False Positive Block of CloudFlare

Hello,

Thank you for taking the necessary time to explain well solution to vital issues,
I truly appreciate it.

However now despite selection of “CF-Connecting-IP” option which was suppose to resolve issue of showing the actual IP address of visitors and thus eliminate false positive of blocking by WordFence of legit site users.

Now still many user are getting trapped “blocked” due to same reason of
“POST received with blank user-agent and referer”
which you can clearly see in thisscreenshot taken just now
https://easycaptures.com/fs/uploaded/911/4606879435.jpg

Your prompt detailed reply with a working solution will be much apprciated

If you open another browser where you are not logged in to wp-admin and visit your site in that browser, can you see your request and your correct IP-address in Live Traffic?

You can find more information about how to perform this test here.

Hi,

After running for 24 hours with CloudFlare paused for 24 hours.

Here are the results:
https://easycaptures.com/fs/uploaded/915/8470874303.jpg

Where you can clearly see large amount of blank referral

What is the best solution to implement,
in order to avoid all those false positive ?

Hi,

Now all of a sudden I ‘m getting a ton of false positive blocking of legit users getting blocked for using the exact same login word “test”

How can so many users be using the same word test to login from so many different countries IP ?

What is your best explanation and solution for this vital issue ?

Keep up the good work of protecting sites !

Here is the screenshot proof of blocked visitors who are using “test” to login

https://easycaptures.com/fs/uploaded/916/2412674866.jpg

Here is the screenshot proof of blocked visitors who are using “test” to login

https://easycaptures.com/fs/uploaded/916/2412674866.jpg

Hello android1pro,
I am assuming “test” is not a real user that is supposed to be logging in on your website? So how is it a false positive?

Hello,

A lot of blocking has been happening (more than usual) in past 48-72 hours.

Here is complete screenshot of Word Fence options settings
https://easycaptures.com/fs/uploaded/929/3376926605.png

Keep up the good work of helping sites continue to be optimally working safely.

Your prompt reply with best solution to this vital issue,
will be much appreciated.

More specifically here is a sample IP list of “blocked by login security settings”

https://easycaptures.com/fs/uploaded/930/7050606013.jpg

So the question now is this:

Q:is this unusual high level of excessive blocking is due to:
A) Real visitors hackers trying to hack due to bad traffic from actual hackers
B) Bad WordFence setting that is causing this
C) Both of above

IF so what is your best solution ???

Hello android1pro,
all those are bruteforce attempts from “hackers”. That they are being blocked just shows that Wordfence is doing what it is supposed to be doing (stopping them). How many blocks you have depends on how many attacks you have and this will constantly vary depending on how active the “bad guys” are at a certain point in time.

Thanks again for the prompt answer

I appreciate what you are stating,
however we have never had this heavy number of visitors being blocked by login settings ever before.

I’m talking about between 20-30 per day vs 2-3 per day
only a few weeks ago

That is 1000% increase in matter of couple of weeks !!!

1) Is there something newly added to WordFence that is causing this high volume reporting of blockage.

2) Is it possible that the settings are too strict and therefore it should be modified ?

If so by looking at the currently existing setting here
https://easycaptures.com/fs/uploaded/929/3376926605.png
what are the change or modification that would be best to implement ?

Keep up the good work of helping sites continue to be optimally working safely.

Hello android1pro,
your settings look fine. Unless you are having legitimate users report that they are not able to reach your site or log in to your site there is nothing to worry about. A 1000% increase in brute force attacks is not uncommon.

Hello,

Are you sure ?

There could be something wrong because the blocking is really intense now as it has gone another 1000% increase on top of previous 1000% last week alone !!!!

Care to explain the following (please be honest if you don’t know or not sure):

1) Why now WF does not even categorize the blocking or tell why these visitors were blocked ?

2) Also the NEWLY alleged hackers are now very random from everywhere as opposed to from specific few countries last week??

3) What is the best solution or setting to stop scrappers from scrapping the site?

Again your helpful prompt insights will be appreciated
Keep up the good work !

Hello again,
1. Wordfence shows you the reason. It is stated in the screenshot you provided “Blocked by login security setting”. This means something in the Wordfence Options page under the section “Login Security Options”.

2. Yes, the more “serious” attackers will change IP with every request so you will get requests from many different locations.

3. If you see scrapers they usually have one or a few IPs that they always use so you can block those IPs.