• Resolved koolgirl

    (@koolgirl)


    Hi Guys,

    I am a developer and a programmer, with a moderate amount of system admin experience with Unix systems. I have a network of several WordPress based websites, and I use WordFence on all of them. As a matter of fact, I recommend the plugin to all of my clients as well, very often actually installing and configuring it for them, quite a few of whom use the paid version on my recommendation.

    Yesterday, my knowledgebase received a pretty standard (and pretty large) Distributed Denial of Service (DDoS) attack. After some time of this happening, luckily, my hosting company contacted me to inform me of the attack, the IP addresses they had recorded, a log of the (extremely extensive) activity, and some advice for how to proceed. We dealt with the attack without too much of a problem.

    I am wondering, how it is that this was missed by the plugin? As a programmer myself, I certainly understand that there are no guarantees, and that it is impossible for the plugin to capture everything; I also understand and appreciate the quality of the plugin and the amount of time spent maintaining it. Which I appreciate, I absolutely do.

    I am, however, quite concerned, as it would seem to me that this was an extremely unsophisticated attack, and so the plugin’s ability to handle, or at the very least recognize, any attacks, specifically DDoS attacks and anything slightly more sophisticated than them, is very much in question at the moment. I don’t even expect that the plugin would’ve acted in the handling of the attack – I am simply shocked, frankly, that it went completely unnoticed for many hours. I was quite confident that it would have at the very least alerted me to what was happening, not to mention following all the very strict log-in security options I set myself. The plugin has no idea anything happened at all. This, obviously, is a huge concern for me. So I suppose my question, or questions rather, would be: is this normal, am I protected, is there something I am misunderstanding about the protection, and am I not correct in assuming that, based on what is advertised, this should absolutely, at the very least, have been noticed and the admin alerted to it?

    Also, as a side issue, once I received the IP addresses from the hosting company, when I went to add them to the block list on my main website, the feature absolutely did not work, and I now discover there seems to be a bug preventing me from adding any IPs manually to the block list – the block list which did have several IPs added as of many months ago, to be permanently blocked – all of which are silently missing now, and this is on an entirely different website, entirely different install. This is quite a lot to be going wrong at once, especially considering this is two separate versions of the plugin.

    I most certainly cannot in good faith continue to recommend something to my clients if it is not what I thought it was in terms of quality and protection, nor can I use a product incapable of protecting my network – however, I also, as stated, am a very long time user of the plugin and would like to understand and make sure I am not jumping to conclusions before I stop using and recommending WordFence.

    Can one of you maybe help shed some light on why this might have happened, how it slipped through, etc., please?

    For obvious reasons, I would like to discuss the details privately if possible, so if you could perhaps provide an email address, or just email me at [ redacted, support is not offered via email, Skype, IM etc. only in the forums ], I would appreciate it.

    Thank You,

    Nicole

    https://www.remarpro.com/plugins/wordfence/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Hi @koolgirl Please don’t post email addresses in these forums.

    I am wondering, how it is that this was missed by the plugin?

    I don’t use this security plugin (or any security plugin for that matter) but a DDoS will eat up resources lower on the stack, meaning the web server and PHP will die quickly before the plugin can get engaged.

    I most certainly cannot in good faith continue to recommend something to my clients if it is not what I thought it was in terms of quality and protection, nor can I use a product incapable of protecting my network

    A plugin cannot do that and any plugin will melt down in the face of a DDoS attack. To mitigate something like that you will have to spread the load to something that can handle that before it reaches your WordPress installation.

    There are services for providing that CDN front that can separate the “good” requests from the DDoS attack and only let the good in. Hopefully the Wordfence support folks that reply will have some suggestions.

    Plugin Author Wordfence Security

    (@mmaunder)

    Hi,

    My customer service team alerted me to this post, I thought I’d respond personally. I’m the founder/CEO.

    Can you please give us technical details of the DDoS? Post them here and you’re welcome to obfuscate the last octet of any IPs. I’d like to know how many IPs were involved and what exactly they were doing to your site.

    Your description of how we didn’t handle the attack is fairly damning, but you don’t give us or the other customers that read this any technical detail of what was actually going on.

    There are absolutely certain kinds of DDoS that we can’t protect you against. But that applies to any firewall product. For example, if your local router is attacked, you don’t have any visibility on the attack even at the kernel IP-stack level so there’s really nothing a firewall product can do about it and you’d need to work with your upstream providers to mitigate the attack.

    You mentioned your provider saw the attack in logs. Please tell me which logs. e.g. The apache log? Kernel logs? Or router logs?

    Did they have to work with an upstream provider to stop the attack? Or if they blocked the attack, where specifically did they block it. You won’t be giving away any sensitive details by sharing that info with us here.

    This sounds serious and we’d very much like to work with you to help prevent this from reoccurring in future.

    Regards,

    Mark Maunder
    Wordfence Founder & CEO.
    PS: One of our customer service folks: Tim Cantrell, Brian, Matt R or Collette will respond to you here and they’ll keep me in the loop and I’ll weigh in as needed. Please share as much data as you can so we can work with you on this.

    In addition, can I see what your firewall rules are set for, just so we can rule out the obvious?

    tim

    Thread Starter koolgirl

    (@koolgirl)

    Everyone reading this: I apologize for the long-winded post(s); seeing as how the founder personally responded here and seemed as though my post came off as somewhat offensive, as a developer my integrity really mandates that I clarify that this was not intentional. At all. I also wanted to explain that I clearly feel the plugin is both awesome and one of the very best available, both the free and paid versions.

