Viewing 15 replies - 1 through 15 (of 16 total)
  • Plugin Author WFMattR

    (@wfmattr)

    Hi Mariette,

    Do the logins appear with braces like {domain_zone}? Or are there any other unusual characters shown? If so, did you include those in the usernames to block?

    If it’s typed exactly the same as the login attempts, and it doesn’t work because of the special characters, we can look at handling those in a future version.

    -Matt R

    Mariette

    (@mariette-jackson)

    Hi Matt

    The logins were exactly as typed (no braces). Could the underscore character be causing the issue?

    Mariette

    Mariette

    (@mariette-jackson)

    Hi again

    Yesterday I added the username login to the list and this hasn’t been blocked either so there must be something else going on.

    I’m wondering if it could be because I added these to the beginning of the list rather than scrolling to add to the end? Just in case, I’ll try moving them and keep an eye on it…

    all the best
    Mariette

    Same here,
    I see attempts to log in with {domain_dot_zone}

    A user with IP address 46.161.9.8 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username ‘{domain_dot_zone}’ to try to sign in.

    The odd thing is that I renamed my wp-admin and still I see these attempts.
    Can someone explain this?

    Mariette

    (@mariette-jackson)

    Hello again Matt

    I am still getting a failed login attempt using ‘login’, despite moving to the end of the list, so that wasn’t the issue. Nothing recently for domain_dot_zone or domain_zone but these are intermittent anyway.

    Can you suggest anything else?

    thanks

    @malkah I am seeing the exact same thing! I had renamed my wp-admin but still had an attempt from the same IP address using the same username you listed. I’m not sure how they found the login page or if it is worth changing it again.

    @brit77 I had the same problem but disabling XML-RPC.

    malkah, I’m seeing the exact same thing, including the IP address. I have tried blocking the IP address as well and am still getting the WF alerts.

    Mariette

    (@mariette-jackson)

    Hello Matt

    This seems to be a wider problem.

    Every day I am getting these login attempts from login, domain_dot_zone and domain_zone, even though they are blocked.

    These login attempts aren’t brute force as such – usually only one of each, and often coming at the same time.

    Do you have any thoughts?

    thanks

    Any of you guys use the CloudFlare plugin? I think it might be someone trying to exploit sites that are unable to update said plugin due to a bug.

    Mariette

    (@mariette-jackson)

    Hi

    I’m not using CloudFlare.

    And these login attempts just keep coming. It’s REALLY frustrating.

    The list of logins that can’t be blocked has now grown to:
    domain_zone
    domain_dot_zone
    domain
    domainzone
    domain.zone

    Matt R – do you have any idea what’s going on?

    thanks
    Mariette

    Mariette,
    Could you check your database and look at the wfLogins table to verify that the names they are using to attempt login are exactly the same as the ones you have blocked?

    Thread Starter Mariette

    (@mariettej)

    Aha! I’ve just received the Wordfence activity report and it says:

    Top 10 Failed Logins
    Username
    {domain}
    {domainzone}
    {domain.zone}
    {domain_dot_zone}
    {domain_zone}
    {login}

    So you were right – there were hidden characters that I couldn’t see.

    I will add these to the blacklist now and monitor it again.

    So sorry if I have caused confusion.

    best wishes
    Mariette

    Hello again MarietteJ,
    I’m glad you were able to figure it out. Were the curly braces stripped from the usernames on the “Logins and Logouts” live traffic panel? If they were, we should try to fix that so that other people don’t experience the same issue. Thanks in advance.

    Mariette

    (@mariette-jackson)

    Hello wfasa

    It seems it was the Sucuri plugin, which emails me with failed login attempts, that stripped out the {}s. I just checked in your logins and outs panel and they are visible there.

    So sorry again – it never occurred to me that Sucuri’s info would be inaccurate…
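
The mismatch this thread ended up finding, as an added example that is not part of the original thread or of any plugin's code: a check that compares a block list against usernames copied from the authoritative login log and flags entries that differ only by wrapper or invisible characters. It assumes the block is an exact string comparison, as the replies above describe; `core` and `audit_blocklist` are hypothetical names and the observed usernames are a constructed sample.

```python
import unicodedata

def core(name):
    """Drop invisible characters, then strip non-alphanumeric wrappers like {}."""
    visible = "".join(c for c in name
                      if unicodedata.category(c) not in ("Cf", "Cc"))
    start, end = 0, len(visible)
    while start < end and not visible[start].isalnum():
        start += 1
    while end > start and not visible[end - 1].isalnum():
        end -= 1
    return visible[start:end]

def audit_blocklist(blocked, observed):
    """Classify observed usernames against an exact-match block list.

    Returns (covered, near_misses, unblocked). near_misses maps an observed
    username to the block-list entries that differ from it only by wrapper
    or invisible characters, i.e. entries that look right but never match.
    """
    blocked_set = set(blocked)
    by_core = {}
    for entry in blocked:
        by_core.setdefault(core(entry), []).append(entry)
    covered, near_misses, unblocked = [], {}, []
    for name in observed:
        if name in blocked_set:
            covered.append(name)
        elif core(name) in by_core:
            near_misses[name] = by_core[core(name)]
        else:
            unblocked.append(name)
    return covered, near_misses, unblocked

# Block list as entered in the thread, before the braces were noticed.
BLOCKED = ["domain_zone", "domain_dot_zone", "domain", "domainzone",
           "domain.zone", "login"]
# Constructed sample of usernames as the authoritative login log records them.
OBSERVED = ["{domain_zone}", "{domain.zone}", "{login}", "login",
            "admin\u200b", "editor"]

if __name__ == "__main__":
    covered, near_misses, unblocked = audit_blocklist(BLOCKED, OBSERVED)
    for name, entries in near_misses.items():
        # repr() makes braces and zero-width characters visible.
        print(f"NOT BLOCKED {name!r}: list has {entries!r}, add the exact string")
    for name in unblocked:
        print(f"no entry for {name!r}")
```

Feed it usernames taken from the primary log rather than from a notification email, since a secondary report may have altered them.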

  • The topic ‘Username block not working for domain_zone and domain_dot_zone’ is closed to new replies.