• Resolved anfuca

    (@anfuca)


    Hi,
    I’m receiving a lot of bot attacks attempting to log in using a username that only contains numbers. For example, something like: 65128374

    I’ve included that username in the list of forbidden usernames to try to block automatically when someone tries to log in with it, but it isn’t working. I’ve tried adding it with quotes too, “65128374” or ‘65128374’, but it isn’t working.

    I have other words such as admin and wwwadmin that are working perfectly, but with this specific number, it is not.

    Thanks

Viewing 4 replies - 1 through 4 (of 4 total)
  • Great topic! Let’s see what Team Wordfence’s reply is.

    Wordfence’s documentation states: “Any username … ” can be used.

    We conducted a test using only numbers as a username and Wordfence DID NOT block it.

    To verify the feature works, we then used one of our commonly-blocked usernames (i.e., admin) and Wordfence DID block it.

    Cheers!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @anfuca, thanks for reaching out about this.

    I’ve just added the precise numeric username you mention above to my site, as part of a list of other alphabetical and alphanumeric usernames for consistency (just in case having a mixture was important). I was successfully blocked when trying to use it, with Live Traffic giving “Blocked by login security setting” as the reason, as expected when the “Immediately block the IP of users who try to sign in as these usernames” setting is the deciding factor.

    The only occasion this setting might be ignored is when the username matches an existing user on your site, the SAVE CHANGES button hasn’t been used on the All Options page, or caches in place on your site/server/database are still loading the pre-change settings.

    Failing that, if you don’t have a large number of users, “Immediately lock out invalid usernames” could be checked in an attempt to deal with the randomly picked usernames. However, this is generally against our recommendations for online stores, forums, etc. where common mistakes like mistyping a username will result in unwanted blocks for your own users.

    Let us know if you observe anything else or nothing seems to change when trying the above,
    Peter.

    Hey @wfpeter,

    We re-tested our login capabilities using an all-numeric username.

    As it turns out, yes, the all-numeric username was blocked by Wordfence but ONLY after we attempted to enter a password (not before) in our login panel.

    So, the question is: Shouldn’t Wordfence detect and block the all-numeric username BEFORE the password is entered?

    In any case, yes, the blocking feature using any username works as intended.

    Great topic. As always, thank you for your help and dedication to this forum.

    If you ask me, this topic can be closed as “Resolved.”

    Cheers!

    Thread Starter anfuca

    (@anfuca)

    Thanks for the responses.

    Yes, the user exists (and bots were finding it through the API). After deleting the user and hiding the user discovery through the API, no more bot attacks were received using that numeric user.

    Topic resolved. Thank you very much for the support!
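
The pattern described in the last reply (bots discovering an existing username through the API, then using it at the login form) can be looked for in a web server access log. This is an added example, not code from the thread or from Wordfence; it assumes "the API" means the WordPress REST users endpoint (`/wp-json/wp/v2/users` or `?rest_route=/wp/v2/users`) and a combined-format access log, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "bot/1.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "bot/1.0"
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "bot/1.0"
198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "GET /?rest_route=%2Fwp%2Fv2%2Fusers%2F1 HTTP/1.1" 401 90 "-" "bot/2.0"
198.51.100.4 - - [10/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "bot/2.0"
192.0.2.10 - - [10/Mar/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:02:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumed discovery route: the REST users collection or a single user, in either URL form.
USERS_RE = re.compile(r'(?:/wp-json|[?&]rest_route=)/wp/v2/users(?:[/?&]|$)')
LOGIN_RE = re.compile(r'^/wp-login\.php(?:\?|$)')

def audit(log_text):
    """Return (followups, denied).

    followups: {ip: number of wp-login.php POSTs made after that IP received
                a 200 from the users endpoint} (username disclosed, then used)
    denied:    sorted IPs whose users-endpoint requests got a non-200 answer,
               which is what every probe should show once discovery is hidden
    """
    leaked, denied = set(), set()
    followups = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, target, status = m.groups()
        target = unquote(target)  # rest_route is often sent percent-encoded
        if method == "GET" and USERS_RE.search(target):
            (leaked if status == "200" else denied).add(ip)
        elif method == "POST" and LOGIN_RE.match(target) and ip in leaked:
            followups[ip] += 1
    return dict(followups), sorted(denied)

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

An empty `followups` result together with probes showing up only under `denied` is the state the thread ends in, after the user was deleted and discovery was hidden.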
