Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter nh905

    (@nh905)

    Hi Charles, I have finally had a chance to refresh the test site. I am now running WordPress 4.5.3 with wp-fail2ban 3.0.3. Plugins Akismet, Bulk Comments Management, Limit Login Attempts, Newsletter, Uber Login Logo, WordPress.com Stats and Yoast SEO are installed but deactivated. User enumeration blocking is still not working for me.

    I added the following debug statements:

    if (defined('WP_FAIL2BAN_BLOCK_USER_ENUMERATION') && true === WP_FAIL2BAN_BLOCK_USER_ENUMERATION) {
        // debug: confirm the constant is seen when the plugin initialises
        print_r("Initialise function: WP_FAIL2BAN_BLOCK_USER_ENUMERATION=");
        print_r(WP_FAIL2BAN_BLOCK_USER_ENUMERATION);
        add_filter('redirect_canonical',
            function ($redirect_url, $requested_url)
            {
                // debug: confirm the filter callback is actually entered
                print_r("Entered function: author=");
                print_r(@$_GET['author']);
                if (intval(@$_GET['author'])) {
                    // ... original blocking code continues here (not shown in the post)
                }
                return $redirect_url;
            },
            10, 2); // priority and argument count for the two-parameter callback
    }

    If I go to https://<domain>/?author=2, I see “Initialise function: WP_FAIL2BAN_BLOCK_USER_ENUMERATION=1” and the content posted by user 2 but I do not see the next set of print_r statements triggered. I verified that the code blocking specific users is being triggered.

    I am running PHP 5.3.3 on CentOS 6.8 with Apache 2.2.15. The WordPress site runs behind CloudFlare – I run mod_cloudflare so that Apache sees the originating rather than the proxy IP address.

    Is there anything else I can check to help narrow down what the problem might be?

    Thanks, Norbert

    Thread Starter nh905

    (@nh905)

    I upgraded the WP-fail2ban plugin and disabled all other plugins. When I visited the domain as https://<domain>?author=2, the nodes associated with that user were displayed with the user name showing in the tab. Nothing was logged to /var/log/secure. My wp-config.php contains:

    // 20151204 direct WP fail2ban messages to /var/log/secure
    define('WP_FAIL2BAN_AUTH_LOG',LOG_AUTHPRIV);
    // 20151204 block user enumeration
    define('WP_FAIL2BAN_BLOCK_USER_ENUMERATION',true);
    // 20161012 block all but xxx*, yyy* or zzz*
    define('WP_FAIL2BAN_BLOCKED_USERS','^(?!.*(xxx|yyy|zzz)).*');

    Trying to login with an unexpected username does log to /var/log/secure, so that part is working.

    Any suggestions on further debugging? I am running WordPress 4.2.9 on my test system and will be upgrading. Should I remove the code from the other plugins from the /plugins directory?

    Thanks, Norbert

    Thread Starter nh905

    (@nh905)

    I will upgrade to 3.0.2 and re-test.

    Thanks, Norbert

    Thread Starter nh905

    (@nh905)

    Using print_r calls before the ‘add_filter’, I confirmed that WP_FAIL2BAN_BLOCK_USER_ENUMERATION is defined and has a value of ‘1’. I also confirmed that the ‘author’ value is properly set in $_GET. However, I do not see any output from print_r calls after ‘add_filter’ and before the test for integer ‘author’ values, as though the hook is either not being set up properly or the filter function is not being called. I am testing the user enumeration feature using
    https://<domain>/?author=2

    Thanks, Norbert
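The posts above test user-enumeration blocking through the 'redirect_canonical' filter, which WordPress only reaches when it computes a canonical redirect for the request. The following added example (not wp-fail2ban's code) shows the same check and syslog logging done from the earlier 'init' action instead; it assumes it is dropped into wp-content/mu-plugins/ and that REMOTE_ADDR carries the real client address (as with mod_cloudflare on this site).

```php
<?php
/*
Plugin Name: Block author enumeration (constructed example mu-plugin)
*/

// Hook 'init' instead of the 'redirect_canonical' filter: 'init' runs for
// every front-end request, whether or not WordPress decides to redirect it.
add_action('init', function () {
    // Only front-end requests that carry a numeric ?author=N are of interest.
    if (is_admin() || !isset($_GET['author'])) {
        return;
    }
    // Same intval() semantics as the plugin's own test: "2" -> 2, "abc" -> 0.
    $author = (int) $_GET['author'];
    if ($author <= 0) {
        return;
    }

    // Assumes REMOTE_ADDR is the originating address (mod_cloudflare in place).
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // Log to the authpriv facility so the line lands in /var/log/secure on
    // CentOS, where a fail2ban filter can match it. Message text is our own.
    openlog('wordpress', LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
    syslog(LOG_NOTICE, "Blocked user enumeration request for author={$author} from {$ip}");
    closelog();

    // Refuse the request before any author-specific content is rendered.
    wp_die('Forbidden', 'Forbidden', array('response' => 403));
});
```

Because 'init' fires before the main query and template load, the author's posts and display name are never sent, unlike a filter that depends on a redirect being generated first.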
