Blocking a range doesn’t work

Hi,
I’ve just checked the “IP range” option in (Wordfence > Advanced Blocking) and I confirm it’s working as it should, I got “blocked for UA/Referrer/IP Range not allowed” in my “Live Traffic” log, it could be that Wordfence on your website can’t detect IP addresses correctly, this can be easily checked by following these steps:
– Open your website link in a new browser window while not being logged in. (for example, Chrome incognito mode).
– Then check your visit in “Live Traffic” log and make sure it shows your correct IP address.

If you didn’t get your correct IP address, then you you will have to adjust “How does Wordfence get IPs” option.

It will be helpful too if you can share a screenshot showing this entry you got for that bot in “Live Traffic”.

Thanks.

Hi,

Thanks for answering.

I have checked and my website can detect IP addresses correctly. But the entry I got in “Live Traffic” was five days ago so I can’t take a screenshot.

But I promise you, it was there in my “Live Traffic” log ?? at the same time as other IP addresses were correctly “blocked for UA/Referrer/IP Range not allowed”.

Thanks

It might have been so that the moment the blocked IP address was shown as a bot, coincided with that I was experimenting with password protection at the web server (I’m not shure I’m expressing this right in English). If that can be an explanation I guess this ticket can be marked as solved.

I’m not really sure I can understand what do you mean with “password protection at the web server”, but of course let me know if you ever have this issue again.

Thanks.

I meant password protect public_html.

I will try to reproduce the problem and create a new ticket if I succeed.

Hi again @wfalaa

I have screenshots of the same thing happening again and I publish them here instead of opening a new ticket as I wrote earlier.

So I have a range blocked as you can see in the screenshot below. No hits are registered.

But an IP number within that range shows up in Live Traffic marked grey (bot), not as Blocked.

Bug?

EDIT
Can’t make the screenshots show in this post. Direct links here:

Advanced blocking
https://www.dropbox.com/s/xybaucu9gd08vat/AdvancedBlocking.png?dl=0
Live Traffic
https://www.dropbox.com/s/z1gxmdtub3zq8i3/LiveTraffic.png?dl=0

• This reply was modified 7 years, 11 months ago by NilsOstergren.
• This reply was modified 7 years, 11 months ago by NilsOstergren.

Do you have a user on your website called “Nils”? an administrator user?

Thanks.

Yes. And a user.

• This reply was modified 7 years, 11 months ago by NilsOstergren.

I’ve just double checked this one and this admin user should be blocked as well, unless his IP is also whitelisted in “Wordfence > Options => Whitelisted IP addresses that bypass all rules”, please re-check this for me.

Also, is that the only entry you can see in “Live Traffic”? I mean this “Nils” entry only with this IP?

Thanks.

My site has two users. I’m both (admin and user with limited rights).

The IP address from which I connect to the server where my WP-installation is running is whitelisted and bypass all rules. But my IP address is not the same as the one that is shown in the three entrys from Pakistan that are shown in Live Traffic.

The blacked out username in the third wisit from Pakistan shown in my screenshot is not the Admin’s username. It’s the limited user’s.

I have “Don’t let WordPress reveal valid users in login errors” enabled.

In Live Traffic I can right now see many similar entrys (15 within 12 hours) marked grey (bots according to WFs color scheme) where an IP address is logged three times in a row as
1: visiting /xmlrpc.php
2: visiting /wp-login.php
3: adding “Nils” to the name of the place of origin and attempt a failed login with the username of my sites only limited user.

No one of the IP addresses behaving like that that I can see right now (from India, Turkey, Portugal etc) are within ranges I have blocked. So right now I can’t show you entrys that should have been blocked immediatly.

I can add that in Options I have set “Lock out after how many login failures” to one (1). And i have the plugin Disable XML-RPC enabled.

• This reply was modified 7 years, 11 months ago by NilsOstergren.
• This reply was modified 7 years, 11 months ago by NilsOstergren.
• This reply was modified 7 years, 11 months ago by NilsOstergren.
• This reply was modified 7 years, 11 months ago by NilsOstergren. Reason: Adding details

One more thing:

When I press the “Block this IP” button on the 3-times-visitors mentioned above, they show up on the page “Wordfence Blocked IPs” as they should. But it says “2 hits before blocked”. Shouldn’t it be 3?