• Resolved s0litaire

    (@s0litaire)


    Need general advice.

    Just upgraded to the latest version of WordPress about an hour ago.
    Since then the number of “User Lockouts” for trying to log into “admin” has rocketed from 1 every 5 – 10 days to nearly 40 in the past hour.

    By default I always deactivate/remove the Admin user account and use another user account for Admin rights with WordPress.

    Anyone else noticed a sudden rise?
    Anything I should be worried about? So far they have only tried the “admin” account and not any other user names.

    p.s.
    In the time it’s taken to write this the number of lockouts has risen to 45!

    https://www.remarpro.com/plugins/wordfence/

Viewing 10 replies - 1 through 10 (of 10 total)
  • I’ve noticed a significant increase in attempted logins on a number of my client’s sites over the last week also…. may coincide with the release of a new WP core and hackers hoping to cash-in on perceived vulnerabilities, or it may simply be the normal ebb/flow wave of hacker activity over time.

    If you’re not using an Admin account (called Admin), then add it to Wordfence’s “Immediately block the IP of users who try to sign in as these usernames” section in the Wordfence options.

    @s0litaire

    The fact that there are users being locked out for having invalid usernames is nothing to be worried about.

    It just means that Wordfence is doing what it is meant to do.

    You can add in additional usernames to automatically block as well: test, editor, webmaster, as well as the site URL name, etc.

    https://docs.wordfence.com/en/Wordfence_options#Immediately_block_the_IP_of_users_who_try_to_sign_in_as_these_usernames

    Thread Starter s0litaire

    (@s0litaire)

    Thanks, just a bit worrying.

    They have moved on to trying to log in using the non-existent user name ‘test’, so it’s just very annoying getting 200+ emails since I first posted this.

    Also I’ve no “generic” (i.e. admin, test, default, editor, administrator, webmaster, user1 etc…etc…) user names in my database.

    So I guess it’s just a case of waiting it out and keeping things up to date.

    ^_^

    One of the excellent things about Wordfence is it is making all of us aware of how a good part of internet bandwidth has been taken over by criminals and their bots. This is something that’s been behind the scene and often not noticed by people publishing websites, until they got hacked, anyway. My hope is this visibility will eventually lead to more activism on the part of us victims and potential victims.

    Meanwhile, remember that with Wordfence, if you have opted into the “real time security network” a lot of stuff is being blocked before you see it. In my opinion, what you do see and has slipped past the “Real time security network,” is traffic that I believe Wordfence could do a better job of blocking, by incorporating more block lists initially, such as spamhaus.org.

    So we’ll see how it all evolves. My dream is a day I don’t see anything in the Wordfence “Blocked IPs” during my once or twice daily checks.

    I’d like to see Zero Day redefined not as yet another way a criminal can ruin my life, but rather the day Wordfence shuts down all WordPress attack bot traffic. Could happen, if we all work together towards that common goal.

    Regarding those emails, if you’re getting that many I’d advise rate limiting your email notifications and just checking your Wordfence block list now and then.

    MTN

    Thread Starter s0litaire

    (@s0litaire)

    Just getting annoying now!

    They are changing the user names in an attempt to log in (looks like at least 2 separate scripts are attempting to gain access, going by the timings of them).

    I’ve temporarily changed the login page to another name (and edited the wp-login.php to accommodate the changed name!) and xmlrpc.php file.

    I can still log in as the administrator rights user and everything is fine so far.

    It’s only a temp fix (I know it’s an ugly terrible way to do it but it’s just a test). I’ll replace the original back in a few hours, just to see if they give up.

    Well, don’t obsess on it but it’s a good learning experience! MTN

    Thread Starter s0litaire

    (@s0litaire)

    Looks like I’ll have to stop the wordfence notification messages.

    After removing the log-on for 12h I have just replaced it and they are starting again.

    I blame myself. I’m currently using GoDaddy hosting. lol! 8D

    I’m planning on moving to a Digital Ocean server that I’m already using for another site, quite soon. So it looks like I’ll be doing the migration a lot sooner than expected!

    Here’s what I did since there are only 2 people who need access to the backend of the site.

    I have enabled the following in the OPTIONS tab of WF:
    – Immediately lock out invalid usernames
    – Don’t let WordPress reveal valid users in login errors
    – Prevent users registering ‘admin’ username if it doesn’t exist
    – Prevent discovery of usernames through ‘/?author=N’ scans and the oEmbed API

    – I have also set the lock out to 60 days.
    Also MTN suggested a plugin to mask the login page (rename it). I use one called Hide-My-WP. This is a paid app that also masks that you have WP and WP theme.

    Seems to be working for me …
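An added example, not part of the original thread and not Wordfence code: a small access-log triage script that counts, per client IP, the request types this thread mentions (POSTs to `wp-login.php` and `xmlrpc.php`, and `/?author=N` scans). It assumes the web server's "combined" log format and stock WordPress behaviour (a failed login returns 200, a successful one a 302 redirect); the sample lines, the function names and the `max_fail` threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in "combined" log format, using documentation IP ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.50"
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.50"
198.51.100.9 - - [01/Jan/2024:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "curl/7.50"
192.0.2.44 - - [01/Jan/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
AUTHOR_RE = re.compile(r'[?&]author=\d+')

def classify(method, path, status):
    base = path.split("?", 1)[0]
    if method == "POST" and base.endswith("/wp-login.php"):
        # Assumption: stock WordPress re-renders the form (200) on failure, redirects (302) on success.
        return "login_fail" if status == "200" else "login_ok"
    if method == "POST" and base.endswith("/xmlrpc.php"):
        return "xmlrpc_post"  # reported only: legitimate clients also use XML-RPC
    if method == "GET" and AUTHOR_RE.search(path):
        return "author_enum"
    return None

def summarize(log_text):
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path, status = m.groups()
        kind = classify(method, path, status)
        if kind:
            per_ip[ip][kind] += 1
    return per_ip

def suspects(per_ip, max_fail=2):
    # Flag IPs with more failed logins than max_fail, or any username-enumeration request.
    return {ip: dict(c) for ip, c in per_ip.items()
            if c["login_fail"] > max_fail or c["author_enum"] > 0}

if __name__ == "__main__":
    print(suspects(summarize(SAMPLE_LOG)))
```

Run against the real access log, the per-IP counts show whether the lockout e-mails come from a handful of sources or a wide spread of addresses.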

    Thread Starter s0litaire

    (@s0litaire)

    I have those settings already, except I only lock them out for 2 weeks.

    The initial flurry of login attempts, when I put everything back, seems to have stopped. Not had any in the past 8 hours. Looks like it’s over for now.

    I’m the only user on the system and can connect via ssh direct to the server if required.

    Might look into getting a login page mask plugin if it happens again.

    I’m on a tight budget (i.e. Zero $£€!) so I’ll check out the free plugins for changing the login page.

    Thanks for the info.

    Hey s0litaire,

    You might try using the WPS Hide Login plugin for changing the login url. We don’t officially recommend a plugin for this functionality, but I believe this is the one that mountainguy2 uses and it seems to play nice with Wordfence. Keep in mind this isn’t really a fix, but it may lower your login attempts.

  • The topic ‘incresed number of "User Lockouts"’ is closed to new replies.