[Defender Pro] Improvements to Banned Usernames


We’ve seen good suggestions in this forum for improving the simple textbox now provided for Banned Usernames. I’m hoping we can put a number of these suggestions in one place to discuss and prioritize in the user base here so that Dev can implement some changes.

As usual I see this as a feature that can be hooked. Dev doesn’t need to implement every possible mechanism. And we don’t need to wait for years while Dev decides which mechanisms to implement. Add a hook to get a list of usernames. The list in the UI is just one option. Add a hook to validate usernames. (I believe these are already in place?)

There are already FOSS plugins that ban based on usernames and/or new user email addresses. Ban Hammer by Mika Epstein is one of these. I enhanced it to do more – need to dig up that code…

Here are examples of improvements that I’d like to see in Defender Firewall Login Protection and Banned Usernames:

1) All entries should be tested in a case-INsensitive manner. It makes no sense to have to try to guess at all possible patterns of Admin, ADMIN, admin, or aDMin.
2) For those who don’t like that, add a check-option to default to case-Sensitive checks.
3) Allow regex patterns rather than just literal text. Then we can eliminate patterns like ^admin and master$ rather than having to be explicit about administrator, postmaster, webmaster, etc…
4) Allow filtering without alphanumerics. That includes all punctuation, spaces, quotes, signs, etc. I have the same text in all sites, with lots of duplicates to accommodate patterns. For example, I ban “tonyg”, “tony-g”, “tony.g”, etc. Almost every name like this has about 10 variants. That’s nuts. A simple variant like “tony—g” will easily get by any of these, or “tony%g”… of course only characters allowed by WP Core are allowed. Strip a new username to [a-zA-Z0-9], change it to lower case, and then compare it to text in the list.
5) Auto-create names that are used in failed registration so that we can find patterns. This was suggested by D. – who by the way has the login name here “siteadmin1” which I would never allow on my sites.
6) Allow for multiple filters to be applied to a single item in the ban list. For example with that “siteadmin1” name, if I use “admin” then that should be processed as “.*admin.*”. I shouldn’t have to wrap every line in regex syntax. A username entry should be set to lowercase for testing source and target (or use ‘i’ operator on regex). And the source text should eliminate non-alphanumeric characters so that someone can’t easily bypass the test with ad-min, or even L33t: adm1n, 4d/\/\1n. (That was one of the enhancements I made to Ban Hammer.)

Again, Dev doesn’t need to implement all of this functionality. We can do it if the hooks are in place. I would prefer to use the Defender UI to help manage whatever functionality is used. If we can’t do that then we might as well just be ignoring, augmenting, or replacing Defender functionality with other plugins. That’s not the business solution that we should be compelled to use.

In summary: I’m hoping Dev will post a list of all suggestions for this one feature, and the status of each in terms of consideration, rejection, and implementation.
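The following is an added example, not code from Defender or from the post above. It implements the matching rules the post asks for in points 1, 3, 4 and 6: lowercase both sides, map a few leet-speak sequences back to letters, strip everything outside [a-z0-9], and then treat each ban-list line either as a regex (tested case-insensitively) or as a literal that matches as a substring, so a plain "admin" behaves like ".*admin.*". Assumptions that are not in the post: entries wrapped in slashes such as "/^admin/" are regexes, the leet table is illustrative rather than a standard, and the option name "example_banned_usernames" is a stand-in for wherever the plugin stores its list. The hook used is WordPress core's own "registration_errors" filter; whether Defender exposes its own hook is not confirmed here.

```php
<?php
/**
 * Added example (not Defender's code): normalise a requested username and test
 * it against a ban list that mixes literal entries with regex entries.
 */

/** Leet-speak sequences mapped back to letters; strtr() tries longer keys first. */
const BANNED_USERNAME_LEET = [
    '/\\/\\' => 'm',          // "/\/\" as in the post's 4d/\/\1n
    '4' => 'a', '@' => 'a',
    '3' => 'e',
    '1' => 'i', '!' => 'i',
    '0' => 'o',
    '5' => 's', '$' => 's',
    '7' => 't',
];

/** Lowercase, undo leet-speak, then drop every non-alphanumeric character. */
function banned_username_normalise(string $name): string
{
    $name = strtolower($name);
    $name = strtr($name, BANNED_USERNAME_LEET);     // adm1n -> admin, 4d/\/\1n -> admin
    return preg_replace('/[^a-z0-9]+/', '', $name); // ad-min -> admin, tony%g -> tonyg
}

/**
 * Returns the ban-list entry that rejects $username, or null if it is allowed.
 * $ban_list holds one entry per line as typed into the textbox; blank lines
 * and entries that are not valid regexes are ignored.
 */
function banned_username_match(string $username, array $ban_list): ?string
{
    $candidate = banned_username_normalise($username);
    foreach ($ban_list as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        // Regex entry ("/^admin/", "/master$/"): matched case-insensitively
        // against the normalised name, so one line covers administrator,
        // postmaster, webmaster and friends.
        if (strlen($entry) > 2 && $entry[0] === '/' && substr($entry, -1) === '/') {
            if (@preg_match($entry . 'i', $candidate) === 1) {
                return $entry;
            }
            continue;
        }
        // Literal entry: normalised the same way and matched as a substring,
        // so "admin" behaves like ".*admin.*" and "tony-g" also catches tony.g.
        $needle = banned_username_normalise($entry);
        if ($needle !== '' && strpos($candidate, $needle) !== false) {
            return $entry;
        }
    }
    return null;
}

// Inside WordPress: reject the registration through core's registration_errors
// filter. The option name is assumed; a plugin would read its own settings.
if (function_exists('add_filter')) {
    add_filter('registration_errors', function ($errors, $sanitized_user_login, $user_email) {
        $ban_list = explode("\n", (string) get_option('example_banned_usernames', ''));
        if (banned_username_match($sanitized_user_login, $ban_list) !== null) {
            $errors->add('banned_username', __('This username is not allowed.'));
        }
        return $errors;
    }, 10, 3);
}

// Stand-alone run (php this_file.php) with a constructed ban list.
if (PHP_SAPI === 'cli' && !function_exists('add_filter')) {
    $list = ['admin', 'tony-g', '/master$/', ''];
    foreach (['Site-Admin1', 'adm1n', '4d/\\/\\1n', 'tony%g', 'Postmaster', 'alice'] as $u) {
        printf("%-12s -> %s\n", $u, banned_username_match($u, $list) ?? 'allowed');
    }
    // Site-Admin1, adm1n and 4d/\/\1n hit "admin"; tony%g hits "tony-g";
    // Postmaster hits "/master$/"; alice is allowed.
}
```

Two design points worth noting: the leet mapping runs on both the candidate and the literal entries, so "siteadmin1" becomes "siteadmini" on both sides and still contains "admin"; and regex entries are applied to the already-normalised name, which means a pattern like "/^admin/" also catches "Ad-Min" without the list author having to anticipate the punctuation.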