• Resolved i1100a

    (@i1100a)


    I get activity reports daily from my website which typically list the Top 10 IPs Blocked. The info seems potentially useful but I’ve found it confusing enough not to be able to make any use of it so far.

    A screenshot for reference: https://share.getcloudapp.com/jkuYEDg9

    1. I went into Wordfence -> Tools -> Live Traffic: Show Advanced Filters, then selected IP for the dropdown, =, and typed the IP address(es) in the field. Every time, I get a “No requests to report yet.” message. https://share.getcloudapp.com/P8um8yp6

    “Amount of Live Traffic data to store (number of rows)” is set to 5000 and Maximum days to keep Live Traffic data is set to “20”. Given the fact this is a daily email, I can’t understand why I’m not getting any info about the reported IPs and why they were blocked. Am I overlooking some other setting?

    2. What does the block count number mean exactly? I’m guessing the amount of times an IP was reported in the last 24 hours. Is that correct? If so, it makes me curious how the same IP can be blocked +170 times in that period. Has it been blocked and unblocked all those times in a day? Can you guys please elaborate on this number and where it’s coming from?

    3. What is the “Update Blocked IPs” button below the Top 10 Blocked IPs table supposed to do? If I click it, it takes me to the Blocking section in WF where I see the current blocks, but I don’t see any action taking place or even any of the Top 10 IPs there. What should I be looking at there?

    ***

    Thanks a lot in advance. I like the plugin a lot but the emails have been a bit confusing for me so far. Would love to use that information better!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @i1100a and thanks for reaching out to us!

    To answer your questions:
    1. Which IP are you searching for? Is it one of the IPs that was previously blocked from the activity report? If you don’t filter by IP, are you seeing other Live Traffic events populating?
    2. When an IP is blocked, say for example they are attempting to Brute Force into your site, they are blocked for the time you have specified in your Brute Force Protection settings. Also, even though these IPs are blocked, when they hit your site, it will still record the traffic. The difference is, all they get is the Wordfence block message instead of your site.
    3. It does exactly that. It takes you to the block page for you to add any IPs that you might want to permanently block.

    Let me know if you have any other questions! I would be glad to assist you!

    Thanks!

    Thread Starter i1100a

    (@i1100a)

    Thanks for replying, @wfadam

    1. Yes, I’m searching for the IPs from the Top 10 IPs Blocked list in the report activity email. None of them were blocked and still return no results. If I don’t filter by IP I do see events populating normally. Not sure what’s happening…

    2 and 3. Noted. Thanks for clearing that up.

    Plugin Support WFAdam

    (@wfadam)

    So without filtering, you don’t see any Live Traffic hits?

    Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    Thanks!

    Thread Starter i1100a

    (@i1100a)

    @wfadam I meant the opposite. Live Traffic displays traffic hits normally. Also if I try to filter by any of the IPs shown in the Live Traffic activity, it does filter them correctly. The problem is that the IPs coming from the Top 10 IPs Blocked list do not return any results which is where the whole confusion started for me.

    Plugin Support WFAdam

    (@wfadam)

    Can you send me a screenshot of the top IPs blocked? I would like to test them to make sure they are valid. How long have you had Wordfence installed? It could possibly be just burned into the table and needs to be cleaned.

    Thanks!

  • The topic ‘Confusing reported activity blocks in WF emails’ is closed to new replies.