• Resolved Emmageddon

    (@emmageddon)


    Hello, I blocked two IPs a few days ago on a client’s site but my live traffic is still flooded by attempts by them. So much so that I cannot see any other traffic coming through.

    The IPs are:
    13.67.224.13 and 20.29.110.170 (7269 block count on that IP alone)

    Both are flagged on abuseIP:
    https://www.abuseipdb.com/check/20.109.241.82 and https://www.abuseipdb.com/check/13.67.224.14

    They are predominately trying to access a plugin (cookies for comments) that is non-existent on my client’s site. I have thousands of access attempts by them since they were blocked. But they are still attempting every few seconds.

    How can I stop them once and for all?

    • This topic was modified 2 years, 4 months ago by Emmageddon.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter Emmageddon

    (@emmageddon)

    Oh actually there are three. I mentioned: 20.29.110.170 which is also flagged on abuseip with the same pattern as the others (20.109.241.82, 13.67.224.13): https://www.abuseipdb.com/check/20.29.110.170

    Plugin Support wfpeter

    (@wfpeter)

    Hi @emmageddon, I appreciate the detailed information you’ve provided here and sorry to see your site is being bombarded with attempts.

    It’s quite normal to see requests like this, as frustrating as that can be, as many would-be attackers will simply probe a site in an automated fashion. Usually, there’s a hit-and-hope approach to this (as you’re seeing) rather than prior inside knowledge of your files, plugins or the platform you’re running the site on.

    Wordfence is an endpoint firewall, so can catch/restrict/block users using Brute Force or Rate Limiting settings, but at the point your site tries to host content to them using PHP. Restrictions therefore are possible, but it can’t stop the requests from initially hitting your site, even if it ends up blocking them.

    Generally we feel a manual blocking regime is unnecessary, but if you have access to a firewall or load balancer on your hosting plan which is able to block these specific IPs manually, you could try blocking the recurrent ones you’re seeing here. This means the IP could be stopped before any site content is served, before Wordfence is loaded so will effectively hide these IPs from Live Traffic. If that’s not an option, you could permanently block the IPs on your Wordfence > Blocking page, then comma-separate the IPs in your Wordfence > Live Traffic > List of comma separated IP addresses to ignore option to clear the visual clutter. This option doesn’t stop Wordfence from taking action against the IP(s) in question, just showing it to you.

    Thanks,

    Peter.
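Added example, not part of the thread and not Wordfence code: a short Python script that finds the recurrent probers in a web server access log and builds both a per-IP count (for an upstream block request to the host) and the comma-separated string for the Live Traffic ignore option mentioned above. The log format (combined), the plugin URL prefix, the 403/404 status filter and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Combined log format: client IP, request path and status code are captured.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Assumed URL prefix for the probed plugin; adjust to what the log shows.
PROBE = "/wp-content/plugins/cookies-for-comments/"

def _line(ip, path, status):
    """Build one constructed log line (sample data, not real traffic)."""
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 0 "-" "-"'

# Constructed sample: the three IPs named in the thread plus one ordinary visitor.
SAMPLE_LOG = "\n".join(
    [_line("20.29.110.170", PROBE + "x.php", 403)] * 5
    + [_line("13.67.224.13", PROBE + "x.php", 403)] * 4
    + [_line("20.109.241.82", PROBE + "x.php", 404)] * 3
    + [_line("203.0.113.5", "/", 200), _line("203.0.113.5", PROBE + "x.php", 404)]
    + ["truncated or malformed line"]
)

def recurrent_probers(log_text, path_prefix=PROBE, min_hits=3):
    """Return [(ip, hits)] for IPs with >= min_hits refused requests under path_prefix."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, path, status = m.groups()
        try:
            ip_address(ip)  # reject anything that is not a valid IPv4/IPv6 address
        except ValueError:
            continue
        if path.startswith(path_prefix) and status in ("403", "404"):
            hits[ip] += 1
    return [(ip, n) for ip, n in hits.most_common() if n >= min_hits]

def ignore_list(probers):
    """Comma-separated IPs, the format the Live Traffic ignore option expects."""
    return ",".join(ip for ip, _ in probers)

if __name__ == "__main__":
    found = recurrent_probers(SAMPLE_LOG)
    for ip, n in found:
        print(f"{ip}\t{n} refused requests")
    print(ignore_list(found))
```

The `min_hits` threshold keeps a visitor who followed one stale link out of the list; only addresses that keep returning to the missing plugin path are reported.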

    Thread Starter Emmageddon

    (@emmageddon)

    Hi @wfpeter – I tend to block IPs that are showing a persistent behaviour. Probably over cautious but this is a big site for a client and before we had Wordfence we were the victim of a terroristic cyber attack years ago, so I’m overly cautious for a reason.

    Thank you for the detailed information on how to stop seeing these IPs within Live Traffic. I will have a look at these solutions today and hopefully it will stop them dropping into the feed (they’re still going).

    Appreciate the help as always. If this fixes the issue I will mark this as resolved.

  • The topic ‘Blocked IPs still trying (thousands of access attempts)’ is closed to new replies.