saying the failed login attempts were from existing users, but no such users exist. And I did indeed verify that they are not in the users table.

    Can either of you (or both) see if the user shows up in the live traffic section? I want to see if this is just related to the widget or if its a bigger issue.

    tim

    I have the same issue and indeed they are not in the user database.

    We’re actively looking into this and may have found the problem. I can tell you that the user is not getting in. Stay tuned and I’ll give you more details as soon as I can.

    tim

    Fix is coming in next release as far as I know.

    tim

    I have reported this too in another thread, and some other related issues. I cannot locate any references in the database either. On some of my sites they are cloned and then redeveloped for another client. As well as seeing “admin” either as an existing user, or non existing user, I have also seen user names I am familiar with, but not for that specific site. Is there any chance that the user names are coming from somewhere else that is tied to the same API key. Without knowing how WordFence works, if it is collecting information based on the API key and storing it off hosting, then this might explain why people have not been able to locate these ghost users? Can the API key be reset if the site is duplicated? Is it a relevant factor? – Just a thought.

    Thread Starter thenightrider

    (@thenightrider)

    @wfsupport (Tim), sorry for the delay. Nope, the ghost user reported in the Dashboard widget is only in the “Logins and Logouts” tab of the live traffic section, and then only once.

    There’s an interesting section of the log (I’ve replaced my real username with “myuser”). All the IP address are the same. The times are all the same. Too bad it doesn’t give the minutes and seconds:

    logged out as “myuser”
    14 days 4 hours ago

    logged in successfully as “myuser”
    14 days 4 hours ago

    attempted a failed login as “myuser”
    14 days 4 hours ago

    attempted a failed login as “ghostuser”
    14 days 4 hours ago

    attempted a failed login as “myuser”
    14 days 4 hours ago

    I’m still running Wordfence 5.8.11. Hope you guys find the problem. Thanks.

    Thread Starter thenightrider

    (@thenightrider)

    @wfbrian, I checked the DB with phpMyAdmin, and thankfully there are no injected users. Thanks!

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘Wordfence 5.3.11 dashboard widget shows nonexistent user’ is closed to new replies.