Attackers attempting to recover pw of deleted admin users

  • Resolved marahman.b2b

    (@marahmanb2b)


    2 years, 8 months ago

    Hi,
    Every day attacker attempts to admin access from different countries, and am getting 100+ login attempts email notifications as below, where such admin users been deleted long back.
    (

    This email was sent from your website "" by the Wordfence plugin at Saturday 16th of July 2022 at 07:59:24 AM
The Wordfence administrative URL for this site is: https://xxx.com/wp-admin/admin.php?page=Wordfence
A user with IP address 201.242.227.121 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username 'shazza1' to try to sign in.
The duration of the lockout is 5 minutes.
User IP: 201.242.227.121
User hostname: 201-242-227-121.genericrev.cantv.net
User location: Venezuela

    )

    How to stop such attempts?
    Currently the site is updated on WordPress, plugins, and themes.
    I set the blocking setting as https://prntscr.com/B58JcMhmXiMR https://prntscr.com/l-nCXce0GG3h

    But still, attempts are continuous… need a solution to this…

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @marahmanb2b, thanks for reaching out to us!

    The “user-agent” of a browser is, in short, the type of browser or interface accessing your website such as Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0

    I believe you’re looking for the feature in Wordfence, “Immediately block the IP of users who try to sign in as these usernames” in Wordfence > All Options > Brute Force Protection. However, adding usernames to this section is mainly useful if you’re finding a high amount of cases where a bot or human is attempting to sign in repeatedly with the same username, just to help stem the flow of a specific problem for a specific site. When you get one-off attempts, this is not usually necessary.

    Wordfence, and WordPress’ for that matter, main recommendation would be to enable 2FA (at least for administrators) and reCAPTCHA for all users for maximum protection. Our Brute Force and Rate Limiting options along with the inbuilt firewall rules & lists of known ‘bad’ IPs/hostnames should protect your site well without having to take too much custom action.

    Thanks,

    Peter.

Viewing 1 replies (of 1 total)
  • The topic ‘Attackers attempting to recover pw of deleted admin users’ is closed to new replies.