• Resolved benpl

    (@benpl)


    I have received a Wordfence Alert about increased attack rate. What surprised me was that even though they came from a single IP, Wordfence did not block that IP even after over 100 SQL Injection attempts and only blocked some of the SQLI attempts from working.

    I’m not the person who initially set up this WordPress installation and configured Wordfence, so I’m not aware of all the options that were changed. I’ve looked through all the options in Wordfence, but have not seen anything that looked like an option to permanently ban an IP after a single attack attempt.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @benpl

    Blocks that are triggered by a firewall rule do not have a block time assigned to them.

    You can manually block IP addresses if you want to, but make sure to read the article “Ask Wordfence: Should I Permanently Block IPs That I See Wordfence Blocking?” in our IP address blocking documentation below:

    https://www.wordfence.com/help/blocking/#ip-address

    Thread Starter benpl

    (@benpl)

    Hi, thank you.
    Is this something that’s available in the premium version?

    A fair amount of fairly benign SQLI attempts was allowed through by Wordfence, which suggests that unless there’s a specific rule, SQLIs in general do not get blocked.

    A block after a single attack would prevent the attacker from executing something Wordfence is unaware of.

    Plugin Support wfphil

    (@wfphil)

    Hi @benpl

    Thank you for the update.

    The same functionality exists in the premium version and is how the firewall rules are designed to work.

    The generic SQL Injection rule is intended to prevent the kind of complex queries that are necessary to extract sensitive information, and without running into a large amount of false positives. But this means that there are some requests that are technically SQLi that it won’t catch because they are not actually going to give an attacker any useful information.

  • The topic ‘Blocking IPs after a single attack attempt’ is closed to new replies.