Hi @lukestorm, thanks for getting in touch.
The reason Wordfence does not actively block VPN or Tor users out-of-the-box is largely as they (especially VPNs) are almost indistinguishable from regular internet traffic. Many privacy conscious people use these to protect their online presence, so blocking them isn’t something we generally consider good practice. For this reason, using the WAF to block based on the type of request tends to be more effective than blocking just because the source was a VPN or Tor exit node.
Having said this, like the thread from 8 months ago stated, we do have a case open for potentially adding Tor exit node blocking as a feature. There have been a number of tests around discovery, recording and maintaining an internal list of Tor exit nodes towards this that Wordfence could look up, but I am still unable to comment on a possible delivery timescale from the information available.
Thanks,
Peter.