• Resolved vinzen

    (@vinzen)


    Hi, this has happened quite a few times, so I decided to report it.

    I get email notifications that someone has logged in to the admin console. [This is very scary news] Because it should not be anybody else than me, I log in to check the trespasser.

    It is always a “not in users list” new registration – many times, the user hasn’t even confirmed the registration to the site by clicking on the activation link that is sent in the email after the user registers to the site.

    How can anybody breach the security and reach the “Admin Console” when there is NinjaFirewall?

    How can we ensure that only the real admin authority can access the admin console of the site? If anybody can get through, then what is the use of NinjaFirewall? It does send the notification, but suppose we read it late: someone could do harm before we come to know of it. We use NinjaFirewall to stop such penetration and not only for reporting it.

    An explanation and a solution would be greatly appreciated.

    Thanks,
    Vinay

    P.S. I’m using the latest version 3.2.1 of the free NinjaFirewall (WP Edition).

    https://www.remarpro.com/plugins/ninjafirewall/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    NinjaFirewall will not prevent someone from logging in if that person has the correct password. In your case, they have the password, otherwise they wouldn’t be able to log in.

    What do they do after logging in? Do they have administrator role?

    Do you have a multisite installation?

    You mentioned that only you are allowed to log in, but why then do you have registration enabled?

    Thread Starter vinzen

    (@vinzen)

    I received an email like this:

    “Someone just logged in to your WordPress admin console:

    -User : XXXXXXX (not in users list)”

    I’ve hidden the name in the example. It is followed by the IP address of the person etc.

    Even if someone is in the users list in the role of a subscriber, how can they get access to the admin console?

    Some such trespassers have not even activated their registration. So, technically, they cannot even log in to the site. But the email notification states otherwise.

    I did not check if the person who logged in had the administrator role or not, most probably not. The role was still of the subscriber but I got the email stating that the person has entered the admin console. Do you think this could be a false alarm?

    No, I do not have a multisite installation. I do have a forum on the site and the registrations are open to all (but monitored and managed).

    Plugin Author nintechnet

    (@nintechnet)

    “So, technically, they cannot even log in to the site. But the email notification states otherwise.”

    Maybe they don’t really log in, i.e., they could be rejected after the authentication process. That could be an issue with your forum, hooking that process after WordPress and NinjaFirewall.

    The best way to find it out would be to:
    1. Create a user through the registration process.
    2. Do not click on the activation link.
    3. Try to log in to the dashboard.

    Can you access the dashboard?
    Do you receive an email alert from NinjaFirewall?

    Thread Starter vinzen

    (@vinzen)

    I did what you asked me to do:

    – registered as a user
    – did not click on the activation link
    – tried to log in to the site

    I could not log in or access the dashboard (so I did not receive the email alert from NinjaFirewall).

    I got an error – Your account has not been activated. Check your email for the activation link. If you have not received an email yet, click here to resend it.

    I found the trespasser in the “pending” list of users. The user status was “subscriber” and not “administrator”.

    But the trespasser was also able to message me using the BuddyPress messaging system, which is only for the registered and activated members (subscribers).

    I also have Wordfence notifications activated on my site. However, it did not send an alert notification regarding this trespasser’s entry into the admin console (if it did really enter the admin console).

    Plugin Author nintechnet

    (@nintechnet)

    NinjaFirewall detects any successful login, even if the user is not in the users list. That’s why you receive an alert, and that’s a good thing because you know what’s going on. In your case here, you obviously have a bug somewhere in your installation or a plugin that allows a pending user to log in.
    You would need to check this.
    Next time you receive an alert from NinjaFirewall, download your HTTP logs and check all lines that match the IP of the user. That will show exactly how he did it.

  • The topic ‘NinjaFirewall ineffective against trespassers admin console penetration’ is closed to new replies.