Title: blocking failed usernames Last modified: March 4, 2026 --- # blocking failed usernames * Resolved [pattycake](https://wordpress.org/support/users/pattycake/) * (@pattycake) * [3 months ago](https://wordpress.org/support/topic/blocking-failed-usernames/) * I have people that have discovered the admin email address and are trying to login using that as a username. I always log in using the admin username, never the email address. Can I add the email address to the firewall blocking and still be able to log in using the username, not the email address? Hate to lock myself out. - This topic was modified 3 months ago by [pattycake](https://wordpress.org/support/users/pattycake/). Viewing 1 replies (of 1 total) * Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/) * (@wfpeter) * [3 months ago](https://wordpress.org/support/topic/blocking-failed-usernames/#post-18841444) * Hi [@pattycake](https://wordpress.org/support/users/pattycake/), thanks for getting in touch, * At present, the email address associated with a valid username can’t be separately considered invalid. * An email address or even WordPress username being exposed isn’t generally considered a security issue, even by WordPress themselves: [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue) * The best protection is to make sure all admin accounts and those with high level access use a **very strong password** and, ideally, [two-factor authentication](https://www.wordfence.com/help/tools/two-factor-authentication/) to ensure the login attempts don’t succeed. We recommend using a password manager to store and/or generate long complex passwords that are exceedingly difficult to brute force. * If there are a large amount of login attempts coming from a large pool of IP addresses then you can also enable the Google reCAPTCHA feature found on the ** Login Security > Settings** page. * Generally speaking, it’s time consuming and not necessary to implement a manual blocking regime as Wordfence will do all the important blocking for you. You can by all means _decrease_ the amount of login attempts allowed and _increase_ block/lockout times in your [Rate Limiting](https://www.wordfence.com/help/firewall/rate-limiting/) and [Brute Force](https://www.wordfence.com/help/firewall/brute-force/) settings to hours, days, or even months to see if this reduces the noise. * Many thanks, Peter. Viewing 1 replies (of 1 total) You must be [logged in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fblocking-failed-usernames%2F%3Foutput_format%3Dmd&locale=en_US) to reply to this topic. * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865) * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordfence/) * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/) * 2 replies * 2 participants * Last reply from: [wfpeter](https://wordpress.org/support/users/wfpeter/) * Last activity: [3 months ago](https://wordpress.org/support/topic/blocking-failed-usernames/#post-18841444) * Status: resolved