Title: Testing WP_FAIL2BAN_BLOCK_USER_ENUMERATION
Last modified: August 30, 2016

---

# Testing WP_FAIL2BAN_BLOCK_USER_ENUMERATION

 *  Resolved [nh905](https://wordpress.org/support/users/nh905/)
 * (@nh905)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/testing-wp_fail2ban_block_user_enumeration/)
 * Great plugin! Solves one of my major concerns about WordPress.
 * I successfully installed the plugin to log all login attempts. I also enabled
   and tested the feature to block logins to the ‘admin’ user. I am having trouble
   with the WP_FAIL2BAN_BLOCK_USER_ENUMERATION feature. I included `define('WP_FAIL2BAN_BLOCK_USER_ENUMERATION', true);`
   in wp-config.php but see no error messages if I access my site using “`http://<WPsite>/?author=<n>`”
   where ‘n’ is both a valid id and a non-existent id. Am I missing something obvious?
 * Thanks, Norbert
 * [https://wordpress.org/plugins/wp-fail2ban/](https://wordpress.org/plugins/wp-fail2ban/)

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Thread Starter [nh905](https://wordpress.org/support/users/nh905/)
 * (@nh905)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/testing-wp_fail2ban_block_user_enumeration/#post-6815697)
 * Using print_r calls before the ‘add_filter’, I confirmed that WP_FAIL2BAN_BLOCK_USER_ENUMERATION
   is defined and has a value of ‘1’. I also confirmed that the ‘author’ value is
   properly set in $_GET. However, I do not see any output from print_r calls after
   ‘add_filter’ and before the test for integer ‘author’ values, as though the hook
   is either not being set up properly or the filter function is not being called.
   I am testing the user enumeration feature using
    `http://<domain>/?author=2`
 * Thanks, Norbert
 *  Plugin Author [invisnet](https://wordpress.org/support/users/invisnet/)
 * (@invisnet)
 * [9 years, 11 months ago](https://wordpress.org/support/topic/testing-wp_fail2ban_block_user_enumeration/#post-6815963)
 * I’ve re-tested this for 3.0.2 and it’s working as expected. My guess is you’ve
   got another plugin that’s getting in the way.
 *  Thread Starter [nh905](https://wordpress.org/support/users/nh905/)
 * (@nh905)
 * [9 years, 11 months ago](https://wordpress.org/support/topic/testing-wp_fail2ban_block_user_enumeration/#post-6815964)
 * I will upgrade to 3.0.2 and re-test.
 * Thanks, Norbert
 *  Thread Starter [nh905](https://wordpress.org/support/users/nh905/)
 * (@nh905)
 * [9 years, 11 months ago](https://wordpress.org/support/topic/testing-wp_fail2ban_block_user_enumeration/#post-6815965)
 * I upgraded the WP-fail2ban plugin and disabled all other plugins. When I visited
   the domain as `http://<domain>?author=2`, the nodes associated
   with that user were displayed with the user name showing in the tab. Nothing 
   was logged to /var/log/secure. My wp-config.php contains:
 *     ```
       // 20151204 direct WP fail2ban messages to /var/log/secure
       define('WP_FAIL2BAN_AUTH_LOG',LOG_AUTHPRIV);
       // 20151204 block user enumeration
       define('WP_FAIL2BAN_BLOCK_USER_ENUMERATION',true);
       // 20161012 block all but xxx*, yyy* or zzz*
       define('WP_FAIL2BAN_BLOCKED_USERS','^(?!.*(xxx|yyy|zzz)).*');
       ```
   
 * Trying to login with an unexpected username does log to /var/log/secure, so that
   part is working.
 * Any suggestions on further debugging? I am running WordPress 4.2.9 on my test
   system and will be upgrading. Should I remove the code from the other plugins
   from the /plugins directory?
 * Thanks, Norbert
 *  Plugin Author [invisnet](https://wordpress.org/support/users/invisnet/)
 * (@invisnet)
 * [9 years, 11 months ago](https://wordpress.org/support/topic/testing-wp_fail2ban_block_user_enumeration/#post-6815966)
 * I can only think that it didn’t work with 4.2.x; I know I tested it (I keep a
   log), but maybe I missed something or maybe your install has a problem. Either
   way, this isn’t something that will benefit from further guessing.
 * Once you’ve upgraded to the latest version (4.5.3 at the time of writing) post
   back here, either way. I deliberately keep things simple in the plugin to avoid
   weirdness, but I’m genuinely curious about this one.
 *  Thread Starter [nh905](https://wordpress.org/support/users/nh905/)
 * (@nh905)
 * [9 years, 11 months ago](https://wordpress.org/support/topic/testing-wp_fail2ban_block_user_enumeration/#post-6815967)
 * Hi Charles, I have finally had a chance to refresh the test site. I am now running
   WordPress 4.5.3 with wp-fail2ban 3.0.3. Plugins Akismet, Bulk Comments Management,
   Limit Login Attempts, Newsletter, Uber Login Logo, WordPress.com Stats and Yoast
   SEO are installed but deactivated. User enumeration blocking is still not working
   for me.
 * I added the following debug statements:
 *     ```
       if (defined('WP_FAIL2BAN_BLOCK_USER_ENUMERATION') && true === WP_FAIL2BAN_BLOCK_USER_ENUMERATION) {
           print_r("Initialise function: WP_FAIL2BAN_BLOCK_USER_ENUMERATION=");
           print_r(WP_FAIL2BAN_BLOCK_USER_ENUMERATION);
           add_filter( 'redirect_canonical',
               function($redirect_url, $requested_url)
               {
                   print_r("Entered function: author=");
                   print_r(@$_GET['author']);
                   if (intval(@$_GET['author'])) {
       ```
   
 * If I go to `http://<domain>/?author=2`, I see “Initialise
   function: WP_FAIL2BAN_BLOCK_USER_ENUMERATION=1” and the content posted by user
   2 but I do not see the next set of print_r statements triggered. I verified that
   the code blocking specific users is being triggered.
 * I am running PHP 5.3.3 on CentOS 6.8 with Apache 2.2.15. The WordPress site runs
   behind CloudFlare – I run mod_cloudflare so that Apache sees the originating 
   rather than the proxy IP address.
 * Is there anything else I can check to help narrow down what the problem might
   be?
 * Thanks, Norbert
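
A way to tell apart the outcomes discussed in this thread when testing `/?author=<n>` against your own site, added here as an example (not code from the plugin or from either poster). It assumes a blocked request is answered with HTTP 403 and that the theme calls `body_class()`; the host `wp.example`, the slug `norbert` and all sample responses are constructed.

```python
import re
from urllib.parse import urlsplit

# Pretty-permalink author archive path, e.g. /author/<slug>/
AUTHOR_PATH = re.compile(r"/author/([^/]+)/?$")
# Assumption: the theme calls body_class(), which puts "author-<slug>"
# in the <body> class list on author archive pages.
BODY_CLASS = re.compile(r'<body[^>]*\bclass="[^"]*?\bauthor-([\w.-]+)')


def classify(status, headers, body=""):
    """Return (verdict, exposed_slug) for one response to GET /?author=<n>.

    headers is a dict with lower-case keys.
    """
    if status == 403:  # assumption: this is how a blocked probe is answered
        return "blocked", None
    if status in (301, 302):
        m = AUTHOR_PATH.search(urlsplit(headers.get("location", "")).path)
        return ("leak-redirect", m.group(1)) if m else ("redirect-other", None)
    if status == 200:
        # Archive served in place: no canonical redirect happened, so a
        # callback hooked on redirect_canonical would not have been reached
        # (assumption about WordPress core, not stated in the thread).
        m = BODY_CLASS.search(body)
        return ("leak-archive", m.group(1)) if m else ("no-author-data", None)
    if status == 404:
        return "no-such-user", None
    return "unexpected", None


# Constructed sample responses, one per outcome.
SAMPLES = {
    "blocked": (403, {}, "Forbidden"),
    "pretty permalinks": (301, {"location": "http://wp.example/author/norbert/"}, ""),
    "served in place": (200, {}, '<body class="archive author author-norbert author-2">'),
    "unknown id": (404, {}, ""),
}


def summarise(samples=SAMPLES):
    """Classify every sample and return {label: (verdict, slug)}."""
    return {label: classify(*resp) for label, resp in samples.items()}


if __name__ == "__main__":
    for label, result in summarise().items():
        print(f"{label:18} -> {result}")
```

A `leak-archive` verdict with nothing in the auth log matches what the last post reports: the content for user 2 is displayed and the debug output inside the callback never appears.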


The topic ‘Testing WP_FAIL2BAN_BLOCK_USER_ENUMERATION’ is closed to new replies.


 * 6 replies
 * 2 participants
 * Last reply from: [nh905](https://wordpress.org/support/users/nh905/)
 * Last activity: [9 years, 11 months ago](https://wordpress.org/support/topic/testing-wp_fail2ban_block_user_enumeration/#post-6815967)
 * Status: resolved