• Resolved nathanm4444

    (@nathanm4444)


    Feature Request

The “Immediately lock out invalid usernames” feature is a very useful feature that protects against bots that are trying non-existing usernames. Although the username “admin” is tried most often by bots and this is easily blocked, it is also useful to restrict access for other false usernames that are tried by bots. It is safer to immediately block IP addresses that try non-existing usernames to gain access, and this also saves server capacity.

    https://pasteboard.co/I6PhFSK7f9hW.png <– Firewall page

Wordfence allows website administrators to filter any website visitor that uses different usernames than the ones already existing, logically assuming that the actual users, editors and administrators of that WordPress website know their own usernames and will not try a bunch of different usernames to gain access. But Wordfence also assumes users will type in their usernames correctly every time.

    With the website that I am managing, it is not easy to ‘guess’ the different usernames. Certainly with 2FA added, logging in is very secure. But whenever one of my users or editors (from different locations/IP-addresses) mistypes their username, they are blocked out and have to use the link that is sent to their email address.

    Now, I do not want to add the IP-address of every single user to the IP white-list, because this is a lot of work and there are different locations. And I also do not want to turn this feature off, because it saves valuable server capacity and my website responds faster to actual visitors.

So what I am suggesting is a mistyping algorithm that predicts how the existing usernames could get mistyped, and then allows for a second chance when a mistype occurs.

    For example, the username johnsmith is not blocked, and the algorithm predicts that users might mistype this username in the following ways:

    • johnamith
    • jojnsmith
    • johnsmir
    • johnsmiht

Then the words ‘johnamith’, ‘jojnsmith’, ‘johnsmir’ and ‘johnsmiht’ are added to the whitelist. Whenever an IP address types in this username combined with a password that exists in the login database, they are not immediately restricted and blocked. The page will return the login menu and the user will be given a second chance to log in.

In conclusion, this is the feature that is missing:

    • This topic was modified 10 months, 3 weeks ago by nathanm4444.


  • Thread Starter nathanm4444

    (@nathanm4444)

    Link to photoshop image:

    https://pasteboard.co/kRMs1I7AxcBD.png

    • This reply was modified 10 months, 3 weeks ago by nathanm4444.

  • Plugin Support wfpeter

    (@wfpeter)

    Hi @nathanm4444, thanks for your suggestion.

We do often recommend sites with a large quantity of users, such as WooCommerce stores, turn this feature off to avoid accidental blocks that may result in additional work for the site administrator. Allowlisting any IP in Wordfence would allow it to bypass all protection entirely, so with the possibility of IP(s) being reassigned to a bad actor in the future, it would not be an ideal solution, as you pointed out.

    As you’ve provided quite a bit of detail into how this feature might work, I’ve sent the permalink to this topic along with a feature request for our QA and development team to reference at any time. There might be some challenges defining “how wrong is too wrong?”, or “how close is close enough?” but those are just my initial observations.

We’re not able to follow up on requests or promise their inclusion in a future plugin version here on the forums, but everything put forward by our customers is considered for feasibility and discussed internally.

    Many thanks,
    Peter.

  • Thread Starter nathanm4444

    (@nathanm4444)

    Thank you Peter, that is much appreciated!

About the challenge regarding “how wrong is too wrong?” or “how close is close enough?”, you are right that such questions are not easily answered.

Another option is to use a scale that the website administrator can set from “least likely typing mistakes” to “most likely typing mistakes”, but this would require a model with knowledge about which typing mistakes were more likely to happen than others.

    But I believe that in most cases, site administrators would be happy to have at least some leeway there. Even if the algorithm would not work perfectly and generated username mistypes that rarely occurred in real life, this would still be a security improvement over completely disabling the feature.
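One way the leeway described in the original post and the tunable “how close is close enough?” setting from this reply could be decided, as an added example that is not part of the thread or of Wordfence's own code: instead of pre-generating typo lists, the submitted name is compared against the real usernames with an edit distance, and a near miss only gets the normal login form back instead of an immediate IP block. The usernames, the `max_distance` setting and the three outcome labels are constructed assumptions.

```python
"""Typo leeway for an "immediately lock out invalid usernames" rule.

The distance counts the four typo kinds in the post's examples: substitution
(johnamith), insertion/deletion (johnsmir) and adjacent transposition
(johnsmiht). max_distance is the admin-tunable leeway from the thread:
1 = strict, 2 = lenient.
"""

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


# Constructed sample of existing accounts, already normalised to lower case.
EXISTING_USERNAMES = {"johnsmith", "maria.lopez", "editor_kim"}


def classify_username(submitted: str, existing: set, max_distance: int = 1) -> str:
    """Return 'known', 'near_miss' or 'invalid' for a login attempt.

    known:     exact match, normal login flow.
    near_miss: within max_distance edits of exactly one real username; show
               the login form again and count an ordinary failed attempt
               instead of blocking the IP outright.
    invalid:   no real username is close; apply the immediate lockout.
    """
    name = submitted.strip().lower()
    if name in existing:
        return "known"
    close = [u for u in existing if osa_distance(name, u) <= max_distance]
    # A name close to several accounts is ambiguous and gets no leeway.
    return "near_miss" if len(close) == 1 else "invalid"
```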

  • The topic ‘Add mistype leeway for “Immediately lock out invalid usernames” function’ is closed to new replies.