• Resolved Jellico

    (@catsfoto1se)


    I’ve seen a lot of attacks via the xmlrpc.php, and the log (live traffic) says:

    `Clifton, United States attempted a failed login using an invalid username “[login]”. https://example.org/xmlrpc.php`

    Now to my issue, if I have specified [login] (and login to be safe) as a “direct block” username, why don’t they get blocked?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter Jellico

    (@catsfoto1se)

    No one?
    Isn’t this a bug?

    Plugin Support wfscott

    (@wfscott)

    @catsfoto1se

    Thanks for writing in, and sorry for the delay.

    If the password field is left blank during a request/attempt, live traffic can report an attempted “failed” login using the invalid username. If the password field contains any characters, the block will be made if the site is configured correctly.

    If you would like to send me over your site’s URL via email ([email protected]), let me know here and I will test for you to be sure the blocking is working as expected.

    Thanks,
    Scott

    Thread Starter Jellico

    (@catsfoto1se)

    Hi, thx for answering, I can understand that many are asking questions, and it takes time to answer us all.

    The blocking for bad usernames works otherwise..

    Let me see if I understand this correctly: if somebody just enters a name, and not any password (leaves the password field empty), it would not count as a failed login and not be blocked?

    Sorry for asking so much, I’m trying to understand what kind of attack attempt this is, like what’s the point?

    Plugin Support wfscott

    (@wfscott)

    Glad to hear the usernames are otherwise getting blocked during true attempts.

    That is correct — an attempt like what we discussed (empty password) would not be blocked, though Live Traffic would report it as an attempt with an invalid username.

    How frequently are you seeing these sorts of logs in the Live Traffic? Have there just been a few?

    Thread Starter Jellico

    (@catsfoto1se)

    At the moment it’s pretty quiet, but last week there was 1 try every 5 minutes from different countries, about 4000 attempts (1 every 5 min in two weeks), so somebody was up to something, but I have no idea what they were up to..

    WFGerroald

    (@wfgerald)

    Hey @catsfoto1se,

    Thanks for the update, and happy to hear that it has quietened down. These attacks can be pretty random. After X amount of with being unsuccessful, they usually move on. There’s only so much we can do to prevent attacks, it’s more about making sure they aren’t successful, which it sounds like Wordfence is helping with.

    Please let us know if anything else comes up.

    Thanks,

    Gerroald

  • The topic ‘Direct ban with username login doesn’t work?’ is closed to new replies.
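
The pattern reported in this thread (roughly one xmlrpc.php attempt every five minutes, each from a different location) stays under any per-address counter, so it only becomes visible when requests are aggregated by endpoint. The script below is an added example, not part of the original thread and not Wordfence code; it assumes a web server access log in common/combined format, and the log lines, addresses and the `per_ip_limit` threshold are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Common/combined access-log prefix: ip - - [time] "METHOD path ..."
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# Constructed sample: 12 POSTs to xmlrpc.php, 5 minutes apart, each from a
# different documentation-range address, plus two unrelated requests.
SAMPLE = [
    f'203.0.113.{i + 10} - - [01/Mar/2020:10:{i * 5:02d}:00 +0000] '
    '"POST /xmlrpc.php HTTP/1.1" 200 403'
    for i in range(12)
] + [
    '192.0.2.7 - - [01/Mar/2020:10:01:12 +0000] "GET / HTTP/1.1" 200 5120',
    '192.0.2.7 - - [01/Mar/2020:10:02:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2210',
]

def xmlrpc_posts(lines):
    """Return sorted (timestamp, ip) pairs for every POST to /xmlrpc.php."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, m["ip"]))
    return sorted(hits)

def summarize(lines, per_ip_limit=5):
    """Aggregate by endpoint so slow, many-source activity becomes visible."""
    hits = xmlrpc_posts(lines)
    per_ip = Counter(ip for _, ip in hits)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
    over_limit = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
    return {
        "total": len(hits),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "median_gap_s": median(gaps) if gaps else None,
        "over_limit": over_limit,  # what a per-address threshold alone would flag
        # Many requests overall, yet no single address crosses the threshold.
        "distributed": len(hits) > per_ip_limit and not over_limit,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A steady median gap combined with `distinct_ips` close to `total` is the signature described in the thread; in that case a site-wide rate limit on xmlrpc.php (or disabling the endpoint if it is unused) is the control that applies.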