• Resolved RadiantFreedom

    (@radiantfreedom)


    A client reported to me that they’d been locked out of their WordPress site, and viewing the logs, I was able to verify they’d surpassed the number of allowed failed login attempts. Normally, I could find their IP in the list of blocked IPs and just manually lift the ban as I know it’s a false positive. However, the list claims there’s nobody being blocked even though I know for an absolute fact that my client’s blocked from the logs. The ban is set to expire 24 hours after it was triggered, which was about 90 minutes before I checked. There seems to be a bug in the system causing WordFence to fail to correctly show automatically triggered bans, which is leaving me with no way to manually remove this erroneous ban.

    This issue needs to be fixed ASAP as I can’t have clients being locked out of their own websites due to them just forgetting their password and making 1 too many attempts to log in unsuccessfully with no way to fix the problem.

    Also, I did check and confirm that the Blocking page IS set to show automated blocks, so that’s not the issue. It’s definitely originating from WordFence itself not displaying this data when it absolutely should be.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @radiantfreedom, thanks for your message and sorry to see your clients are having issues with being blocked from their sites.

    There are two settings for the lockout times, depending on whether a firewall rule blocked them or they were blocked (as you describe) by failing to log in with the correct credentials. Can I just confirm that Wordfence > All Options > Rate Limiting > How long is an IP address blocked when it breaks a rule and Wordfence > All Options > Brute Force > Amount of time a user is locked out are both set to the 24h period you specify, or does one have a different value?

    This may not be a factor, but are they also getting their username incorrect during any of these attempts? If so, is “Immediately lock out invalid usernames” under the Brute Force section of your settings checked too?

    These might play a role in how blocks are handled so would be useful to know in addition to the information you’ve already supplied.

    Many thanks,
    Peter.

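    One way to check the two settings Peter names, and the block list itself, directly in the database rather than through the dashboard. This is an added example for this thread, not Wordfence's own code or anything from the posts above; it assumes the default `wp_` table prefix, Wordfence's `wfConfig` and `wfBlocks7` tables, and the option and column names shown, all of which should be confirmed against your own install.

```sql
-- Added diagnostic, not from the original thread. Assumes the default wp_ prefix
-- and Wordfence's wfConfig / wfBlocks7 tables; confirm names against your install.

-- 1. The two lockout durations Peter asks about, plus the brute-force knobs.
--    Assumed option keys: blockedTime is in seconds (Rate Limiting),
--    loginSec_lockoutMins is in minutes (Brute Force).
SELECT name, val
FROM wp_wfConfig
WHERE name IN ('blockedTime',              -- rate-limit block length (seconds)
               'loginSec_lockoutMins',     -- brute-force lockout length (minutes)
               'loginSec_maxFailures',     -- failed logins allowed before lockout
               'loginSec_lockInvalidUsers' -- "Immediately lock out invalid usernames"
              );

-- 2. Every block that should still be in force, whether or not the Blocking
--    page lists it. IPs are assumed to be stored as 16-byte binary
--    (IPv4 shows as ::ffff:a.b.c.d); expiration = 0 is assumed to mean permanent.
SELECT INET6_NTOA(IP)                     AS ip,
       type,                              -- assumed: block type/category code
       FROM_UNIXTIME(blockedTime)         AS blocked_at,
       CASE WHEN expiration = 0 THEN 'permanent'
            ELSE FROM_UNIXTIME(expiration) END AS expires,
       reason
FROM wp_wfBlocks7
WHERE expiration = 0 OR expiration > UNIX_TIMESTAMP()
ORDER BY blockedTime DESC;

-- 3. Is one specific client IP still blocked right now?
--    203.0.113.10 is a placeholder; substitute the client's address,
--    keeping the ::ffff: prefix for IPv4.
SELECT COUNT(*) AS active_blocks
FROM wp_wfBlocks7
WHERE IP = INET6_ATON('::ffff:203.0.113.10')
  AND (expiration = 0 OR expiration > UNIX_TIMESTAMP());
```

    All three queries are read-only. If query 3 returns a non-zero count while the Blocking page shows no entries, that is the listing discrepancy this thread describes; if it returns 0 but the client still sees the block page, the block is coming from somewhere other than the IP block table.
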
    Thread Starter RadiantFreedom

    (@radiantfreedom)

    As far as I can tell (dealing with the client’s VA from India so maybe a bit of a language barrier on tech issues like this) is that she tried to log in with an incorrect password too many times and eventually hit the failed login attempt limit and got the error page telling her she was being blocked.

    The report I got from WordPress via email notification was that she was blocked for too many failed login attempts, verified by the WordFence traffic logs. However, though well within the 24 hour lockout period, her IP address was NOT listed as being banned, but as far as I can tell from the follow up email exchanges with the VA, she’s still getting the error page telling her she’s blocked even though she’s not on the blocked list. I’ll email her again to check if she’s been removed as we’re now well past the 24 hour limit and get back to you.

    I don’t have time right now to check the settings for violating other firewall rules, but my standard settings for those are to have the bans last for about 1-6 hours, depending on the client’s specific situation. If a client’s getting an unusually heavy load of suspicious traffic, I may set the time they’re blocked for to longer, and this client did have such issues about a year ago when the Russia Ukraine war was just starting out and several of my clients were getting hit with a flood of hacking attempts coming out of Ukraine.

    Thread Starter RadiantFreedom

    (@radiantfreedom)

    @wfpeter – I have an update. 7 days ago, I manually and permanently blocked a malicious IP, and now I just checked and that PERMANENTLY blocked IP is no longer blocked, and all other IPs I’d PERMANENTLY blocked in the past are also all gone, and NO LONGER listed as blocked.

    There appears to be a MAJOR, and potentially FATAL bug in the IP blocking system right now. WordFence either fails to block IPs completely, or fails to list them on the Blocking page, making it IMPOSSIBLE to interact with any blocked IPs in any way, either to escalate a temp block to permanent, or lift a blocked IP that was blocked erroneously.

    In your reply above, I think you were missing the main point, which is the issue with the IP Blocking, not that a client lost access to their site due to forgetting a password, which is an issue easily resolved, IF YOUR blocking feature were working correctly, as I could just manually remove the IP Blocking, and instruct them on how to do a password recovery or manually send them a recovery email within WordPress. But when they can’t even access their URL due to an IP Block not working correctly, OR known malicious actors are NOT being blocked when they should be, we have a HUGE problem.

    Basically WordFence may not even be fundamentally working as a firewall if there are no consequences for malicious actors violating firewall rules. They’re free to just keep on brute forcing away until they can brute force a solution to break your firewall. You NEED to pay attention to the big picture and roll out an emergency hotfix for this to EVERYONE, and you need to do it NOW.

  • The topic ‘Automatically Blocked IPs Not Appearing In Blocking List’ is closed to new replies.