howiehwbd

I eventually found that although the posts where counted but not visisble – by clicking on the ‘ID’ column it magically displayed the posts. Then I went into each to ‘re-publish’ and they then became visible.

Hi colis

This afternoon – I tested in conjuction with a Pardot advisor and also worked out that the fieldnames need to be ‘simple text’ no underscores or hyphens.

Once this was done -the form didn’t error.

hi wfalaa

Thanks for getting back to me.

My Live Traffic data limit is 2000.

Could the fact that there are no matching records within Wordfence or Live View for any of the notifications I have received (even if I filter for date and error/block/event type) – are because the attempts and not using an actual page? – but the attempt (and execution) is all done within the URL address bar?

So even if I IP restrict the wp-admin area using htaccess – so that no one can actually ‘land on’ a page … those pages are still ‘actioned’ and Wordfence then fires off a notification. Would that be possible?

regards
H

hi wfalaa

I have looked at Live Traffic and filtered for:

Filter Traffic : Blocked
using advanced filters
Security Event : contains ‘Blocked’
From 1st Oct to 15th October

It shows none of the 700+ hack attempts that occurred a few days ago.

———–

If I the try a new filter
Logins : contains ‘Failed Login: Invalid Username
(same date range)

It also shows NO results
– yet my email inbox shows 700+ attempts.

————

What I’m trying to do is find the matching block/event that my email notification is showing within Wordfence.
i.e. someone at 11.32 on Oct15 was blocked from access the site when they used ‘adm’
– I can’t find this event logged in Wordfence.

—————-
I’m also trying to ascertain when I get a notification – just what actual page is this notification referring to?

—— extract from email sent by wordfence ——-
This email was sent from your website “XXXXXX” by the Wordfence plugin at Saturday 15th of October 2016 at 01:15:35 PM
The Wordfence administrative URL for this site is: https://www.xxxxxx.com/wp-admin/admin.php?page=Wordfence

A user with IP address 178.19.228.31 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username ‘adm to try to sign in.
User IP: 178.19.228.31
User hostname: nat-178-19-228-31.net.encoline.de
User location: Erfurt, Germany
—————————-

I have tested access to /wp-admin and /wp-login.php
– neither are accessible … so how come I’m still getting notifications of attempts still going on?

regards
Howard

Hi wfalaa

Many thanks for your reply. I will investigate the xmlrpc.php file.

and look into whitelisting

regards
H

Hi wfalaa

Thanks for getting back to me.

I have used htaccess to restrict access to wp-admin, wp-login, etc… to just my IP.

I’m therefore assuming that on one but me can therefore access to the WordPress login page.

But I’m still getting WF notifications that ‘adm’ was tried as a username. I have already ‘banned’ the use of ‘adm’ in WF.

Once I had restricted access to the WP login page – I was therefore curious as to why hackers are still able to attempt a login?

———————-

This then has caused me to think?
– When WF send me a notification that a hack was perpetrated – can WF tell me which page was being ‘affected’. i.e. was it /wp-login.php?….
OR was it another login access point (I have one from a guestbook plugin) … there is a username/password form … and this is on /guestlogin/ (url for illustration only).

Can I determine which of the two is having the attempted hack?

regards
H

Hello I’ve just installed a new version in two sites (WP 3.9.3 and a WP 4.1.1)
– in both instances the subscription form completes, but no data is being picked up by the subscriber list.

Please advise?