• anonymized-14293447

    (@anonymized-14293447)


    I have set my WF so that one is blocked after just one attempt; as a matter of fact, I also got a code in htaccess that hides the wordpress login page to everybody except my IP. Yet I keep receiving login alerts, and today I even got one saying that someone who has administrator access signed in… he had my username and his IP is out there in Russia.
    I’m not sure that WF is doing the job fully. Can you advise?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Are you sure you have the login page blocked in htaccess? It would not be possible to bypass that. It should look like:

    <files wp-login.php>
    order deny,allow
    deny from all
    allow from xxx.xxx.xx.xx
    </files>

    Make sure you don’t have alternative ways to login. For example, if you have Woocommerce, users (and ‘admins’) can login via the Woocommerce form, without using the wp-login page.

    Thread Starter anonymized-14293447

    (@anonymized-14293447)

    I do have that code block listed first in my .htaccess, because I’m still building the site. It is true that my IP strangely changes now and then, even if I’m connected via cable to the modem.
    Yet, does it mean that once the site is finished and I disable that code I’ll be at risk?

    Hi @arsenalemusica
    Another login method in WordPress is using XML-RPC, which might be preferred by attackers in certain parts of the world.

    Please check this article to know more details about XML-RPC and whether you need to block it or not, knowing that all the options adjusted in “Login Security Options” will be applied to login attempts via XML-RPC as well.

    May I ask if the timestamp of these “admin” login attempts matches any of your own login attempts? Also, are you sure the “How does Wordfence get IPs” option is set correctly? When you go to (Wordfence > Tools > Diagnostics > IPs), can you see your current IP there?

    Thanks.
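The two replies above make the same point from different angles: a `<Files wp-login.php>` rule only guards one URL, while credentials can also arrive through `xmlrpc.php` or a front-end form such as WooCommerce's account page, and Wordfence can only block what it attributes to the right source IP. The script below is an added example, not code from the thread or from Wordfence; it runs over a few constructed Apache combined-format log lines (the IPs, timestamps and the `/my-account/` WooCommerce slug are assumptions) and reports, per source IP, which login channel each POST used and which IPs never touched `wp-login.php` at all. On a real site it would be pointed at the web server's access log to check whether the "failed attempts" the poster sees are in fact reaching a path the `.htaccess` rule does not cover.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in Apache "combined" format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:01:12 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:01:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:01:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:08:02:01 +0000] "POST /my-account/ HTTP/1.1" 302 0 "https://example.test/my-account/" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:08:03:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2011 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:08:03:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths that accept a username/password. Only the first one is covered by a
# <Files wp-login.php> rule; the others are reachable regardless of it.
LOGIN_PATHS = {
    "/wp-login.php": "wp-login",
    "/xmlrpc.php": "xmlrpc",        # XML-RPC endpoint: wp.getUsersBlogs etc. take credentials
    "/my-account/": "woocommerce",  # assumed WooCommerce account/login page slug
}


def classify(line):
    """Return (ip, channel, status) for a POST to a login-capable path, else None."""
    m = LOG_RE.match(line)
    if m is None or m["method"] != "POST":
        return None
    path = m["path"].split("?", 1)[0]  # drop query string before matching
    channel = LOGIN_PATHS.get(path)
    if channel is None:
        return None
    return m["ip"], channel, int(m["status"])


def summarize(log_text, allowed_ips=frozenset()):
    """Count login-channel POSTs per source IP, ignoring IPs on the allow list.

    Returns {ip: {channel: count}}. The ip field is what the server logged, so
    behind a CDN or reverse proxy it is the proxy's address unless the log
    format was changed to record the forwarded client IP.
    """
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        ip, channel, _status = rec
        if ip in allowed_ips:
            continue
        per_ip[ip][channel] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}


def bypassing_htaccess(summary):
    """IPs that submitted credentials through a channel other than wp-login.php."""
    return sorted(ip for ip, chans in summary.items()
                  if any(ch != "wp-login" for ch in chans))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, allowed_ips={"192.0.2.9"})  # 192.0.2.9 stands in for the owner's IP
    for ip, chans in sorted(s.items()):
        print(ip, chans)
    print("not covered by the wp-login.php rule:", bypassing_htaccess(s))
```

The allow list plays the role of the `allow from` line in the `.htaccess` block: traffic from the owner's own address is dropped from the report so that what remains is exactly what Wordfence's login-attempt alerts are reacting to. If the script shows only `xmlrpc` or `woocommerce` entries for an IP, the `.htaccess` rule was never in play for that traffic, which matches the "hidden page but still failed attempts" observation in the thread.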

    Thread Starter anonymized-14293447

    (@anonymized-14293447)

    I confirm that in Diagnostics I see my current IP. Also, I wouldn’t try to enable XML-RPC because I do have some APIs linked to Apps. It might be that I overlooked the timestamp; I’ll investigate that further.
    Yet, what concerns me most is the fact that my login page is hidden but I still see failed attempts to login. If they failed it means they tried, therefore it means that the login page is visible.

    Thread Starter anonymized-14293447

    (@anonymized-14293447)

    There it goes, a hole in WF!
    I got an email “A user with username xxx deactivated Wordfence on your WordPress site.” so I went into the site and discovered that WF and my Maintenance plugin were disabled. Moreover, in the Admin profile all the name/address/… fields were filled in. There were also some username guesses in the “public name” field, probably stored in a cache.
    My login attempt limit is always set to 1, I have htaccess to hide the login page except from my IP, I even have the site under construction, yet people can still manage to attempt usernames.


The topic ‘is WF really working ?’ is closed to new replies.