• Resolved yanky83

    (@yanky83)


    Hello,

I have latest WP, and latest WordFence installed. For some reason, the blocking/throttling functions are not working.

IPs can be successfully blocked manually, and are getting blocked via the Security Network, but no failed login attempts or too many requests are being blocked.

    Any pointers, where to debug? Tried advanced and basic firewall setting. No change.

    Regards

    https://www.remarpro.com/plugins/wordfence/

Viewing 15 replies - 1 through 15 (of 29 total)
  • I’m having this problem as well, my rate limit throttling is doing nothing. WF tech support has taken a look at it and no joy so far. Frustrating as that’s one of the better features of Wordfence, and works well for blocking content scrapers. Sigh. MTN

    I am having this problem as well. I am wondering if this is a bug or if they moved these features to the paid level?

    I’m on the paid level, still doesn’t work. Mine appears to actually have quit working a while ago (before the recent problematic upgrade), unfortunately I’d quit looking at it because it was working so well. Lesson, the better software appears to be working, the more time you should spend on it! MTN

    In terms of debugging, troubleshooting the rate limiting is tough because how do you quickly test it live, without setting extreme settings that block legit traffic? MTN

    Thread Starter yanky83

    (@yanky83)

    Mhm, not even the paid version is working, that’s fairly upsetting.

    I “tested” it by being under a ddos attack, and nothing got blocked or throttled. It didn’t even block, when I manually entered the wrong password like 20 times in a row.

    That makes this plugin plain useless at the moment.

    @plugin maintainer: any comment?

It’s been my experience over a fairly epic career in publishing that paid software is no better (and sometimes worse) than “free” versions. Sadly. As I’d love to pay more and get more… The WordPress plugin situation is a complete mess. What’s worst, and fortunately doesn’t appear to be the case with Wordfence to their credit, is some plugin authors will publish a “free” plugin on www.remarpro.com then sell a paid version with the same name, but that’s actually a substantively different piece of software that’s not vetted by the WordPress Repository and may have a totally different set of problems. Happened to me just a few weeks ago.

    As for solving this problem with rate limiting not working in Wordfence, I still have no idea where to begin but I feel the wheels turning.

    MTN

    Spent about 3 hours trouble shooting. Here we go:

    1. It appears that “Throttling” is either not working for me, or Wordfence doesn’t report it. I did all sorts of load testing and could not trigger it, meaning the website didn’t seem to slow down and I never got a Wordfence message.

    2. If I set the rate limiting to “Block” I can trigger it and get blocked.

    3. I had to set fairly conservative rate limiting settings before I could get blocked.

    4. Testing was done by simply opening my site on a VPN on a laptop next to me here on my desk, and clicking stuff like a monkey on drugs (that’s what bots are, right?). To test the 404 blocking I made some broken links and clicked those until I got a blister.

    I had pretty much everything set to “Throttling” hence I never saw anything happening. Looks like this bug involves the “Throttling” component of all this.

    For now, my solution is to set everything to “Block” with conservative settings and watch site close to adjust for false positives.

    MTN

    Ok, with stricter settings and everything set to “Blocking” not “Throttling” I’m seeing some blocked IPs now coming in from the animals in the bot jungle, but still weird.

I’ve got the “Anyone’s request” rate limiting set to “120 per minute (2 per second)”

But the bot that got blocked hit me 129 times before being blocked, at a rate of what appears to be more than 2 per second.

    So, the mystery now is how the heck does Wordfence count hits? Over a minute period? Half a minute? An hour? If the count is over the space of a minute, they might as well get rid of the “x per second” information on the rate blocking settings, it just confuses.

    MTN

    Plugin Author WFMattR

    (@wfmattr)

    @yanky83: If failed login attempts aren’t being shown, do you have any other security plugins on the site, or any custom .htaccess rules? Some captcha plugins may cause no failed login attempts to be shown, if bots are being blocked by a captcha, or if another security plugin is set up to block earlier. (Wordfence intentionally blocks later in the login process so that plugins that allow alternate login methods can do their work before it’s considered a failure.)

    If you’re also having trouble with the throttling under the “rate limiting rules,” we’re investigating an issue with human vs. bot detection, that isn’t counting visits in the right category sometimes. (So if your rules for bots or for humans are more strict, then some visits may be counted under the more/less strict rules.)

    @mountainguy2: I think we’re still discussing in the premium tickets — thanks for the input and details so far.

    I’ve confirmed that the counting for throttling/blocking is done per minute, with the first number listed in the drop-down list being an actual number of hits. The second number in parentheses is the average, shown for reference.

    -Matt R

    Thanks Matt, yes, we are discussing in Premium Ticket. Am trying to contribute here as I think we are getting close to a botpocalypse that might possibly shut down most website publishers. That is unless companies such as Wordfence up their game to the max.

    Thanks for clarifying how counting is done PER MINUTE.

    MTN

I’d add that after all my testing, the “IPs who were recently throttled for accessing the site too frequently” still shows the last listing as about three months ago! Clearly, throttling is not working or I’m incredibly confused…

    MTN

    Thread Starter yanky83

    (@yanky83)

    Hello,

    no other plugins (no caching, lock outs, etc.)

In the live traffic view, the requests do log under bot/crawler traffic, but still don’t seem to get limited/blocked. I have set all options for throttling – no change. I have looked at “recent traffic”, and it def. shows more traffic than the set limit for throttling, but no blocks are set. That is over a period of more than a minute.

    No captcha plugins either. Even set the option to lock known user names after first fail – nothing happened – I can enter wrong passwords for admin as often as I want – no block.

    Any logs/debug options I could investigate?

    Dennis.

    So, for the record here and to try and help solve problems, I googled “how does Wordfence throttling work?” And got the following, which I re-wrote for clarity. Matt, is the following correct?

    How WF “Throttling” functions:
Example, you have a given Firewall Rate Limiting Rule set to “120 per minute.” A bot begins crawling, during that first minute, on the 121st time the bot hits, it receives a 503 error for all further hits during that same minute. When the next minute rolls around the bot is unblocked and can start hitting again, and if it again clocks more than 120 hits it again receives the 503. So, what “Throttling” actually does with this aggressive bot is limit it to 120 (completed) hits a minute.

    (Technically, after being throttled the bot still “hits” links, only it doesn’t crawl any content after 120, it just gets the 503 error each time it hits/crawls a link, thus still using bandwidth only not so much?)

    So simple, I missed it, and thought it was a more complex behavior.

    During my testing I might have observed the Throttling actually working, but definitely did NOT see it reported under “Blocked IPs”.

    So the defect in Wordfence that I’m experiencing might simply be that Throttling does work, only it doesn’t get reported.

    Clearly, if Rate Limiting rules are set to Block instead of Throttle, they’d help with a DOS attack? Not so clear if throttling would help, as it still allows the bot to hit/crawl? Confusing.

    I’ve been shut down a couple of times by DOS attacks over the past few years, so am very interested in anything that can actually defend.

    MTN
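A small model of the per-minute counting described in the post above and confirmed by the plugin author (a fixed 60-second window, the first number in the rule being an actual hit count). This is an added example, not Wordfence’s code; the 503 status follows the thread, while the 5-minute block duration and the sample address are assumptions.

```python
# Model of the per-minute rate limiting described in the thread.
# Not Wordfence's code: the 503 status and 60-second window follow the
# thread; the 5-minute block duration is an assumption.
from collections import defaultdict

WINDOW_SECONDS = 60


class RateLimiter:
    """Fixed-window counter: hits are counted per calendar minute per IP."""

    def __init__(self, limit_per_minute, action="throttle", block_seconds=300):
        assert action in ("throttle", "block")
        self.limit = limit_per_minute
        self.action = action
        self.block_seconds = block_seconds
        self.counts = defaultdict(int)   # (ip, minute) -> hits in that minute
        self.blocked_until = {}          # ip -> unix time the block expires

    def handle(self, ip, ts):
        """Return the HTTP status a request from `ip` at unix time `ts` gets."""
        if ts < self.blocked_until.get(ip, 0):
            return 503                   # blocked: refused until the block expires
        minute = int(ts // WINDOW_SECONDS)
        self.counts[(ip, minute)] += 1
        if self.counts[(ip, minute)] <= self.limit:
            return 200                   # the first `limit` hits in a minute are served
        if self.action == "block":
            self.blocked_until[ip] = ts + self.block_seconds
        return 503                       # throttle: refused for the rest of this minute


def simulate(action, limit=120, hits=129, interval=0.2):
    """Replay a bot sending `hits` requests 0.2 s apart (5/s, well above the
    "2 per second" average shown in the rule), then one request in the next
    minute and one six minutes on. Returns (burst statuses, later, after_block)."""
    rl = RateLimiter(limit, action)
    ip = "198.51.100.7"                  # constructed sample address
    start = 1020.0                       # start of a window, so the burst stays in one minute
    burst = [rl.handle(ip, start + i * interval) for i in range(hits)]
    later = rl.handle(ip, start + WINDOW_SECONDS)              # next minute
    after_block = rl.handle(ip, start + WINDOW_SECONDS * 6)    # after the assumed block
    return burst, later, after_block


if __name__ == "__main__":
    for action in ("throttle", "block"):
        burst, later, after_block = simulate(action)
        print(action, "served:", burst.count(200), "refused:", burst.count(503),
              "next minute:", later, "six minutes later:", after_block)
```

Because the count is per minute, all 120 hits of the 5-per-second burst are served before any 503 appears; “Throttle” serves again in the next minute, while “Block” keeps refusing until the block expires.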

    I verified I have a rate limiting block that’s consistently blocking bots while set to “Block.” I just switched it to “Throttle” for a final test if Wordfence is functioning correctly for throttling. Will report back. MTN

  • The topic ‘Blocking/throttling not working’ is closed to new replies.