• Resolved ostinatofreak

    (@ostinatofreak)


    I recently installed a highly-rated plugin called Login Attempts Log because I want to see what passwords hackers are using as they try to log into my site. I feel that this feature should be one of the basic (i.e. free) features of Wordfence. Every time hackers try to log in, they are providing free information that people could use to learn a lot about how much various hackers know about them: are they using random passwords, or a list of “known” passwords? Basic, free Wordfence functionality provides information on IP addresses, failed usernames, etc… but no list of attempted passwords? This doesn’t seem right.

    But OK, so as I said above, I installed another plugin. Problem solved, right? No. Unfortunately, Wordfence prevents this plugin from working. So not only does Wordfence not provide users with this information (or maybe Wordfence charges extra for it? Not sure…), Wordfence also won’t allow other plugins to provide the information either! I am sure this is unintentional, but that doesn’t change the simple reality that Wordfence prevents WordPress administrators from being able to learn more about what hackers know about them (or it prevents them from being able to do so for free).

    I am asking that Wordfence developers please consider the request of providing the user with a list of passwords used in failed login attempts.

    In case you’re thinking of saying, “But this is a security issue: we don’t want to show the administrator legitimate users’ failed passwords,” this is easy to work around. Simply do not record the failed attempts in the log if the same IP address successfully logs in within 5 minutes of the failed attempts.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi,

    If you mean the “WP Login Attempt Log” plugin, then it hasn’t been updated for a while and it seems not to be working on recent WordPress versions, as reported by other users here, so I don’t think Wordfence is conflicting with this plugin.

    I appreciate your suggestion and will pass it on to the team. However, I wanted to let you know that your concern about revealing passwords with a simple typo to the admin is valid: what if the user decided to give up and didn’t continue logging into your website within 5 minutes? It would end up with the user’s password being stored in plain text, which is something we can’t help with for sure.

    Thanks.

    Thread Starter ostinatofreak

    (@ostinatofreak)

    What if you only log a user’s attempted password if 1) that particular username does not exist in the system, or 2) the login attempt originates from some country other than the user’s specified country? Additionally, users can enable or disable this logging feature, and you could have it default to “off.”

  • The topic ‘Logging passwords of failed login attempts’ is closed to new replies.