thebrandonallen/wp-fail2ban-redux

wp_login_failed firing on wp-login.php page load

Closed this issue · 2 comments

For some reason just hitting the wp-login.php page is triggering the wp_login_failed action. So visiting the page and then having 1 failed login attempt can trigger a jail.

Oct 13 12:24:56 usr wp(wpsite.com)[12345]: Authentication attempt for unknown user  from 1.2.3.4
Oct 13 12:24:56 usr wp(wpsite.com)[12345]: Authentication attempt for unknown user test@test.com from 1.2.3.4
Oct 13 12:24:56 usr wp(wpsite.com)[12345]:  INFO [wordpress-hard] Found 1.2.3.4
Oct 13 12:24:56 usr wp(wpsite.com)[12345]:  NOTICE [wordpress-hard] Ban 1.2.3.4

In cases where wp_login_failed is triggered, but no username exists (caused when triggered on page load, no form data) should we let it pass?

public function wp_login_failed( $username ) {
    ...
    // A page load with no form data hands us an empty username; skip it so it never counts toward a ban.
    if ( empty( $username ) ) {
        return;
    }
    ...
}

Thoughts?

Can you give me some more information on your setup? Plugins, theme, WP version, etc.

Specifically, are you using any other security/user login focused plugins, or login page theming plugins? I can't reproduce this behavior on a vanilla WP trunk install. WP won't call wp_login_failed on empty usernames or passwords.

Two theories:

  1. A plugin is altering the error messages on login. Still doesn't explain how a POST request is submitted, which is also required for wp_login_failed to be called.
  2. You're possibly refreshing the page, rather than a hard refresh or a regular page load, and the form is being resubmitted.

This was the fault of another plugin causing wp_login_failed to fire twice.
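The two failure modes raised in this thread, an empty username on the hook and another plugin firing wp_login_failed twice for one attempt, can both be absorbed in the handler. The snippet below is an added example, not the plugin's own code: the function name, the syslog ident and the message wording are assumptions, and the handler logs each username at most once per request so a duplicate action call cannot double-count toward fail2ban's maxretry.

```php
<?php
// Added example (not wp-fail2ban-redux code): a wp_login_failed handler that
//  1. ignores empty usernames (a bare GET of wp-login.php carries no form data), and
//  2. logs a given username only once per request, so a second plugin re-firing the
//     action does not emit two log lines for one failed attempt.
// Assumed: syslog ident "wp", facility LOG_AUTH, and the message text below.

function example_wp_login_failed( $username ) {
    static $seen = array(); // usernames already logged during this request

    // No form data means nothing to report; do not let it count toward a ban.
    if ( ! is_string( $username ) || '' === trim( $username ) ) {
        return;
    }

    // Strip control characters so a crafted username cannot inject extra
    // lines that the fail2ban filter would read as additional failures.
    $user = preg_replace( '/[^[:print:]]/', '', trim( $username ) );
    $key  = strtolower( $user );

    // Deduplicate within this request.
    if ( isset( $seen[ $key ] ) ) {
        return;
    }
    $seen[ $key ] = true;

    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';

    openlog( 'wp', LOG_PID, LOG_AUTH );
    syslog( LOG_NOTICE, sprintf( 'Authentication failure for %s from %s', $user, $ip ) );
    closelog();
}
add_action( 'wp_login_failed', 'example_wp_login_failed', 10, 1 );
```

If the site sits behind a reverse proxy, REMOTE_ADDR is the proxy's address and must be resolved to the client address before logging, or fail2ban will ban the proxy.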