User lockout for invalid username – but it isn’t invalid

  • Hi,
    I have a user who has been locked out by Wordfence. I received an email telling me they were locked out from signing in and from password recovery because they used an invalid username to try to sign in. ( 4 hour lockout )
    That all sounds fine except that the username the email quotes, is perfectly valid and the user is a genuine user.

    So what has actually caused the lockout?

    I did check the id on the haveibeenpawned site, as per the trouble shooting guide. That userid is reported there. So is this the reason?
    If it was then I would expect Wordfence to send a different email as I have “Alert when someone is blocked from logging in for using a password found in a breach” enabled.

    I’m not complaining about the lockout itself more that I need more clarity in the notifications/logging so that I can respond to the user when they phone up complaining!

    Many thanks
    Alan

Viewing 2 replies - 1 through 2 (of 2 total)

  • Hey @alanjacobs,

    Can you please share a screenshot of the lockout with the expanded Details in Wordfence > Lve Traffic? This might give us a better clue as to what’s happened.

    Please let me know.

    Thanks,

    Gerroald

    Thread Starter alanjacobs

    (@alanjacobs)

    Hi, would prefer not to as it would include userids, emails and Ips.

    Looks like the user tried to login with their userid, but failed. I see from iThemes that this was due to incorrect password.
    User then tried logging in using their email address but this was flagged as an invalid userid.

    I suspect that they again tried the wrong password. If so no problem with them being locked out.

    But obviously it would help if the messages were more helpful.

    Cheers
    Alan

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘User lockout for invalid username – but it isn’t invalid’ is closed to new replies.