• Resolved supahduck

    (@supahduck)


    Lately I’ve been noticing a large number of external attacks across my many WP sites coming from the “127.0.0.1” localhost IP, which doesn’t make sense. Furthermore the attack URLs seem to be a laundry list of popular attack vectors, so it would appear to be bots trying the nuclear approach.

    Is there *ANY* way to have this traffic more accurately identified? Mark Maunder’s post from 2015 announcing Wordfence’s IPv6 capabilities made specific mention of the ability to look up PTR records, and do fairly robust geo-location as well.

    Has something become broken in the code, or is this a misconfiguration issue in my Wordfence plugins (which are all standardized on a template through Wordfence Central, btw), or perhaps a misconfiguration issue on my web hosting company’s server?

    Screenshot attached to show example of what I’m seeing in Live Traffic:

    Thanks in advance for any advice/suggestions you may have!

Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @supahduck

    Please send your Wordfence diagnostics report. Go to the top of the “Diagnostics” tab on the Wordfence “Tools” page. There will be a “SEND REPORT BY EMAIL” button to send the diagnostics report. Enter wftest [at] wordfence [dot] com as the email and supahduck as the forum username please.

    Thread Starter supahduck

    (@supahduck)

    Diagnostic e-mail has been sent, Phil. Thanks for your prompt response!

    It should be noted that IPv4 addresses are being properly identified and geo-located, although that doesn’t appear to be the majority of the attempts.

    In all the years I’ve been using WF and WF Central, I haven’t seen anything like this. Other than regular WP and plugin updates, nothing has changed on my sites in terms of configuration, and I don’t run any plugins from third-party repositories.

    Any guidance / advice you can offer is appreciated!

    Thread Starter supahduck

    (@supahduck)

    Any updates on this unusual situation?

    I’m also seeing this on some of my websites and am also curious about any updates on this.

    Thread Starter supahduck

    (@supahduck)

    @xiff, good to know that I’m not the only one! I haven’t heard anything back from the Wordfence team as of yet, but hoping they will respond soon, as the attacks continue across most of my sites.

    @supahduck, been seeing it on several of mine as well. And we aren’t the only ones, I’ve seen mention by others while googling on the topic. If I find anything out, I’ll be sure to let you know.

    Thread Starter supahduck

    (@supahduck)

    @wfphil Any updates? Seems like this is a widespread problem…..

    Do you require any additional information on our system configurations, perhaps?

    Thread Starter supahduck

    (@supahduck)

    @wfphil, the 127.0.0.1 entries in my sites’ blocklists are continuing to pile up, and exceed all other entries by several orders of magnitude (100:1 to 200:1), and I am concerned that my ability to properly manage attack vectors and actors is being compromised by the lack of information. Having most of my attacks registered as coming from ‘localhost’ pretty much nullifies the entire value of the Wordfence blocking capability, and I would have thought that the loss of a core capability would garner more attention than this.

    Seeing as I’m not the only one having this ongoing issue, is it at all possible to get an update on what’s going on, and if there is a solution forthcoming?

    Hi, I noticed a similar thing and was puzzled.
    I don’t understand how you can test a website and get a response from it if your address is 127.0.0.1.

    I looked at my logs and I think it’s from a scan tool called Tenable. I found in the User Agent string:
    – “Nessus”
    – “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)”
    The latter is the default string in Tenable config.

    Another point is that throughout all the 127.0.0.1 entries I found an IP address owned by Tenable with a similar test.

    I looked at the 700 lines and everything seems fine to me, only 301, 403, and the 200 were redirected to my home page.

    Thread Starter supahduck

    (@supahduck)

    Starting to get really concerned at the lack of response.

    Received this e-mail today:

    As you can see, the number of attacks is escalating. Here is the WF Dashboard widget for that same website:

    I’ve got four other sites that are showing the same types of issues, out of a total of 9 on that webserver. So it’s not consistent across all sites on that IP.

    Can ***someone*** from WF respond, please? There are lots of us that are affected by this, and it would be nice to be able to move this forward.

    Plugin Support wfphil

    (@wfphil)

    Hi @supahduck

    Apologies for the delay, this one got missed, it appears, due to our reporting system.

    Because IP 127.0.0.1 is a special reserved IP address, it is not routable over the public internet, so your hosting provider might be using a proxy server using that IP address that is also not always correctly sending incoming client IP addresses to your origin server where WordPress is installed. Please ask them about this.

    @xiff and @lemisterjeff as per forum rules please open your own topics:

    “Unless users have the exact same version of WordPress on the same physical server hosted by the same hosts with the same plugins, theme, and configurations, then the odds are the solution for one user will not be the same for another. For this reason, we recommend people start their own topics.”

    Thread Starter supahduck

    (@supahduck)

    @wfphil, if I understand your response correctly, then I can confirm that my provider does NOT run any sort of proxy. The server I’m on is configured with a classic IPv4 address, and has been running just fine until fairly recently (i.e. the last month and a half or so). I’m talking multiple years with the sites, all running Wordfence, and all running smoothly (and reporting blocked IPs properly) until this 127.0.0.1 issue.

    Something has changed in the WF code, and it’s making the WF plugin pretty much useless for one of its core functionalities.

    I remain ready to provide your team with whatever information / logs / access you need to diagnose the issue further, as it seems that I’m not the only one. Multiple users across multiple distinct and different setups, all seeing the same issue? It definitely points to a WF code issue.

    What’s the next step?

    Thread Starter supahduck

    (@supahduck)

    For what it’s worth, I ran a traceroute from my home office (using a Starlink connection), and it pinged normally through to the Montreal-based colocation site where my provider has some of their server infrastructure. All IPv4 pings, all resolving to FQDNs, and certainly nothing that would prevent the Wordfence instances from properly resolving client IPs.

    Like I said, everything was running fine for the last several years, with no major code changes on multiple sites other than regular plugin updates, until the last month and a half, which is when I posted here in the forums.

    It should also be mentioned that not all of my sites on that server are experiencing this issue, so that further indicates that it’s a coding issue, rather than a physical network / server configuration issue.

    Would love to figure this out, so please let me know how I can help. Thanks!

    Plugin Support wfphil

    (@wfphil)

    Hi @supahduck

    Please send server raw access logs for the site for a time when you see hits for IP 127.0.0.1

    Send them to wftest [at] wordfence [dot] com and place your forum username in the subject field.

  • The topic ‘Blocked Addresses showing up as 127.0.0.1’ is closed to new replies.
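
The thread ends with a request for raw access logs covering the 127.0.0.1 hits, and one reply describes checking those hits by user agent and status code. The following is an added example, not code from any poster or from Wordfence, that does that triage on a log file before sending it. It assumes the Apache/nginx "combined" log format; the function name and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format is assumed; adjust the pattern if the host differs.
Q = r'"((?:[^"\\]|\\.)*)"'  # a quoted field that may contain backslash-escaped quotes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + Q + r' (\d{3}) \S+ ' + Q + ' ' + Q + '$')

# User-agent strings the thread associates with a Tenable/Nessus scan.
SCANNER_UAS = ("Nessus", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)")

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 403 512 "-" "Nessus"
127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 301 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-cron.php HTTP/1.1" 200 0 "-" "WordPress/6.4; https://example.com"
garbage line
"""

def summarize_loopback_hits(lines, client_ip="127.0.0.1"):
    """Summarize requests whose logged client address is client_ip."""
    statuses, agents, stamps = Counter(), Counter(), []
    scanner_hits = unparsed = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed += 1  # not in combined format; inspect these by hand
            continue
        ip, ts, _request, status, _referer, ua = m.groups()
        if ip != client_ip:
            continue
        stamps.append(ts)
        statuses[status] += 1
        agents[ua] += 1
        scanner_hits += any(s in ua for s in SCANNER_UAS)
    return {
        "hits": len(stamps),
        "first": stamps[0] if stamps else None,   # log order is chronological
        "last": stamps[-1] if stamps else None,
        "statuses": dict(statuses),
        "agents": dict(agents),
        "scanner_hits": scanner_hits,
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    for key, value in summarize_loopback_hits(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The `first` and `last` timestamps give the window to quote when sending logs to support or asking the hosting provider what sits in front of the web server.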