• Resolved ellmann creative

    (@ellmanncreative)


    I have my website configured to block IPs immediately when a nonexistent username is used. Password managers are a thing so mistyping is not an excuse, and as far as information disclosure – I find blocks a more effective deterrent (and, more importantly, excellent tarpitting).

    However, I get many e-mails about IPs blocked for using incorrect (usually completely bogus) usernames. I notice there is an option to “Alert when someone is locked out from login”, but no way to separate lockouts that need my attention (like someone who may have forgotten they’ve changed their password) from bogus attempts on nonexistent usernames – I can either get all alerts, or none of them.

    Is there a way to disable these alerts only for bogus logins, and keep the other lockout alerts?

    Rationale: “used a username that does not exist” is not actionable. Therefore, I don’t need to even know about it.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @ellmanncreative, thanks for your message.

    We do often recommend not turning on the “Immediately lock out invalid usernames” option for sites with many public customers/users, such as online stores. However, if you’re only expecting a select few users for a company site (for example), the option is at its most useful. I share your sentiment on password managers, although they may not be as well adopted as they should be, so we do see mistyped usernames frequently occur.

    As for the issue in hand, there is currently no separation between users locked out in the ways you describe, so alerts will be a mixture. I am always happy to submit a development request for use-cases such as yours and will do so here for review by the team. We are unable to follow up with progress reports here on the forums, however.

    Many thanks,
    Peter.

    Thread Starter ellmann creative

    (@ellmanncreative)

    Thank you for the reply. Our use-cases are, in the overwhelming majority, company sites with little to no logins and (usually) no user registration, so we’re OK with locking IPs out on even a single mistake.

    Still, it would be good to be able to separate “NX account” from other lockout reasons, so that I could focus on issues that I actually need to take action for.

    Thanks.

    Thread Starter ellmann creative

    (@ellmanncreative)

    Okay. I suppose I’ll mark this as “resolved”, since there’s nothing more that needs to be (or indeed can be) done here.

    Thanks.

  • The topic ‘“Alert when someone is locked out” – disable alerts on incorrect username?’ is closed to new replies.