Constantly locked out at login despite username existing

Hi @mbwd, sorry to see you’ve had a couple of issues around this.

Under normal operation, the locking out of invalid usernames checkbox only affects usernames that are attempted but also don’t exist in your database. Live Traffic will show the cause at the timestamp you were blocked in red text when expanding the line by clicking it (or using the “eye” icon), just to be certain that another Brute Force or Rate Limiting rule wasn’t being kicked into action instead. Let me know what you see there.

With logging out and being locked out, it seems like something about that process is being flagged as a false-positive so you could try enabling Learning Mode and trying again to teach the site it’s a normal operation. Again, if that doesn’t work, Live Traffic should give the reason as to why the logout at that timestamp was locked out.

I have a nagging feeling that IP detection might also need to be checked as you’ve explained experiencing the same problems with other sites. There does sound like the possibility of blocks for other users/bots effectively applying to you (and everybody else) when they shouldn’t. Check your own public IP address first: https://www.whatsmyip.org.

Head over to Wordfence > All Options > General Wordfence Options > How does Wordfence get IPs and reference the area under that section that says Detected IPs and Your IP with this setting. See if any of the options there when picked accurately reflect your IP. If another one does rather than your current choice, don’t forget to hit the SAVE CHANGES button in the top-right after you’re done.

If you see anything in Live Traffic that you’re not sure how to rectify, or the cause continues to point to the original invalid usernames setting, by all means let me know so we could possibly look into it a little further.

Thanks,
Peter.

Thanks for replying so quickly. I have done a bit more testing, including trying to hit /wp-admin in an Incognito window, and I see that the block is happening then too, even before I have attempted to enter any username or password info. I’m hitting the page and getting blocked immediately.

I do have a Cloudflare rule set that forces a browser check on anyone hitting my login page. It also sets the Security level to “I’m Under Attack”. Is it possible that this rule is triggering Wordfence somehow and causing WF to think I’m an attacker?

Also, one more note–I have never received an unlock email successfully from the WF plugin, on this or any other site I run, unfortunately, but I’ll just focus on this one for now. I never receive the unlock emails. I do have an SMTP plugin installed on the site and am having no email issues from any of the contact forms. I’m the sole admin on the site.

Hi @mbwd, thanks for the extra information.

Can I confirm whether you’ve taken any of the extra steps with getting Cloudflare to work with Wordfence on your site before these issues occurred?

You will most likely select “Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.” in Wordfence > All Options > General Wordfence Options > How does Wordfence get IPs.

You may also need to update your Cloudflare settings to allow your site to connect back to itself. You should be able to do this by going to your Cloudflare control panel. It’s worth checking all IPs associated with your server first (Find them at Wordfence > Tools > Diagnostics > IP(s) used by this server)

• Login to Cloudflare
• Go to “Firewall”
• Click the “Firewall Rules” tab
• Click “Create a Firewall rule”
• Name the rule under “Rule Name”
• Set the “Field” under “When incoming requests match…” to “IP Source Address”
• Enter your site’s IP address(es) under “Value”
• At the bottom, under “Then…Choose an action” change “Block” to “Allow”
• Click “Deploy

Sometimes also adding our IPs here too can help. For your convenience, all of our IPs can be found here: https://www.wordfence.com/help/advanced/#servers-and-ip-range

Thanks again,
Peter.