How to stop bots and robots with a list of prohibited logins
WP Cerber uses the list of prohibited WordPress usernames to reinforce protection by filtering out bots and hackers
As you already know, there is a small but powerful feature called the list of prohibited logins/usernames. This is a comma-separated list of usernames you do not want to be used on your website under any circumstances. That’s it? Nope, there are no “just in case” features in the WP Cerber Security plugin. But how does Cerber use logins from the list to reinforce protection? First of all, the plugin does the following.
- An attempt to log in using a prohibited username or a username that matches a REGEX pattern is denied and the IP address gets blocked
- An attempt to register using a prohibited username or a username that matches a REGEX pattern is not permitted
Most importantly, using the list of prohibited logins along with the Custom login URL helps the plugin detect bots, robots and hackers more effectively.
What if you put the username of an existing WordPress user on the list? It has the same effect as blocking that user, but in a somewhat rougher way.
If your list is still empty, you definitely have to put the following usernames (commonly used by bots and hackers) on that list: admin, administrator, manager, editor, user, demo, test.
Since v. 5.8.6 you can use regular expressions (REGEX) in the list of prohibited usernames. Specify as many patterns as you need. To specify a REGEX pattern, wrap the pattern in two forward slashes, like /admin.*/. All comparisons are case-insensitive.
Read more about how to create another trap with a Custom login URL.
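Because a prohibited entry that matches an existing account effectively blocks that user, it is worth checking a draft list against your real usernames before saving it. The following is an added example, not WP Cerber's code: it parses the list format described above and reports which existing accounts each entry would catch. Assumptions: Python's `re` stands in for the plugin's regex engine, patterns are tested unanchored (the page does not say how Cerber anchors them, so this over-reports rather than under-reports), and the function names and sample data are constructed for illustration.

```python
import re


def parse_prohibited(raw):
    """Split the comma-separated setting into literal names and compiled patterns."""
    literals, patterns = set(), []
    for item in (part.strip() for part in raw.split(",")):
        if not item:
            continue
        if len(item) > 2 and item.startswith("/") and item.endswith("/"):
            # REGEX entry: the text between the two forward slashes.
            patterns.append((item, re.compile(item[1:-1], re.IGNORECASE)))
        else:
            # Plain entry: compared case-insensitively against the whole username.
            literals.add(item.casefold())
    return literals, patterns


def matching_rule(username, literals, patterns):
    """Return the list entry that prohibits this username, or None."""
    if username.casefold() in literals:
        return username.casefold()
    for source, rx in patterns:
        # Assumption: unanchored search, the most cautious choice for an audit.
        if rx.search(username):
            return source
    return None


def audit(raw, existing_users):
    """Map each existing account the list would block to the entry responsible."""
    literals, patterns = parse_prohibited(raw)
    hits = {}
    for user in existing_users:
        rule = matching_rule(user, literals, patterns)
        if rule is not None:
            hits[user] = rule
    return hits


# Constructed sample data: the article's suggested names plus its example pattern.
PROHIBITED = "admin, administrator, manager, editor, user, demo, test, /admin.*/"
EXISTING_USERS = ["alice", "Site-Admin2", "Editor", "bob.tester"]

if __name__ == "__main__":
    for user, rule in audit(PROHIBITED, EXISTING_USERS).items():
        print(f"{user!r} would be blocked by list entry {rule!r}")
```

With the sample data, the accounts Site-Admin2 and Editor are flagged, which shows how a broad pattern or a common role name can lock out a legitimate user.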
Tom
Is it possible to use wildcards (or regular expressions!) in the list of prohibited names? Such as:
admin*
or:
*manager*
Gregory
Hi, Tom! It will be implemented soon.
Sarah
I’d love to be able to BLACKLIST not just BLOCK IPs that try to use these usernames since that is the bulk of my malicious activity.
Mark
You talk about this list but I don’t know where it is located.
Gregory
It’s located under the “User Policies” admin menu, the “Global” tab. We will add a screenshot to the article soon.