WP usernames not blocked

I have a fairly simple WP site with WPf2b set up since I launched.

Today I noticed the dashboard showing the latest from the logs:

Screenshot from 2023-02-18 20-27-03

Those are some of my users’ usernames.

Yet I have in the WPf2b Block settings: “Block User Enumeration Stop attackers listing existing usernames.”

Am I doing something stupid elsewhere in WP that allows these user names to be scanned?

The first thing to check is what you’ve got in wp-config.php; you can either paste the bottom part of it here - don’t include the salts or db info! - or DM me with it. It’d also be useful to know what the site is - again, DM if you don’t want that to be public.

Looks a bit empty to me. I thought from the wording of the WPf2b WP settings “block” tab - it says “these settings reflect those values” - that there would be more. Or is that just the defaults since there’s nothing in the wp-config?

//define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', dirname( __FILE__ ) . '/' );

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';