locking out general public access

Hi @mickpayton

I hope you are doing well today.

Are those end users of your site are getting lockouts because of 404 errors? Do you have any more info on which pages, like simple pages/posts or login page?

Could you also navigate to Defender -> Firewall -> Logs and see do you see anything suspicious?

Kind Regards,
Kris

Hi Kris, no it’s not 404 errors, they are random public just wanting to view my website content, no log-ins or any other access used, just basic viewing my site’s content. There doesn’t seem to be any common pages that cause the problem and nothing suspicious in the Logs either.

Mick

Hi @mickpayton,

Could you please confirm whether you are using the latest version of Defender ie v 3.7.0?

There doesn’t seem to be any common pages that cause the problem and nothing suspicious in the Logs either.

Are you able to replicate these lockouts on your side? Another possibility might be if the users are served a cached lockout page if there aren’t any logs.

Could we know whether you have any cache plugins enabled? or have cache enabled on the hosting side? Does it make any difference with these issues if the cache is cleared?

Do you think it’s possible to share the page URL of the website so that we could give a closer look?

Looking forward to your response.

Kind Regards,

Nithin

Hi Nithin, I can’t replicate these lockouts. I understand (I think) about cached pages, there are times when I’ve used my vpn and I’ve been locked out myself. Using my static ip address which I’ve entered in the allowed ip addresses I don’t get a problem. I’ve cleared any cached pages now to see if that helps. Here’s the website https://mickpaytonstudios.co.uk/

Thanks!

yes it’s the latest version, 3.7.0.

Hi @mickpayton

Thank you for update,

Just to make sure we are on the same page, Defender > Firewall log doesn’t return anything?

You should be able to see the banned IPs there and the reason, then from that we could have more insights into what is happening.

Can you also type “My IP” on google, and see if Defender is getting the correct IP?

https://monosnap.com/file/TlVdIypPMymD0F9iemR9s6fxe4980C

We implemented different detection methods https://wpmudev.com/docs/wpmu-dev-plugins/defender/#detect-ip-addresses You can toggle the option to a different method and see if it prevents the issue.

Best Regards
Patrick Freitas

Hi,

Firewall log does not return anything referring to the general public lockouts. I don’t have a problem myself as long as I use my static ip address that’s registered with Defender, if I use my VPN it will on occasions lock me out.

Hi @mickpayton,

I see you mentioned that you noticed the issue when using a VPN, can you please confirm if this event was logged by Defender?

It will be hard to debug the issue without an exact replication step. Is it possible for you to check if this happens with any specific browser, operating system or from a specific location?

Kind Regards,
Nebu John

Hi,

1/ When I was locked out using a VPN, this event was logged by defender, I entered the locked out ip address in the allowed ip’s but because the VPN would change ip’s randomly it wasn’t a solution. So when I access my website to make alterations I have to use my own fixed ip which never has a problem.

2/ The blocked access of random general public (just wishing to view my site) is never logged and is not always using VPN. There is also no specific browser involved. I understand that this is very difficult to diagnose.

Mick

Hi @mickpayton

Thanks for response and for understading!

1/ When I was locked out using a VPN, this event was logged by defender, I entered the locked out ip address in the allowed ip’s but because the VPN would change ip’s randomly it wasn’t a solution. So when I access my website to make alterations I have to use my own fixed ip which never has a problem.

My colleague earlier asked for checking IP. If you can replicate above case, please do that, in a following way right after the issue happens:

– before disabling VPN, right away check what IP is detected by the whatismyip.com service (or just via Google search engine)
– then once you disable VPN and login to the site compare that IP with the one logged for that lockout event in Defender log

This is important because it will show if IP is correctly detected. If those IPs – the one really used when you’re locked out and the one logged for that lockout even – are different, it would mean that the IP detection method (as my colleague mentioned) must be changed in Defender settings.

If it’s the same IP then we are dealing with a different issue, which leads me to the second point of your response:

2/ The blocked access of random general public (just wishing to view my site) is never logged and is not always using VPN. There is also no specific browser involved

If the logged IP is same as your actual IP but for those other logouts there’s no trace in logs, then in majority of cases it means that there still is some kind of cache involved that “caught up” the lockout page served by Defender. In most cases it wouldn’t be cache on site but either on some kind of CDN used for the site (“in front” of it) or server level cache. The “flow” in such cases would be like: nobody is blocked -> some visitor triggers the lockout -> Defender serves the lockout message -> this got cached -> next visitors are not even “checked” but instead served cached version of requested page (which due to previous lockout happens to be lockout page) right away.

In general, if such “no lockout lockout” happens “out of the blue” it means that either Defender wasn’t able to detect correct IP (the first case above) or it didn’t even try to check it because request was “intercepted” and handled before it even “reached” Defender (the second case above).

Kind regards,
Adam

Hi, thanks for your comprehensive response, some of which is above my knowledge limit. I’ve had no reported lockouts for a couple of days since clearing the cache. I did note the ip address when I was being locked out and it was the correct address as I was able to allow it in defender and that solved it until my VPN changed addresses.

I’llsee how it goes with the cache cleared for a while.

Thanks, Mick

HI @mickpayton

Thank you for response!

Let’s see how it goes then, keep us updated please.

Kind regards,
Adam

Hi @mickpayton,

Since we haven’t heard from you for a while. I’ll mark this thread as resolved for now. Please feel free to re-open the thread if you need further assistance.

Best Regards
Nithin