Feature Request: Switch off email if "Immediately block IP.. as these usernames"

Thanks for the great idea. I’ve entered this as a feature request in our internal tracking system and hopefully it can be included in a future release. While I cannot promise that every suggestion we get makes it into a release, or when that might be I can tell you that every suggestion we get is evaluated carefully and considered seriously. We value the input we get from our customers. A member of our dev team may or may not reach out to you here to ask for more detail. Thank you for helping to make WF great.

tim
FB866

As an alternative to above suggestion there could also be a setting to send notification email only in case of a valid username.

So many dumb bots are around these days, they keep trying and trying…

I have added this alternative to the original feature request. Thanks for the suggestion!

Thanks.

Some sort of “filter” feature for notifications seems to be really necessary given the flood of “dumb bot” emails everybody is seeing these days.

I agree.

I use the aggressive option “Immediately lock out invalid usernames”. Thus, I receive mails for every dummy attempt of usernames like admin, administrator, test, and so on.

It would be nice to have the option to avoid notifications for some specified user names, or just only receive notifications for attempts on existing users.

This is all in our system now for the dev team to evaluate, so I’m going to mark this post as resolved.

Thanks for the additional input!

-Matt R
FB866

Please mark it as resolved as soon as the feature is released, thanks.

Can you estimate if/when a filter-feature as described will be added to WordFence?

Some days we get hundreds of emails from customer sites every 24h (login-block set to 1 day), obviously from botnets which attack a site from different IPs at almost the same time, anonymized examples for “admin” including timestamps below, other names are sometimes tried as well.

It is a lot of work to filter these emails manually for legitimate users (with other usernames) who locked themselfes out.

Site #1, blocked for using “admin”:

User IP: 80.82.64.10X at 07:17:29
User IP: 185.100.86.6X at 07:17:24
User IP: 5.9.36.6X at 07:17:24
User IP: 81.7.17.17X at 07:17:22
User IP: 195.154.15.22X at 07:17:05
User IP: 89.234.157.25X at 07:17:04

Site #2, blocked for using “admin”:

User IP: 81.89.0.19X at 06:32:42
User IP: 95.130.15.25X at 06:32:40
User IP: 95.211.101.23X at 06:32:37
User IP: 192.42.116.1X at 06:32:18
User IP: 46.166.179.4X at 06:32:18
User IP: 85.10.211.5X at 06:32:14
User IP: 5.196.228.9X at 06:32:14

No, sorry, there is no estimate for when this would be done if it is implemented, yet.

You might be able to reduce the email volume by unchecking the option “Alert when an IP address is blocked”, but keeping the option “Alert when someone is locked out from login” enabled.

Most real users will get “locked out” (from logging in only) by trying a username/password too often, while bots using bad usernames will get “blocked” (from the whole site) instead. If there isn’t any manual action you take for “blocked” IPs, that could cut down the emails quite a bit, while still letting you get the lockout emails that would be a mix of good and bad users.

The next time you have a real locked-out user, you can check to make sure they’re on the second tab (“IPs that are Locked out from Login”) on the Blocked IPs page, and see also if the bots getting blocked for bad usernames are on the first tab — I hope this helps for now.