503 Block from customer paying bill

My client’s site went down again today with the same 503 error – Blocked by WordFence Security Network.

I would very much like to find out where I should start to investigate this issue.

Thank you.

• This reply was modified 5 years, 11 months ago by abbydazzle.

Hi @abbydazzle,

Can you check under Wordfence -> Tools -> Live Traffic, to see exactly which IP is being blocked and for what reason?

You can also check Wordfence -> Firewall -> Active Blocks to see if there were any blocks set in place that is affecting service.

Dave

Hi wfdave,

More detailed info may help. Know that I am the only admin and have the only user ID.

On 12/13 around 3pm I was informed the site went down as a customer was paying their bill. I saw this when I visited the website – https://www.dropbox.com/s/kiay8c32ztqdu09/website-screenshot.PNG?dl=0

I logged in to the admin with no issues and the site came back up. Here is traffic from around that time. (my login is from Hixson) https://www.dropbox.com/s/1cmhp0acqdwsxkb/121318-firstlockout.png?dl=0
I don’t see anyone who accessed pay-my-bill page. There was a Ukraine IP block the day before.

Yesterday I wasn’t given any details other than “site is down”. Same issue as before 503 – Blocked by Wordfence Network. Here’s traffic from around the time of my notification. I have since blocked the range of Ukraine IP addresses. (my login is from Fort Payne)

https://www.dropbox.com/s/f13d5ytkqvpuu7j/121818-secondlockout.png?dl=0
https://www.dropbox.com/s/p12770s3y9fymiv/121818-secondlockout-2.png?dl=0

Here’s a list of current IPs blocked (I assume that’s Active Blocks you mentioned). Most of the blocks are from the weekly emails I receive that show the IPs that were blocked and I go in and manually block them. You can see the range I blocked yesterday and several individual IPs.
https://www.dropbox.com/s/kdkk185db5ge8z4/BlockedIPs.png?dl=0

It’s not a case of individual users being blocked from the site, but that the site is inaccessible and I have no idea what’s causing it. And unfortunately I won’t get much helpful info from my client.

Could it be a plugin conflict? I don’t know where to start to replicate this issue or even if I can replicate it. I haven’t made any changes to the site except a few weeks ago. I changed caching timing from 12 hours to 10 hours and added form page URLs to no cache. (Swift Performance) I deactivated it yesterday in case the site went down again I could rule out that plugin.

But, most importantly, how can I know that Wordfence has rendered a site inaccessible? I need emails, text, smoke signals – something so I can take care of it before my client sees it.

Thank you!
Abby

• This reply was modified 5 years, 11 months ago by abbydazzle.

Ah! I forgot to notice that users were getting blocked by the Wordfence security network and not by your site.

Can you try disabling this setting and seeing if this fixes your issue?

1. Go to Wordfence -> All Options
2. Disable Participate in the real-time...
3. Save Changes

Example: https://i.imgur.com/bOkWEy5.png

Dave

Thank you for your reply.

I read the help doc about participating in the real-time network but I didn’t quite understand.

I am disabling something that is only reporting information back to WordFence? I’m not turning off any blocking features?

I suppose we will know it works if the site doesn’t come down again.

Is there any way to be notified if the site becomes inaccessible in that sort of manner?

Thank you!

Hi again!

By disabling participating in the real-time network you are disabling the IP blocks on the global IP blacklist. (It should solve the issue of random users getting blocked)

As for your second question, there is no current way to be notified when users are blocked as a result of being on the IP blacklist. So I’ll put in a feature request for that right away!

Dave

Thank you VERY MUCH for your help! You can mark this one as resolved.

Sounds good! Happy new year!