Viewing 12 replies - 1 through 12 (of 12 total)
  • I don’t have any useful info for you, other than I just got notified of the same thing… whoever this person is – they seem to be trying to hack a bunch of WordPress sites:

    A user with IP address 173.208.241.106 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 20. The last username they tried to sign in with was: ‘admin’
    User IP: 173.208.241.106
    User hostname: 173.208.241.106
    User location: Kansas City, United States

    I submitted an email to the service provider’s abuse address: [email protected]

    Thread Starter IslandWoman

    (@islandwoman)

    Hi DavidWiebe,

    My concern is that the plugin is not locking him out. Maybe I should take a second look at my settings.

    Thank you for the comment

    IW

    Same here – I’ve got 3 more emails from WordFence that he’s exceeded 20 attempts and has been blocked. I guess it’s only blocked for a while. I’ll have to see if I can block his IP and contact the ISP again.

    Hey Guys,

    By default Wordfence blocks IPs for a small amount of time. What do you have set for the option Wordfence Options -> Login Security Options -> Amount of time a user is locked out?

    Reference: https://www.evernote.com/l/AeGx2yhq9ZRA6o99m2Nc8qbxXbxW8mAwIoY

    Thread Starter IslandWoman

    (@islandwoman)

    Hi wflandon,

    My settings are as follows:
    admin is a blocked user

    Count failures over what time period = 1 day
    Amount of time a user is locked out = 5 days

    Thread Starter IslandWoman

    (@islandwoman)

In addition, why am I seeing these notices? Both of the URLs listed below are legitimate URLs and not blocked:
    ==========================================
    United States Miami, United States was blocked: Accessed a banned URL. at https://boatrentalturksandcaicos.com/mobi/boat-rentals/
    8/24/2016 10:54:19 AM (1 day 1 hour ago) IP: 66.176.181.171 [block] Hostname: c-66-176-181-171.hsd1.fl.comcast.net
    Browser: Safari version 9.0 running on iOS

    ============================================
    United States Warrington, United States was blocked: Accessed a banned URL. at https://boatrentalturksandcaicos.com/areamaps/
    8/23/2016 5:43:20 PM (1 day 18 hours ago) IP: 67.165.7.232 [block] Hostname: c-67-165-7-232.hsd1.pa.comcast.net
    Browser: Safari version 9.0 running on iOS
    Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E188a

I realize this is 6 months old, but I don’t see a resolution.

    I now have the same problem…
    “admin” is listed in the “Immediately Block the IP who try to logon as these usernames” and the attempt is listed and identified as “failed login using an invalid username “admin”, but the IP is not actually blocked and I have to click [block] to manually block.
Västerås, Sweden left https://www.agritraction.com/wp-login.php and attempted a failed login using an invalid username “admin”. https://www.agritraction.com/wp-login.php
    2/22/2017 1:26:01 PM (25 minutes ago) IP: 217.78.31.206 [block] Hostname: p206.broadband.quicknet.se
    Browser: Chrome version 0.0 running on Win7

    The same issue appears for attempts that breach a firewall rule. They should be blocked immediately, but I have to click [block] to manually block.
    Italy was blocked by firewall for Directory Traversal – wp-config.php in query string: download_backup_file=oldBackups%2F..%2F..%2Fwp-config.php at https://agritraction.com/wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups%2F..%2F..%2Fwp-config.php
    2/21/2017 4:05:15 PM (21 hours 49 mins ago) IP: 37.9.224.130 [block]

    Any solutions/ideas on why these items are NOT being immediately blocked as expected?

    This issue has been outstanding for nearly a year without a response from the Wordfence team.

Having a list of usernames that should have their IP address blocked if someone tries to use them isn’t working.

    This is leading to constant bruteforce attacks where people keep trying stupid usernames like “admin” that are on my list.

    I then have to manually go in and block the IP Address.

    Why can’t this issue at least be addressed?

@skaye, I am a little confused. Why would you want all IPs that happen to try an invalid (or blacklisted) login name to have their IP blocked PERMANENTLY, in addition to already being locked out by their use of a bad username? Personally, I would NOT want that to happen, and would protest loudly if every IP trying a bad username was autoblocked forever.

One thing to realize is that many or most of these attempts are running scripts that arrive on batches of Proxy or VPN IPs. They are not actually the originating IP address. The attacker does not use his own IP address, just like burglars at your house do not leave their own business cards behind.
In many other cases, the requests could be arriving on dynamically allocated IPs. Think phone-company and, in some countries, local ISP IPs: random and changing DHCP allocation of IPs. Used by Mr. Bad Guy today, used by Ms. Buy-Pretty-Clothes tomorrow.

That’s why you frequently see the same screwy login name being attempted from IPs belonging to a multitude of countries at almost the same time. 10-15 countries do not actually decide to attack you at the same time. It is one robotic attack, which COULD be originating as close as your neighbor’s house, but passing its traffic through Proxy or VPN servers around the world. (Companies like HideMyAss and iPredator sell this type of access in batches of hundreds or even thousands of IP addresses at a time for spammer and hacker use.)

    So if invalid or brute-force attempts are not blocked by the firewall as attempts, then you have a concern. But you typically don’t really want every single VPN/proxy service blocked individually automatically, as a valid user might arrive on it the next hour.

If a whois shows that the attack originates from a bad IP range (Hetzner hosting, AWS cloud, …), then it is better to simply block the whole range, assuring that all their traffic is blocked. (Valid users do not come out of bad server hosting.)
Blocking individual IPs one at a time because of what is frequently a temporary infraction (IP-level speaking) is simply not the way to go about it.

BTW, that use of Proxies and VPNs is also why country-blocking (blocking a whole country at a time) is typically a poor idea. “Countries” do not attack. People do.
And the ACTUAL, final hacker-user of that set of proxies, spread all over the world, can just as easily sit in your own backyard, or in Canada, as he can in China or Moldova. And some normal visitors, because they do not understand the realities of proxies and VPNs, buy or use these services as well.
Either because some fool told them it makes their traffic more secure or secret, or because they are trying to skirt licensing issues, such as Canadian/US users wanting to watch British BBC-licensed programming by hiding behind a British proxy IP address.

Bottom line, though: I’ll thank the Wordfence team to not automatically block every IP permanently, just because of a bad username use.

    @crudhunter – In Wordfence, there is a feature to immediately block the IP address of users who try to log in using a list of usernames that you provide.

    That feature doesn’t work. That’s the point of this whole thread – Wordfence allows you to list out some usernames that if anyone tries to login using those usernames it is to automatically block their IP address.

    That feature is not working and it should work because it’s useful. Anyone trying to log into one of my sites with the username of “admin” or “administrator”, I want Wordfence to block their IP because they are trying to brute force my site.

I am sure the Wordfence folks will correct me if I am wrong, and MAYBE they could word the option on the config screen a little more clearly as to “Block” versus “Lock out”.

But, if I see it correctly, the “Immediately Block” option is NOT supposed to be a permanent block. It is a temporary Lock Out, where the IP immediately gets blocked for your specified time period, say 5-10 minutes. Then the Lock Out times out again, and that IP is unblocked. By that time, the brute force is over/given up, or the IP will be locked out yet again when seen.
This effectively prevents brute force from that IP, because it will not reach the login screen again during that period if it just once uses a “banned” username.

If you look under Wordfence -> Blocking, you should, I believe, see the temporary block there, where you have the option to click to make it permanent. But as I already mentioned, typically that is not necessarily a good idea. That same hacker will rarely come back using the same proxy/VPN IP. And if you don’t like that Proxy range, block the range, not individual, single IPs.

I, for one, would certainly NOT want an automatic option to permanently ban all IPs individually as they get abused.
Wow. The expenditure of time your site would use, trying to match all incoming IPs against a blocked-IP table with eventually 100,000s or even millions of individually blocked IPs in it.
Sites would over time slow to a crawl. I guarantee you that such an option would not end well for any site.

    • This reply was modified 7 years, 3 months ago by Caleb.
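To make the lockout mechanics described in the reply above concrete, here is an added Python sketch of that policy (written for this thread, not Wordfence's own code), using the settings quoted earlier: 20 failures counted over 1 day, a 5-day lockout, and an immediate lockout for listed usernames. It models only failed attempts; the exact threshold semantics and the IP addresses are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values taken from the settings quoted in this thread.
MAX_FAILURES = 20                      # "maximum number of login failures which is: 20"
FAILURE_WINDOW = timedelta(days=1)     # "Count failures over what time period = 1 day"
LOCKOUT_DURATION = timedelta(days=5)   # "Amount of time a user is locked out = 5 days"
BANNED_USERNAMES = {"admin", "administrator"}  # "Immediately Block the IP who try to logon as these usernames"


@dataclass
class LockoutState:
    """Per-IP failure history and active lockouts for a single site."""
    failures: dict = field(default_factory=dict)      # ip -> list of failure timestamps
    locked_until: dict = field(default_factory=dict)  # ip -> datetime the lockout expires

    def check(self, ip: str, username: str, when: datetime) -> str:
        """Evaluate one FAILED login attempt.

        Returns 'locked'  if the IP is inside an active lockout (attempt never reaches login),
                'lockout' if this attempt triggered a new lockout,
                'allow'   if the attempt was processed normally.
        """
        until = self.locked_until.get(ip)
        if until is not None and when < until:
            return "locked"
        if username in BANNED_USERNAMES:
            # Listed username: lock out on the very first attempt, no counting needed.
            self.locked_until[ip] = when + LOCKOUT_DURATION
            return "lockout"
        # Drop failures older than the counting window, then record this one.
        recent = [t for t in self.failures.get(ip, []) if when - t <= FAILURE_WINDOW]
        recent.append(when)
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES:   # assumption: the 20th failure triggers the lockout
            self.locked_until[ip] = when + LOCKOUT_DURATION
            return "lockout"
        return "allow"


if __name__ == "__main__":
    # Constructed replay of "62 times in 13 minutes" against a listed username (example IP).
    state, base = LockoutState(), datetime(2017, 2, 22, 13, 0)
    results = [state.check("203.0.113.5", "admin", base + timedelta(seconds=12 * i)) for i in range(62)]
    print(results[0], results.count("locked"))  # expected: lockout 61
```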

    This feature just doesn’t work at all – not even the way @crudhunter described.

I have a specific username that I’ve added to the list – when someone tries to login with this username their IP address should be blocked.

    That’s what the feature in Wordfence says that it does – that’s what it should do.

It doesn’t work at all. I just had a person try to login with a username on the list I’ve identified, 62 times in 13 minutes, and their account didn’t get blocked at all, even temporarily. It’s like them trying to use that non-existent username that’s on the list means even the basic brute force lockouts that I’ve set don’t apply.

    It would be good if someone from Wordfence would reply to this thread, it’s been open for a year and it doesn’t even get a response. The feature isn’t working – if it doesn’t work, take it out or fix it, just let us know either way.

  • The topic ‘IPs of blocked users attempting login not being blocked’ is closed to new replies.