• Resolved adrian33000

    (@adrian33000)


    I have been receiving consistent notifications like this:
    A user with IP address 2800:810:458:18c3:8d1f:5512:fa42:cfe7 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username ‘test01’ to try to sign in.

    This is very strange, as the username used is either this one or a regular alternative, and the locations are from various countries, so I assume the person is using a VPN to avoid the 2 month lockout. But that is not all that is confusing. I use a plugin that stops access to the WP login (wp-admin or wp-admin/admin.php); to gain access to this, the person needs to know what to include after the website name. In this case the site is repdomwebs.com, so to get to the login screen there is a /********* required. If you try just the site URL/wp-admin you are sent to a 404 page saying this does not exist. It seems clear that someone is actively trying to log in to the site, and the use of consistent invalid usernames indicates the same person or bot is doing this. But I don’t understand how they are finding the login page, as I have changed the required extension and without that it should not be possible.

    Any suggestions or other means to stop this would be appreciated. They are always blocked, but it is just annoying to constantly receive this notice, sometimes 2 or 3 times a day.

    Thanks

    Adrian Head


Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @adrian33000,

    They are most likely to be automated attempts, which I’m glad to see are being blocked. As Wordfence is an endpoint firewall, the request needs to reach the site before it decides whether it should be blocked/throttled so you’ll still see the visits in your Live Traffic even if they were immediately dealt with before any site content was served.

    I would say the circumstances of an altered login URL suggest the attempts aren’t made using the front-end of your site. Disabling XML-RPC (if you’re able to) is always a good idea if you haven’t already. You can also prevent XML-RPC authentication in our Wordfence > Login Security > Settings page.

    If you’re not using Jetpack or the WordPress app, try disabling access to XML-RPC altogether via your .htaccess file with:

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

    Many thanks,
    Peter.
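
To confirm from the web server's access log which endpoint the sign-in attempts actually reach, the following added example (not part of the original thread and not Wordfence code) counts POST requests to each credential-accepting WordPress endpoint. It assumes the Apache/Nginx "combined" log format; `/hidden-login-slug` is a placeholder for the renamed login URL, and the sample lines are constructed.

```python
import re
from collections import Counter

# One line of Apache/Nginx "combined" access-log format (assumed log format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Endpoints that accept WordPress credentials. "/hidden-login-slug" is a
# placeholder for the renamed login URL; substitute the site's own value.
AUTH_ENDPOINTS = {
    "/xmlrpc.php": "xmlrpc",
    "/wp-login.php": "wp-login",
    "/hidden-login-slug": "custom-login",
}

def auth_posts(lines):
    """Count POSTs to credential-accepting endpoints, overall and per client IP."""
    per_endpoint, per_ip = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string and normalise "//xmlrpc.php" or a trailing slash.
        path = re.sub(r"/{2,}", "/", m["path"].split("?", 1)[0]).rstrip("/")
        label = AUTH_ENDPOINTS.get(path)
        if label:
            per_endpoint[label] += 1
            per_ip[(m["ip"], label)] += 1
    return per_endpoint, per_ip

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '2001:db8::1 - - [10/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:00:05 +0000] "POST //xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2024:10:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 1200 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Jan/2024:10:02:00 +0000] "POST /hidden-login-slug HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '2001:db8::1 - - [10/Jan/2024:10:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    per_endpoint, per_ip = auth_posts(SAMPLE_LOG)
    for label, count in per_endpoint.most_common():
        print(f"{label:13} {count} POSTs")
    for (ip, label), count in per_ip.most_common(3):
        print(f"{ip:20} {label:13} {count}")
```

Many POSTs to `xmlrpc.php` from changing addresses alongside few or none to the renamed login URL is consistent with attempts that never touch the front-end login page.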

    Thread Starter adrian33000

    (@adrian33000)

    Hi Peter

    Many thanks for this. I am inclined to agree that it seems unlikely that these login attempts are coming via the front end.

    For now, I have activated the option to disable XML-RPC in Wordfence and will monitor the result to see if that puts a stop to the attempts. If that does not work I will then add the suggested code to the .htaccess file which I can do from the server. For now fingers crossed!

    Thanks Adrian

    Plugin Support wfpeter

    (@wfpeter)

    Absolutely @adrian33000, and no worries. Let us know how you get on!

    Peter.

    Thread Starter adrian33000

    (@adrian33000)

    After more than a week, there have been no further login attempts that prompted this question so it looks as if the option to disable XML-RPC in Wordfence has worked successfully.

    So many thanks Peter. I am closing this thread as resolved.

    Adrian


The topic ‘Invalid User Locked Out’ is closed to new replies.