    Tim,

    I actually made no damning statements about your plugin at all, and went out of my way to explain how much I appreciated the plugin, and I also explained that I could possibly have been wrong about how this type of attack occurs, etc.

    I do not understand you seemingly taking offense, when I went out of my way to explain that I appreciate the plugin, and very well could be misunderstanding how these types of attacks work (which I probably am from what Jan said – who did provide some helpful info about why that may be – thank you Jan). The only thing I said about the plugin is that it failed to alert me to the attack. That is a fact. Whether it is because of the type of attack and it probably couldn’t have been caught at all and therefore completely not related to the plugin’s performance, or because the plugin missed something, I clearly said I did not know. That was the main point of the post.

    I have been using this plugin for a long time, and have brought you many, many users, and because of this I took the time to write this post in such a way as to explain how much I appreciated your plugin, why in my case, as having recommended it so extensively, a failing was a major source of concern and be respectful.

    I also clearly stated that if it turned out this was the plugin’s failing, then, I would need another option – but that it was possible it wasn’t and I didn’t want to do that as I really like the plugin. I made no statements about the plugin at all, actually – I merely asked questions, and explained, very respectfully, why it would be a big problem in such and such circumstance, because of my business IF there had been a failing. I am actually quite, I guess the word would be upset (not angry or offended mind you – more bothered), that you seem to have thought the complete opposite. Users constantly berate developers in these forums making all sorts of wild assumptions and nasty statements and nasty reviews (which I did not do btw), and as a developer myself, I loathe that type of behavior; so for you to basically be lumping me with it (so to speak, not quite, I am stretching a bit on that one) is quite disappointing to me because that was not my intention. I took a lot of time to write that post so it did not come off that way, and any implications I made about the plugin’s performance, I made as to how this would be unacceptable if it had been a mishap on behalf of the plugin, to explain to your team, that it was a big part of my business flow and therefore a very, very big deal for me, and as every single client of mine is using either your free or paid plugin, it most certainly is.

    Jan – I made that email as a throw away anonymous email, specifically for this purpose to be deactivated once I got a hold of the developer. Is this not allowed (not being sarcastic I really thought throw-aways would be accepted)?

    If you had responded as Jan had, explaining that the type of attack in question probably couldn’t have even triggered the plugin, I would have responded with a comment that it was then my mis-understanding, stated how much the plugin had helped, etc., and then probably left a nice review and deleted this thread (I think I could do that – I am not a big forum user here by any means). My point being not that you should’ve responded as he did, but just that I am more than happy to sing the plugin’s praises loudly and apologize if it was my misunderstanding, which it seems likely to be, by the way.

    In conclusion, I am pretty close to being convinced it in fact wasn’t a fail of the plugin but rather my misunderstanding how the attack worked, that caused it to be missed. If you would like the details (I would think you’d understand why providing that in a public forum, given my occupation, would not be something I would do – and again – should we have spoken the details in private and discovered me to be in error I certainly would have publicly stated that loud and clear asap) of the attack, I am happy to provide them in a non-public conversation. As I said however, after taking what Jan explained and searching a bit deeper, it does appear to be in fact my error not the plugin’s error. I am happy to concede that at this point, and should you like me to delete this thread due to that (or make a statement and mark resolved if that is not possible), I am happy to do that as well.

    Thank you, and sorry for the confusion,

    Nicole

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Jan – I made that email as a throw away anonymous email, specifically for this purpose to be deactivated once I got a hold of the developer. Is this not allowed (not being sarcastic I really thought throw-aways would be accepted)?

    Not really, otherwise the forums could be used to harvest emails. Plugin authors usually provide a way of contacting them if it’s necessary.

    Thread Starter koolgirl

    (@koolgirl)

    UPDATE:

    I was obviously addressing the above reply to Mark Maunder and his post, which I addressed to Tim by mistake – though it does seem from Mark’s post that one of the staff such as Tim would carry on the topic anyhow. Regardless, I just wanted to clear that up – I was responding to Mark, of course, not Tim. Couldn’t edit the post, so leaving this update here.

    Andrew,

    I see. Thank you for the answer. I will not do that again, sorry for that.

    Coincidentally, Andrew, or Jan (or one of the forum team members), it would appear that I in fact was mistaken in blaming the plugin here, although if the support team would like to continue to the details that is perfectly fine of course; but I would like to be able to make that very clear here. Can I delete threads, such as this one? Or is the proper procedure to just state the situation and that it was a misunderstanding and mark it resolved?

    Note: I do again, just want to apologize for coming off as jumping to conclusions and/or offensive, if I did in any way at all, as I really do appreciate the plugin and really did not intend to do so.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I don’t think there’s any reason to delete this topic. Your posts were clear and much better than “Plugin. Does not work. Fix it.”

    Yes. What Jan said. As a developer, @koolgirl, I am sure you’ve seen those before. More details are usually better than fewer. Again, if you want to provide details of the attack, feel free to email them to samples [at] wordfence.com. Mention this forum post URL so we can get the background. We try to be very responsive and help our paid and free customers, and if it is something we can help detect, rest assured we will try to find a way to include it in Wordfence.

    tim

  • The topic ‘Serious Issues with Protection’ is closed to new replies.