Hello and congratulations on this new forum.
I am not sure if bug reports belong in this category. Please move it around as needed.
I am encountering a bug relating to Block User Enumeration.
WordPress 5.3.2 with Gutenberg
WP Fail2ban 18.104.22.168
Windows & Mac, Chrome & Firefox
When a non-admin creates a new post, which starts up Gutenberg, one of the requests triggers "Blocked user enumeration attempt". I could reproduce this on different servers and in different browsers, so I am quite sure it has to do with the way _log_bail_user_enum() works. Here are the logs.
A single request shows a non-200 status code, namely

IP.IP.IP.IP - - [09/Apr/2020:16:59:25 +0200] "GET /wp-json/wp/v2/users/?who=authors&per_page=100&lang=fr&_locale=user HTTP/2.0" 403 98 "https://example.com/wp/wp-admin/post-new.php?post_type=page" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:74.0) Gecko/20100101 Firefox/74.0" "-"

Apr 9 16:59:08 example wordpress(example.com): Accepted password for editor from IP.IP.IP.IP
Apr 9 16:59:25 example wordpress(example.com): Blocked user enumeration attempt from IP.IP.IP.IP

2020-04-09 16:59:26,177 fail2ban.filter : INFO [wordpress-hard] Found IP.IP.IP.IP - 2020-04-09 16:59:25
2020-04-09 16:59:26,282 fail2ban.actions : NOTICE [wordpress-hard] Ban IP.IP.IP.IP
As I understand it, the error comes from /wp-json/wp/v2/users/?who=authors triggering WP Fail2ban even when it comes from a logged-in non-admin.
Indeed, it does not happen for admins. As such, as a temporary fix, I changed the user (which I trust entirely) from Editor role to Administrator role and they could publish again.
But switching other people to Administrator is not an option.
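To separate bans caused by this false positive from genuine enumeration attempts, here is an added example (not WP Fail2ban's or fail2ban's own code) that reads syslog lines in the format shown in the post and flags every "Blocked user enumeration attempt" that follows a successful login from the same IP within a short window, which is exactly the pattern the Gutenberg request produces. The sample lines and IPs are constructed, and the year is assumed because syslog timestamps omit it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the post's syslog excerpt (placeholder IPs).
SAMPLE_LOG = """\
Apr 9 16:59:08 example wordpress(example.com): Accepted password for editor from 203.0.113.10
Apr 9 16:59:25 example wordpress(example.com): Blocked user enumeration attempt from 203.0.113.10
Apr 9 17:02:41 example wordpress(example.com): Blocked user enumeration attempt from 198.51.100.7
"""

# Matches either the login line or the enumeration-block line WP Fail2ban writes.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ wordpress\([^)]*\): '
    r'(?:Accepted password for (?P<user>\S+) from (?P<login_ip>\S+)'
    r'|Blocked user enumeration attempt from (?P<enum_ip>\S+))$'
)


def parse_ts(ts, year=2020):
    """Syslog timestamps carry no year; the caller supplies one (assumed 2020 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def classify_enum_blocks(log_text, window=timedelta(minutes=5), year=2020):
    """Return one (ip, timestamp, user_or_None) tuple per enumeration block.

    user_or_None is the account that logged in from that IP within `window`
    before the block, i.e. the block most likely hit a logged-in user (the
    Gutenberg /wp-json/wp/v2/users/?who=authors request); None means no
    recent login was seen from that IP, so the block deserves a closer look.
    """
    last_login = {}  # ip -> (timestamp, username) of the most recent login
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines from other programs or formats are ignored
        ts = parse_ts(m.group("ts"), year)
        if m.group("login_ip"):
            last_login[m.group("login_ip")] = (ts, m.group("user"))
        else:
            ip = m.group("enum_ip")
            prior = last_login.get(ip)
            recent = prior is not None and timedelta(0) <= ts - prior[0] <= window
            results.append((ip, ts, prior[1] if recent else None))
    return results


if __name__ == "__main__":
    for ip, ts, user in classify_enum_blocks(SAMPLE_LOG):
        print(ts, ip, "logged-in user %s, likely false positive" % user if user else "unexplained")
```

Feeding the output into your fail2ban review (or an ignoreip decision for trusted editors) is left to the operator; the script only labels events, it does not unban anything.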