How to test Block User Enumeration works on the "forgot password" page form?

Hi good day,

Can someone kindly explain how to test “Block User Enumeration” via the “forgot password” page on this form /my-account/lost-password/

I have enabled “Block User Enumeration” via these instructions:
https://docs.wp-fail2ban.com/en/latest/defines/constants/WP_FAIL2BAN_BLOCK_USER_ENUMERATION.html#wp-fail2ban-block-user-enumeration

The option is checked in the backend:

When I go to the “forgot password” page and enter random emails in the form I don’t see any of my failed attempts in the logs?

Is this normal or am I looking in the wrong location? The WordPress dashboard doesn’t log these? I have also looked in the log file located here:

/var/logs/fail2ban.log

Thanks in advance for any help you can provide.

http://forums.invis.net

[This post was written over several days. Apologies if it’s a little disjointed.]

TL;DR it’s technically not user enumeration so it’s not logged.

User enumeration started with blocking /?author=1, /?author=2, etc. Then it expanded to cover <oembed>, some other things I’ll cover when I write this up as a proper FAQ, and most recently, /wp-json/wp/v2/users. Basically, easy ways to enumerate users, rather than guess them.

I looked at catching failed password reset requests when I added logging for successful ones; I don’t remember the exact details now, but it wasn’t really possible. However, having looked at it again, it can be done, so I’ll add it to the next release. I’ve implemented it - it “just” needs more testing.

And, after much consideration, I’ve decided to add it as a core feature, i.e. always enabled, with a new rule in the soft filter.


Hi thanks for the quick response.

How many failed attempts of the password reset does it take before the IP is banned?

Interesting I don’t know much about User enumeration. Glad you are here to help!

Thank you for all your hard work :heart:

That depends on your fail2ban configuration. It’ll be treated the same way as a failed login which, essentially, is what it is.
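As an added illustration (not code from this thread or from the wp-fail2ban project) of why the ban count depends on the fail2ban configuration: a small Python re-implementation of fail2ban's maxretry/findtime rule, run over constructed syslog lines. The line layout and the "Password reset failure" wording are assumptions, since the thread shows no actual log line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs). The "Authentication failure" shape
# follows what wp-fail2ban writes for failed logins; the "Password reset
# failure" message is an assumption for the feature the author says is coming.
SAMPLE_LOG = """\
Jan 10 12:00:01 web wordpress(example.com)[1111]: Authentication failure for admin from 203.0.113.5
Jan 10 12:00:09 web wordpress(example.com)[1111]: Password reset failure for nobody@example.org from 203.0.113.5
Jan 10 12:00:20 web wordpress(example.com)[1111]: Password reset failure for ghost@example.org from 203.0.113.5
Jan 10 12:00:31 web wordpress(example.com)[1111]: Password reset failure for x@example.org from 198.51.100.7
Jan 10 12:00:45 web wordpress(example.com)[1111]: Password reset failure for y@example.org from 203.0.113.5
Jan 10 12:00:55 web wordpress(example.com)[1111]: Password reset failure for z@example.org from 203.0.113.5
"""

# One pattern for both message kinds: a failed reset counts exactly like a
# failed login, which is how the author says it will be treated.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\)\[\d+\]: "
    r"(?:Authentication failure|Password reset failure) for \S+ from (?P<ip>\S+)$"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip) for every line that matches the failure pattern."""
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def bans_for(log_text, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} using fail2ban's rule: an IP is banned when its
    maxretry-th failure lands inside a findtime-second sliding window.
    Failures after the ban are ignored for that IP (it is already blocked)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that aged out of findtime
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned
```

With the defaults, 203.0.113.5 is banned on its fifth failure (12:00:55); with maxretry=3 it is banned at 12:00:20, and with findtime=10 the same five failures never accumulate and nothing is banned.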