I’m currently testing wp-fail2ban before switching to the bronze version. I found out, that more and more brute force scripts are using empty usernames (on wp-login as well as on xmlrpc).
I use iThemesSecurityPro for general settings, but blocking should really be done on Fail2Ban level.
Can you confirm that empty usernames are not triggering any logging, or is it something which can be configured/changed?
Adding a ‘’ to the WP_FAIL2BAN_BLOCKED_USERS array did not work.
id => 11206 module => lockout type => action code => username-lockout:: timestamp => 2019-08-28 09:20:20 init_timestamp => 2019-08-28 09:20:19 remote_ip => 142.44.162.xxx user_id => [empty string] url => https://www.example.com/wp-login.php memory_current => 13542688 memory_peak => 13568384 data => Array module => brute_force host => [boolean] false user_id => [boolean] false username => [empty string] module_details => Array type => brute_force reason => too many bad login attempts host => [integer] 5 user => [integer] 10 period => [integer] 5 whitelisted => [boolean] false blacklisted => [boolean] false lockout_type => brute_force lockout_start => 2019-08-28 11:20:19 lockout_start_gmt => 2019-08-28 09:20:19 lockout_expire => 2019-08-28 11:35:19 lockout_expire_gmt => 2019-08-28 09:35:19 lockout_username => [empty string]