JIL Worldwide Service today.Makakuha ng libreng 700pho sa bawat deposito

Resolved sierrasixmedia
(@jadebartholomew)

2 years, 10 months ago
I blocked an IP that has been attempting to login to the site for over 2 hours – god knows why wordfence hadn’t already blocked the IP after over 30 login attempts??? Considering my settings were set to “block after 10 failed login attempts”

Anyway, I blocked the IP at 13:02, when I saw the newest login attempts, however since then they have attempted to log in 3 more times so far – how is this possible when the IP is blocked? it’s the same IP every time.

This is POOR security and clearly doesn’t work.

See details of 3 login attempts after IP was blocked here.
See login attempts after blocked IP here.
See the number of login attempts here.
See my login attempt security settings here.
- This topic was modified 2 years, 10 months ago by sierrasixmedia.

Viewing 3 replies - 1 through 3 (of 3 total)

Plugin Support wfphil
(@wfphil)

2 years, 10 months ago

Hi @jadebartholomew

Wordfence is working correctly due to your misunderstanding of how the plugin operates.

Before you blocked the IP address the block reason was “blocked by Wordfence Security Network”. That blocking is due to the option Participate in the Real-Time Wordfence Security Network found in the Brute Force Protection section on the All Options page

Enabling this feature causes your site to anonymously share data with Wordfence about hack attempts. In return, your WordPress site receives the IP address information of hackers that are currently engaged in brute force hacking activity so that your site can immediately block those hackers before they are able to engage in a brute force attack on your site.

https://www.wordfence.com/help/firewall/brute-force/#wordfence-security-network

After you blocked the IP address, the block reason changed to “blocked for Manual block by administrator”. This block reason is shown because you manually blocked the IP address.

When you said, “Anyway, I blocked the IP at 13:02, when I saw the newest login attempts, however since then they have attempted to log in 3 more times so far – how is this possible when the IP is blocked? it’s the same IP every time.”

That is not correct as they were not login attempts. The IP address was immediately blocked when sending a request for the login page URL. The login page would not have loaded, instead, a Wordfence block page would have been served to the IP address.
Thread Starter sierrasixmedia
(@jadebartholomew)

2 years, 10 months ago
Hello @wfphil

I’m afraid I’m gonna have to disagree with you, these were in fact login attempts – I received multiple notifications about it.

Funnily enough, we just had an attempted log in and another plugin alerted me to the failed login attempt.

As you can see here these are being flagged as attempted logins with incorrect password use.

See photos linked.

Every other time that I have blocked an IP the attempts to access the site stop immediately however yesterdays just continued?
- This reply was modified 2 years, 10 months ago by sierrasixmedia.
Plugin Support wfphil
(@wfphil)

2 years, 9 months ago

Hi jadebartholomew

Thank you for the update.

Your screenshot of the Wordfence Live Traffic page feed is showing that Wordfence is working as outlined in my last reply based on the block reasons shown in red.

With regards to the notifications from the other plugin, only two of them show an IP address:

139.59.115.0
157.230.248.0

Your Wordfence Live Traffic page feed is not showing any hits for those two IP addresses. If you search for them using the advanced IP filter then you will see failed login attempts if they have not been blocked based on Wordfence settings. For the notifications from the other plugin without any IP address, then the bot carrying out those login attempts may be cycling through a large pool of IP addresses that they have access to.

Brute force login attacks are one of the most common attacks that we see and are normal. We see millions of brute force login attempts per hour on WordPress sites protected with Wordfence. Wordfence is set up to do all of the blocking automatically so that you don’t have to. We don’t recommend manually blocking a lot of IP addresses manually as it is generally an ineffective security strategy. Make sure to read the link Ask Wordfence: Should I Permanently Block IPs That I See Wordfence Blocking?

https://www.wordfence.com/help/blocking/#ip-address

Set our recommended brute force protection rules. Instructions are in the link below. You can quickly find these options in the Brute Force Protection section on the All Options page:

https://www.wordfence.com/help/firewall/brute-force/

These rules also protect the WordPress XML-RPC interface:

https://www.wordfence.com/blog/2017/01/xmlrpc-wp-login-brute-force/

Enable two-factor authentication for administrators and those with high-level access e.g. with publisher access. This feature is on the Login Security page. Instructions are in the link below:

https://www.wordfence.com/help/tools/two-factor-authentication/

If there are a large amount of login attempts for the same username coming from a large pool of IP addresses then you can also enable the Google reCAPTCHA feature found on the Login Security >> Settings page.

https://www.wordfence.com/help/login-security/#captcha-options

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Blocked IP is still accessing site?’ is closed to new replies.

Tags