Reducing mail alerts for brute force attacks

  • Resolved maltmann

    (@maltmann)


    7 years, 8 months ago

    Hi,
    I really love the plugin due to it’s overwhelming amount of checks and features. It does an incredibly great job, so I use it on several sites to my very best satisfaction.
    Its mail alerts are an effective way of informing me of possible security problems on my site.

    However, during a wave of brute force attacks I get tons of mails stating “A user with IP addr […] has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username ‘[…]’ to try to sign in.”, referencing to invalid usernames, e.g. <domain>, <domain>admin, admin<domain>, …

    Only today, I got 400 mails up to now.
    And unfortunately, this makes it impossible to be on alert for really serious problems.

    SURE, I want to receive alerts concerning my website.
    SURE, I want to receive them promptly and in time to take possible actions, e.g. if a real user has been blocked due to wrong password by mistake.

    But I don’t want to be alerted about every single obvious brute force caused block.

    Beside the “user has logged in” and “admin user has logged in”, I could only find a setting to globally limit other alert mails to X per hour.

    I would appreciate a more differentiated setting here, e.g. for this case
    – Do not alert on ‘login attempt using invalid user name’
    – Collect ‘login attempt using invalid user name’ to X per hour

    Any chance to get that on a future feature list?

    Thanks,
    Matt

    • This topic was modified 7 years, 8 months ago by maltmann. Reason: typo
    • This topic was modified 7 years, 8 months ago by maltmann. Reason: typo
Viewing 4 replies - 1 through 4 (of 4 total)
  • wfasa

    (@wfasa)

    7 years, 7 months ago

    Hi @maltmann,

    Thanks for the feedback, happy to hear you find Wordfence useful!

    I would recommend you disable the “Alert when someone is locked out from login” completely. Getting just one of those alerts wouldn’t be very useful as it would be a random one out of hundreds or what do you think?

    Thread Starter maltmann

    (@maltmann)

    7 years, 7 months ago

    Thank you, @wfasa, for your answer.
    I was aware of that option.

    However, I sure want to be alerted when someone tried to log in using an existing user name. Having a look at the IP address and location (great!) I’m able to detect if it’s one of my real users, who failed to log in and has now being blocked. So I can take actions to support him, unblock him…

    My request was more towards a more differentiated option to be alerted e.g. on failed login attempts using existing user names and non-existing user names.

    Any chance to get such a feature in a future release?

    Thanks,
    Matt

    wfasa

    (@wfasa)

    7 years, 7 months ago

    Hi again!
    Thanks for elaborating. I understand. It makes sense to me that you might only want alerts for login attempts that were using a valid username. I can’t make any promises of if or when it will be implemented but I’ll forward your feature request to the team for consideration.

    Thanks for the feedback!

    Thread Starter maltmann

    (@maltmann)

    7 years, 7 months ago

    Thank you very much!

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Reducing mail alerts for brute force attacks’ is closed to new replies.