• Resolved yanky83

    (@yanky83)


    Hello,

    I have latest WP, and latest WordFence installed. For some reason, the blocking/throttling functions are not working.

    IPs can be successfully blocked manually, and are getting blocked via the Security Network, but no failed login attempts or too many requests are being blocked.

    Any pointers, where to debug? Tried advanced and basic firewall setting. No change.

    Regards

    https://www.remarpro.com/plugins/wordfence/

Viewing 14 replies - 16 through 29 (of 29 total)
  • Ok, testing completed, over 5 hours I did not get one “Throttle.” My conclusion is that for my installation of Wordfence, Throttling is broken. I’m dealing with this on a Premium help ticket as well, will be happy to share solution here when and if it happens. Meanwhile, I’ll refrain from any more posting on this thread. MTN

    droid

    (@android1pro)

    Hello,

    I appreciate what you are stating,
    however we have never had this heavy number of visitors being blocked by login settings ever before.

    I’m talking about between 20-30 per day vs 2-3 per day
    only a few weeks ago

    That is a 1000% increase in a matter of a couple of weeks!!!

    1) Is there something newly added to WordFence that is causing this high volume reporting of blockage?

    2) Is it possible that the settings are too strict or wrong and therefore it should be modified ?

    If so by looking at the currently existing setting here
    https://easycaptures.com/fs/uploaded/929/3376926605.png
    what are the changes or modifications that would be best to implement?

    Your input will be much appreciated

    Many thanks

    Plugin Author WFMattR

    (@wfmattr)

    @yanky83: Is your own IP in the whitelist field on the Wordfence options page, in the Other Options section? That would cause your tests to always make it through. Otherwise, if the live traffic view is showing the correct visitor IPs, then it’s almost certain that another plugin is preventing the blocking from working as it should.

    If the IPs aren’t the true visitor IPs, the host could have a reverse proxy — if the reverse proxy has a private IP, then it might be whitelisted by default, since it’s on the internal network. There are some details on reverse proxies here that may help:
    Reverse proxy troubleshooting

    We do currently have some issues with the human / bot detection, and it seems worse if caching is involved — our dev team will be addressing those issues soon.

    @android1pro: 1 per second is probably too strict unless there is a specific problem you’re trying to address. The difference might just be a coordinated attack — when an attacker running a botnet targets a site, they can hit it often from a large number of IPs, sometimes for days or weeks at a time.

    -Matt R
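
The reverse-proxy case described in the reply above, as an added example that is not part of the original thread and is not Wordfence's code: a simplified per-IP throttle that exempts private addresses sees every request as coming from the proxy and never fires, until the visitor IP is taken from an X-Forwarded-For header set by a trusted proxy. The proxy range, the limit and the sample traffic are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed values for illustration: RFC 1918 ranges treated as "internal" and
# whitelisted, and the one proxy range whose X-Forwarded-For header is trusted.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def client_ip(remote_addr, xff=None):
    """Return the visitor IP: the right-most X-Forwarded-For hop that is not a
    trusted proxy, but only when the socket peer itself is a trusted proxy."""
    if not xff or not in_nets(remote_addr, TRUSTED_PROXIES):
        return remote_addr          # header is client-supplied here: ignore it
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not in_nets(hop, TRUSTED_PROXIES):
                return hop
        except ValueError:
            return remote_addr      # malformed hop: fall back to the peer
    return remote_addr

class Throttle:
    """Sliding-window limiter: at most `limit` requests per IP per `window` s."""
    def __init__(self, limit, window=60):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, ip, now):
        if in_nets(ip, PRIVATE_NETS):
            return True             # internal addresses are never throttled
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def blocked_count(requests, honour_xff, limit=5):
    """Replay (time, remote_addr, xff) tuples; count throttled requests."""
    t = Throttle(limit)
    return sum(not t.allow(client_ip(r, x) if honour_xff else r, ts)
               for ts, r, x in requests)

# Constructed traffic: one visitor, 10 requests in 10 s, via a proxy at 10.0.0.5.
SAMPLE = [(s, "10.0.0.5", "203.0.113.7") for s in range(10)]
```

Replaying `SAMPLE` with `honour_xff=False` throttles nothing, which matches the symptom in the original post; with `honour_xff=True` the same traffic is keyed on the visitor and the limit applies.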

    droid

    (@android1pro)

    In your reply you indicated that
    “1 per second is probably too strict unless there is a specific
    problem you’re trying to address.”
    So I adjusted the setting to this
    https://easycaptures.com/fs/uploaded/935/3534738049.jpg
    I would really appreciate good detailed honest input on how to improve
    it further
    Keep up the good work

    droid

    (@android1pro)

    Hi Matt,
    I have yet to receive your reply regarding the issue detailed above.

    Your prompt reply will be appreciated

    Plugin Author WFMattR

    (@wfmattr)

    @android1pro: Yes, that will probably work better for most sites. If you do continue having trouble, check out the link about “reverse proxy troubleshooting” in an earlier post, above — with a reverse proxy (set up by the host, or in addition to your hosting plan), in some cases, Wordfence can only see the proxy’s IP for all visits, instead of the visitors’ own IPs.

    -Matt R

    droid

    (@android1pro)

    Thank you Matt,

    How do I go about uploading a list of 70 IPs that I would like to be blocked?

    Can this be done successfully in the options part,
    and if so how exactly to do that accurately and correctly?

    Again, your prompt detailed reply with an accurate, correct solution will be appreciated

    Plugin Author WFMattR

    (@wfmattr)

    It is not currently possible to upload a list of IPs to block. If the IPs are blocked already on another site, you can use the Export button at the bottom of the Wordfence options page, and then import the settings on another site — but the other settings for that site will be copied as well.

    -Matt R

    droid

    (@android1pro)

    1) Why not Matt?
    Given the highly advanced features already built into WF, having something like uploading a notepad IP list is only a basic necessity that should have been there long before many other features

    2) Why the powerful feature of Advanced blocking not working at all,
    as every time I tried to enter a new host name and save it, it never shows up on the list of blocked item on advanced blocking page.
    Can you manage to fix this once and for all ??

    Android, if you’re asking for a list of top criminal IP addresses to input into Wordfence, that’s what the WF option “Participate in the Real-Time WordPress Security Network” is supposed to be taking care of. It’s imperfect.

    I get a lot of attacks on my websites, and I research what has not been blocked by Wordfence. More times than not the bad IP numbers that slip past Wordfence are already on various well known block lists.

    See https://www.tcpiputils.com/browse/ip-address

    This is a flaw in Wordfence in my opinion. As things get worse in the bot-apocalypse (which will eventually shut down the whole internet, so be ready with a few good books and tickets to the Med), the block lists become ever more important and at least a couple (or more) need to be integrated into Wordfence.

    To be fair, the Wordfence block list is probably amazing — but it’s also a bit disconcerting to see what slips through.

    Note, if you want to really get radical, and have “notepad” IP block lists, it’s best to just install those on your top level server firewall rather than dinking around with Wordfence or .htaccess. Check with ISP tech support. In my case I use IP Tables with front end CSF server firewall.

    If you can get access to your server firewall, you might be surprised how many attacks are not directly going after your WordPress install, but rather are doing brute force attacks on your FTP login at server level. Wordfence does nothing about that. Huge flaw in the system, IMHO.

    MTN

    droid

    (@android1pro)

    Thank you MTN for your insightful reply with solutions to help, given the massive amount of attacks from bots and scrapers that we all are under these days.

    Just to clarify, are you suggesting to use the list https://www.tcpiputils.com/browse/ip-address

    as a starting point to block each IP on the list,
    by for example entering it in WF, at least for now?

    If so, what other lists are you aware of that can help with that effort?

    Once again,
    Many thanks and keep up the good work of sharing your insights to help protect sites from the relentless attacks we are all under.

    Android, tcpiputils checks if the IP number is on any of a large group of block lists, once you input the IP number there, click the links on the results page to see full information. Idea is you can see if an IP you are researching needs to be manually blocked, what country it’s coming from, etc. It’s just another tool, can take too much time if you’re not careful, but it’s useful.

    MTN

    Plugin Author WFMattR

    (@wfmattr)

    Hi all,

    Version 6.1.8 was released today and includes an improvement for human vs. bot detection, and clarifies the drop-down lists for throttling (measured per minute, not with both minutes and seconds).

    @android1pro: The import option is on our list of possible features to implement (reference number FB875), but it really offers limited benefit for most users — there are hundreds of thousands of bad IPs, so there’s a good chance that if one site is attacked by an IP, another site might not ever see an attack from that same IP.

    For the issue with Advanced Blocking not working, please make a new post using the form at the bottom of the Wordfence forum here. (The www.remarpro.com forum rules ask us to keep each person’s issues separate, and it also helps us keep track of open issues, so no one gets skipped in long posts. The original post above actually belonged to a different user.) Thanks!

    @mountainguy2: When you said that Wordfence does nothing about FTP, I’m not sure if you mean it should, or that the server software should be designed to better protect FTP by itself. It’s not possible for a WordPress plugin alone to protect FTP, and building integration for that would benefit a small percentage of users, since many website owners don’t have root on their sites’ servers.

    If anyone but @yanky83 still has an issue with blocking/throttling, please make a new post instead of replying here. (You can include a link to this post for reference if needed.) Thanks!

    -Matt R

    Ok Matt, clear.

  • The topic ‘Blocking/throtteling not working’ is closed to new replies.