[Defender] Block Login attempts by username as well as IP

When we transitioned over to a WPMU Dev subscription, we replaced WordFence on our sites with Defender.

One of the features they had which we cannot find in Defender is the ability to immediately time out or block a user by the username they attempt to hack the site with, i.e. ‘admin’ or ‘user’. As we would never have these on our sites, any attempt to use them is a malicious attempt to probe an unsecured system.

Over time we have managed to build a list of the most common attempts which hackers try, so the ability to import and export this list is also very useful.

Whilst blocking by IP is good, it is also easy to sidestep, so this extra facility to block by username reduces the need to micromanage or investigate any intrusion attempts. A flat-out block on a user tends to make the 'have-a-go hero' get bored very easily and wander off that much more quickly.

  • Tony G

    This reminds me of notes and requests I put in a long time ago - more items that will be difficult to find for lack of tracking numbers and a poor forum search mechanism:

    1) There should be a common pool of bad user names that we can all add to our sites. This list would get added to site-specific lists. Then individual site managers wouldn't need to maintain the same data in all of their sites from scratch. Treat the data like code and update the database with each new release of Defender. Allow admins to whitelist specific user names that they authorize on their sites.

    2) Allow an upload of the list from the Defender admin page to the Hub. This can then be used by an admin to auto-populate registered sites, and can be used as source material for all Hub sites. A single union of all such lists can be returned to optionally reload back into each site.

    3) Add the exact same kind of filtering for registrations. Visitors should not be allowed to register, request a forgotten password, or login for any user name in the exact same list.

    4) As with user names, do the same for email addresses. See the Ban Hammer plugin which prevents specific email addresses from being used as well. It would be fairly easy to incorporate that functionality into Defender along with the user name restrictions. I've made customizations to Ban Hammer (via a separate plugin that processes hooks) to use regex to forbid specific patterns of email addresses. The patterns are stored just like hard-coded text in name lists, and a loop on restricted patterns is applied to user entries in addition to searches for hard-coded names in a username list. Yes, it adds overhead to the process but we aren't talking about high activity pages.

    Combining those ... Usernames and email addresses are just two fields with the exact same considerations. Both field types should have a hardcoded list that's curated from all participating sites, a hardcoded list that's site/admin-specific, a curated list of regexps, and a site-specific list of regexps.

    Finally, to extend that, add the same functionality for IP addresses for the same purposes. Why should I have to deal with a hacker from IP 1.1.1.1 or the 1.1.1.* block when a hundred other sites have already flagged that IP as malicious?

    "Sounds like a lot of data" ... yup. And until the concept of freeform user IDs is changed we need to accommodate specifically forbidden user names with brute force methods like this.
    "Sounds like an opportunity for malicious site blocking, and issues seen with DNSBL and RBL" ... yup, aggregated lists need to be curated and vetted. As an added bonus, site-specific white-lists can be uploaded back to the Hub, and if more than a few admins have whitelisted the same ID in the common name list, then the entry (and the person who submitted it) should be reviewed. This can be automated.

    C'mon folks, let's use these computers and this interweb thingy as they were designed - to save us some manual effort.

    Thanks.
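The mechanism asked for in the original post and extended in Tony G's reply (a banned-username list plus regex patterns, applied to login, registration and password reset) can be wired into WordPress with a few core hooks. This is an added example for illustration, not Defender's code or anything from the thread; it assumes a standard WordPress install, and the banned names and e-mail patterns are constructed samples.

```php
<?php
/**
 * Plugin Name: Forbidden Login Names (added example, not Defender code)
 * Rejects login, registration and password-reset requests that use a banned
 * username or an e-mail address matching a banned pattern.
 */
// Constructed sample lists; a real plugin would load them from options so
// admins can import/export entries and whitelist names they actually use.
const FLN_BANNED_USERNAMES      = [ 'admin', 'administrator', 'user', 'test', 'root' ];
const FLN_BANNED_EMAIL_PATTERNS = [ '/@example\.invalid$/i', '/^[a-z]{12,}\d{3,}@/i' ];

function fln_is_forbidden( string $login, string $email = '' ): bool {
    if ( in_array( strtolower( trim( $login ) ), FLN_BANNED_USERNAMES, true ) ) {
        return true;
    }
    foreach ( FLN_BANNED_EMAIL_PATTERNS as $pattern ) {
        if ( '' !== $email && preg_match( $pattern, $email ) ) {
            return true;
        }
    }
    return false;
}

// Priority 30 runs after core's username/e-mail/password handlers (priority 20),
// so a forbidden name is rejected even if an account with that name exists.
// One generic message: never confirm whether the name exists or why it failed.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( is_string( $username ) && fln_is_forbidden( $username ) ) {
        error_log( sprintf( 'fln: forbidden login name "%s" from %s',
            $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
        return new WP_Error( 'fln_forbidden', __( 'Invalid username or password.' ) );
    }
    return $user;
}, 30, 2 );

// Registration: the same lists are applied to the chosen login and the e-mail.
add_filter( 'registration_errors', function ( WP_Error $errors, $login, $email ) {
    if ( fln_is_forbidden( (string) $login, (string) $email ) ) {
        $errors->add( 'fln_forbidden', __( 'This username or e-mail address is not allowed.' ) );
    }
    return $errors;
}, 10, 3 );

// Lost-password form: core checks this WP_Error after the action has run.
add_action( 'lostpassword_post', function ( WP_Error $errors ) {
    $login = sanitize_text_field( wp_unslash( $_POST['user_login'] ?? '' ) );
    if ( fln_is_forbidden( $login, $login ) ) {
        $errors->add( 'fln_forbidden', __( 'Invalid username or e-mail address.' ) );
    }
}, 10, 1 );
```

The `error_log` line gives a lockout plugin or log shipper a single marker to count per source address, which is how the username block and the existing IP lockout can feed each other.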
