• Resolved ELAN42///

    (@nokao)


    Hi!

    I am in the weird situation where the Wordfence option enabled: Immediately lock out invalid usernames
    was behaving in a bad way, because it seems not to trigger the “fail2ban plugin” that, in my configuration, bans hackers at the firewall/iptables level, server-side.

    1.
    Can you confirm that, if you lock out a user with Wordfence (software-side), this will not trigger other plugins like “fail2ban”?

    Do you think it will ever be possible to connect Wordfence with fail2ban instead of using the “fail2ban plugin”?
    It’s enough to log the “bad behaviour” in the Apache log, as the “fail2ban” standard explains.

    2.
    For some reason I found a hacker that was brute-forcing me but without triggering the Wordfence firewall ban. Has this ever happened to any of you?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi @nokao,

    I’m not 100% sure I understand the question here, so please do elaborate if I misunderstood.

    If you have several security plugins with overlapping features, it’s very common for one of them to override the other. Which one overrides which could depend on the load order of the plugins inside the WordPress environment, or it could depend on which WordPress hooks the plugins are using.

    I don’t know if Wordfence brute force protection prevents fail2ban from logging, but you could easily test that by making a login attempt yourself which causes a lockout. To avoid getting locked out yourself, you can do the testing via a different IP address, such as via your mobile phone’s internet connection (not using Wi-Fi) or using a VPN to connect.

    For your last question, make sure the Firewall is set to “Enabled and protecting”, make sure “Brute Force Protection” is enabled in Wordfence and make sure you have set “Lock out after how many login failures” to something reasonable such as 3 for example. This will protect against login attempts.

    Sometimes the WordPress authorization endpoints are accessed without actual login attempts, meaning they just visit wp-login.php many times without logging in. Such requests are not blocked with Brute Force Protection. If you want to limit those, you should use Wordfence Rate limiting.

    Hope that helps and as I said, if I missed something in your message, please just elaborate a bit on what the issue is. Thanks!
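Added example, not part of the original thread and not Wordfence or fail2ban code: a Python check over Apache access-log lines that separates the two kinds of wp-login.php traffic the reply above distinguishes, repeated credential submissions (POST) versus repeated visits without logging in (GET). It assumes the Apache combined log format; the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: client IP, [timestamp], "METHOD path ..."
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def parse(line):
    """Return (ip, timestamp, method) for wp-login.php requests, else None."""
    m = LINE_RE.match(line)
    if not m or m["path"].split("?", 1)[0] != "/wp-login.php":
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"]

def max_burst(times, window):
    """Largest number of timestamps that fall inside any one window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify(lines, max_hits=3, window=timedelta(minutes=5)):
    """Map each offending IP to 'login-attempts' or 'endpoint-hits'."""
    posts, hits = defaultdict(list), defaultdict(list)
    for ip, ts, method in filter(None, map(parse, lines)):
        hits[ip].append(ts)
        if method == "POST":
            posts[ip].append(ts)
    result = {}
    for ip, times in hits.items():
        if max_burst(posts[ip], window) > max_hits:
            result[ip] = "login-attempts"   # candidates for a failure lockout
        elif max_burst(times, window) > max_hits:
            result[ip] = "endpoint-hits"    # only a rate limit sees these
    return result

# Constructed sample lines using documentation IP ranges, not real traffic.
def sample_line(ip, sec, method, path="/wp-login.php"):
    return (f'{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 4321 "-" "constructed"')

SAMPLE = ([sample_line("203.0.113.5", s, "POST") for s in range(5)]
          + [sample_line("198.51.100.7", s, "GET") for s in range(10, 16)]
          + [sample_line("192.0.2.9", 30, "POST"),
             sample_line("192.0.2.9", 31, "GET", "/index.php")])
```

`classify(SAMPLE)` flags the first address as `login-attempts` and the second as `endpoint-hits`; the single login from the third address is not flagged.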

    Thread Starter ELAN42///

    (@nokao)

    I see that this option appeared after this discussion?
    Delay IP and Country blocking until after WordPress and plugins have loaded (only process firewall rules early)

    Am I right ?
    That’s good !

    Hi @nokao!
    We’ve had that ever since the Wordfence Firewall was released. It’s intended primarily for use when debugging. What it does is move some of the Firewall’s blocking to happen at a later stage in the page load process. When the Firewall is Optimized, all blocking otherwise happens before WordPress has loaded. This is for two reasons:
    – It’s safer to block before WordPress has loaded (prevents malicious plugins from loading before the Firewall loads)
    – It saves resources since the whole WordPress environment does not have to load for each request that would have been blocked.

    Hi @nokao,
    Since we haven’t heard from you for a while I’m going to go ahead and resolve this thread. You are welcome to create a new one at any time!

  • The topic ‘Wordfence: Immediately lock out invalid usernames + Fail2Ban’ is closed to new replies.