• Resolved amiya1672

    (@amiya1672)


    Hi,

    Just something that is worrying me the last few days. So what happened was I hired an editor to proofread my articles. She reported that her access was restricted. It appeared that her access was blocked by Wordfence because she exceeded the number of login attempts (an alert email was received). The lockout time I set up is 1 day. But it seemed like she was able to log in before the 1 day period.

    So my question is, are there any loopholes to the lockout function? For example, if she uses things like OnePass or other kinds of password management software, will it bypass the Wordfence firewall?

    Kind Regards,
    Lily

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @amiya1672, thanks for getting in touch.

    Please ensure that the Wordfence > All Options > Brute Force and Wordfence > All Options > Rate Limiting are switched to “ON”. Not all blocks are affected by the “Amount of time a user is locked out”, however.

    You can check to see why this user was blocked by looking at Wordfence > Tools > Live Traffic, then filtering Blocked/Locked Out/Logins and Logouts you should be able to see times, location/IP and the reason.

    Let me know if you have any further questions about what you find!

    Peter.

    Thread Starter amiya1672

    (@amiya1672)

    Hi @wfpeter , thanks for getting back to me.
    Yes, both are on.
    Can I just clarify, when you said “not all blocks are affected by the amount of time a user is locked out”, do you mean a user that is supposed to be locked out and shouldn’t be able to log in can still log in within the lockout timeframe?
    So say a user was locked out for a day because of repeated failed login attempts, is it possible that he or she can still log in after 10 minutes of being locked out?
    I’m just a bit confused about blocks and locked out now.

    Kind Regards,
    Lily

    Plugin Support wfpeter

    (@wfpeter)

    Hi @amiya1672, thanks for your reply.

    When somebody is blocked due to a WAF rule, they aren’t assigned a block expiration time so never appear on the Firewall > Blocking page. However, if they are specifically blocked due to a rate limiting or brute force rule you have set, they should be blocked for the time periods specified in those sections of your All Options page.

    You can tell the reason they were blocked from Live Traffic, so you can point directly to whether it was a firewall rule, Rate Limiting or Brute Force setting that “caught” them. If they input an invalid username, tried a wrong password too many times and were able to access the site before their block was meant to be lifted, please feel free to provide screenshots using a service like Snipboard. You can obscure sensitive information after uploading, and it would be most helpful to see the Live Traffic entry along with the time settings that should have applied to them from your All Options page.

    Thanks again,

    Peter.

    Thread Starter amiya1672

    (@amiya1672)

    Hi @wfpeter ,
    Thanks for getting back to me.
    I don’t have screenshots that can prove that she actually logged in within the 1 day lock-out period, so I’m just including a screenshot of her message to me in the below google doc link.
    The weird thing is, I can never see her logging into Wordfence anymore since her first login on the 19th of Oct. Supposedly, she was locked out, and when she logged back in, there should be a record, but it’s nowhere to be found.
    Please find below the link to Google doc that I have including some screenshots for your reference.

    Her user name is HanaN.

    https://docs.google.com/document/d/1X9aPssAuJoQJ6YPWOMzddyeAUlT1pGgSmSUkNTcbIsE/edit?usp=sharing

    Kind Regards,
    Lily

    Plugin Support wfpeter

    (@wfpeter)

    Hi @amiya1672,

    If Wordfence > All Options > Brute Force > Amount of time a user is locked out and Wordfence > All Options > Rate Limiting > How long is an IP address blocked when it breaks a rule? are set to low timescales such as minutes or hours, you may never see them on any blocked list as they’ve already been removed when you check. You can try increasing these to days or months if you prefer. Naturally, make sure both Brute Force and Rate Limiting toggles are set to ON for these rules to work. There’s also some good information on recommended settings and what everything does if you follow the links I’ve provided.

    If you wish to share your values in those two sections of Wordfence > All Options here with me, I could see how they might have affected the user’s access shown in your previous Live Traffic screenshot.

    Thanks again,

    Peter.

    Thread Starter amiya1672

    (@amiya1672)

    Hi @wfpeter
    Thanks for getting back to me.
    I have included the screenshots of the two sections in the google doc. Settings haven’t been updated since the issue was identified.

    Kind Regards,
    Lily

    Plugin Support wfpeter

    (@wfpeter)

    Hi @amiya1672,

    Your settings don’t look too restrictive or like they’d cause an issue for other users. I notice the login failures setting is 3, so the 2 “failed login” attempts seen in Live Traffic in quick succession seem to be within the parameters of what is allowed without a full block on that user’s IP for 1 day. I would expect the settings to be called into question if you saw 4 or more “failed login” entries for a single user on a single IP in Live Traffic before the 1 day period was over.

    It’s also positive to see they got their password wrong, then rectified it, so were able to relay to you it was a user-input error rather than the site or script errors.

    Thanks,

    Peter.
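As an added example (not Wordfence’s code, and not posted by anyone in this thread), the following Python model of a brute-force lockout counter illustrates the behaviour Peter describes in his last two replies: a couple of failures under the threshold followed by the correct password is just a user-input error and never creates a lockout; exceeding the threshold locks the source IP for the configured period even if the right password is then supplied; and a short lockout has already expired, and so has vanished from the blocked list, by the time an admin looks. The class and function names, the threshold semantics (the lock fires when failures exceed the configured count, matching the “4 or more” expectation above), the per-IP counting window, and the sample IP, username and passwords are all assumptions made for this example.

```python
"""Toy model of a brute-force login lockout (added example, not Wordfence code).

Assumptions: failures are counted per source IP inside a sliding window; the
lock fires when the failure count exceeds max_failures; an expired lockout is
discarded the next time that IP is seen, so it no longer shows in the list.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    max_failures: int = 3          # "Lock out after how many login failures"
    count_window: int = 5 * 60     # seconds in which failures are counted (assumed)
    lockout_seconds: int = 86400   # "Amount of time a user is locked out": 1 day


@dataclass
class IpState:
    failures: List[int] = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[int] = None                 # epoch seconds, None = not locked


class LoginGuard:
    def __init__(self, policy: LockoutPolicy, users: Dict[str, str]):
        self.policy = policy
        self.users = users                  # username -> password (constructed sample data)
        self.state: Dict[str, IpState] = {}
        self.live_traffic: List[Tuple[int, str, str, str]] = []  # (time, ip, user, action)

    def attempt(self, ip: str, username: str, password: str, now: int) -> str:
        st = self.state.setdefault(ip, IpState())
        # An expired lockout is cleared on the next visit, so it "disappears".
        if st.locked_until is not None and now >= st.locked_until:
            st.locked_until, st.failures = None, []
        if st.locked_until is not None:
            return self._record(now, ip, username, "locked out")
        if self.users.get(username) == password:
            st.failures = []                # a good login resets the counter
            return self._record(now, ip, username, "login")
        # Failed login: forget failures outside the window, then add this one.
        st.failures = [t for t in st.failures if now - t < self.policy.count_window]
        st.failures.append(now)
        if len(st.failures) > self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            return self._record(now, ip, username, "failed login; locked out")
        return self._record(now, ip, username, "failed login")

    def _record(self, now: int, ip: str, username: str, action: str) -> str:
        self.live_traffic.append((now, ip, username, action))
        return action

    def blocked_list(self, now: int) -> List[str]:
        """Like Firewall > Blocking: only lockouts that have not yet expired."""
        return sorted(ip for ip, st in self.state.items()
                      if st.locked_until is not None and now < st.locked_until)


IP = "203.0.113.5"                          # constructed sample address
USERS = {"HanaN": "correct horse"}          # constructed sample credential


def scenario_user_input_error() -> Tuple[List[str], List[str]]:
    """Two wrong passwords then the right one: under the threshold, no lockout."""
    g = LoginGuard(LockoutPolicy(), USERS)
    actions = [g.attempt(IP, "HanaN", "wrong1", 1000),
               g.attempt(IP, "HanaN", "wrong2", 1010),
               g.attempt(IP, "HanaN", "correct horse", 1020)]
    return actions, g.blocked_list(1020)


def scenario_lockout() -> Tuple[List[str], str, str]:
    """Four failures exceed max_failures=3; the IP stays locked for a day."""
    policy = LockoutPolicy()
    g = LoginGuard(policy, USERS)
    actions = [g.attempt(IP, "HanaN", "wrong", 1000 + 10 * i) for i in range(4)]
    during = g.attempt(IP, "HanaN", "correct horse", 1100)             # right password, still locked
    after = g.attempt(IP, "HanaN", "correct horse", 1030 + policy.lockout_seconds)
    return actions, during, after


def scenario_short_lockout_invisible() -> Tuple[List[str], List[str]]:
    """A 10-minute lockout is visible right away but gone an hour later."""
    g = LoginGuard(LockoutPolicy(lockout_seconds=600), USERS)
    for i in range(4):
        g.attempt(IP, "HanaN", "wrong", 1000 + 10 * i)
    return g.blocked_list(1040), g.blocked_list(1040 + 3600)


if __name__ == "__main__":
    print(scenario_user_input_error())
    print(scenario_lockout())
    print(scenario_short_lockout_invisible())
```

The practical check this suggests for the thread’s situation: count the “failed login” entries for the user’s IP in Live Traffic inside the counting window, compare that count with the configured threshold, and compare the lockout timestamp plus the configured duration with the time of the later successful login; only if the threshold was exceeded and the login still landed before expiry is the lockout itself in question.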

  • The topic ‘user able to log in when they should have been blocked’ is closed to new replies.