• Resolved Steve

    (@srg-1)


    Hi, our site uses HTTPS and is behind a reverse proxy. We currently do not have SSL offloading on the proxy (this is planned), so there is no X-Forwarded-For or similar header that we can use to get the real user's IP.

    Is it possible to configure Wordfence to block brute-force login attempts by username only, not IP?

    Thank you,
    Steve

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi Steve,
    I think you mean this option under (Wordfence > Options > Login Security Options > Immediately lock out invalid usernames); however, this increases the risk of locking out real users who may mistype their usernames.

    Thanks.

    Thread Starter Steve

    (@srg-1)

    Hi @wfalaa,

    Thanks for the response and info. I read the link you gave. I still get the impression that this is IP-based lockouts. If my username is “srg” and I mistype “srgg”, does it only lock out the “srgg” account? Meaning, I can still log in immediately with the correct “srg” account?

    I think the best solution would be for us to set up SSL offloading on our reverse proxy so that we can get the real IP address of the user.

    Thanks,
    Steve

    Yes, you are correct, it’s only the IP address used during this login attempt that will be locked out from the sign-in page and password recovery page.

    I can’t think of any other way to do this unless you get the correct user’s IP address.

    Thanks.

  • The topic ‘Blocking by Username Only’ is closed to new replies.
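
The thread settles on having the reverse proxy pass the real client address in X-Forwarded-For so that lockouts can be keyed on it. The sketch below is an added example, not part of the thread and not Wordfence code; it shows how an application can resolve that address while accepting the header only from its own proxy. The proxy range `10.0.0.0/24` and the names `TRUSTED_PROXIES` and `client_ip` are assumptions made for illustration.

```python
import ipaddress

# Assumption: address range of our own reverse proxy (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr):
    """True if addr belongs to one of our own proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for=None):
    """Return the address an IP-based login lockout should be keyed on."""
    peer = ipaddress.ip_address(remote_addr)
    # Without the header, or when the TCP peer is not our proxy, the peer
    # address is all we can rely on. A header sent by any other peer is
    # client-controlled and must not influence the lockout key.
    if not x_forwarded_for or not _is_trusted(peer):
        return str(peer)
    # Each proxy appends the peer it saw, so walk right to left and take
    # the first entry that is not one of our proxies. Entries further left
    # were supplied by the client and are ignored.
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed entry: stop trusting the header
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)
```

With no header, every visitor resolves to the proxy's own address, which is the situation described in the first post: a single IP-based lockout would then apply to all users at once.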