• Have just discovered that my site was attacked at 7.46 this morning, with over 1000 hits on /wp-login.php from an IP in Ukraine. I have very low limits set in the Login security options, which ought to have been triggered but presumably weren’t. I have now clicked ‘permanently block IPs locked out from login’, but how does a single IP manage to hammer my site over 1000 times in a couple of minutes?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Elvira, I get confused by this as well. If I’m not mistaken, main thing to remember is that an IP can still visit your server despite whatever Wordfence is doing. Wordfence keeps that IP from getting any farther if it violates any Wordfence rules you’ve set up. In other words, that IP will see the Wordfence “blocked” message but it will still show in your server log. If you want to be more aggressive you have to block that IP number in your .htaccess file, or, at the server level in your server firewall. Does that make any sense?

    Oh, also, if you install a login hide plugin such as WPS Hide Login, know that since that prevents access to wp-login.php, a bot that attacks wp-login.php will never get to the point where they violate your login rules, and thus will not be blocked by Wordfence! Confusing, you bet. And a big reason why Wordfence needs to have its own option to hide wp-login.php.

    In my case, I’ve done a lot of experimenting and prefer to hide wp-login.php and let my server absorb the hits. And again, even if Wordfence block was triggered, the bot can still keep hitting your server as frequently as they desire — only difference is they’d see the Wordfence “blocked” message instead of the server error page.

    MTN

    Thread Starter ElviraKate

    (@elvirakate)

    Thank you again for your response – I understand now. I’ve blocked it on the server, but am afraid that it’s likely it was a one-off use of that particular IP, don’t you think? I have now designated a larger block, putting 1-255 for the last number, which shouldn’t I hope block anyone legit. But all this seems like stable doors and unlimited supplies of bolting horses…

    Yeah, you’re usually better not spending time on individual IP blocks (otherwise known as whack-a-mole), instead depend on programmatic solutions (Wordfence), strong passwords, good backups, etc. Country blocking is a super important part of that, as is using Premium Wordfence in general…

    The question is, how much cost are we willing to spend in terms of taking away from our time creating content, and instead defending our websites? I was spending up to 20 hours a week before I got Wordfence working. Now I spend probably 7 hours a week on backend tasks directly related to security.

    MTN

    Thread Starter ElviraKate

    (@elvirakate)

    I just long for the dear old days of simple html. I still have a couple of sites working that date back well over ten years, they don’t look brilliant on phone screens but they do a very simple job and no-one ever attacks them….

    I shall have to consider Premium Wordfence, though the charities I’ve made the sites for can’t really afford it. It does seem not only grossly unfair but deeply stupid that a site that has absolutely no financial assets whatsoever should be so relentlessly attacked.

    Heigho, onwards and upwards. Thank you again for your engagement.

    Hi @elvirakate
    What was mentioned by MTN is correct, most of the 1000 hits could have just received the “503” response for being locked out, however this will be logged in your server access log file.

    I know you have mentioned that this attack was on “wp-login.php”, but I thought this is a good chance to let you know about XML-RPC Brute Force attacks and whether you can Disable XML-RPC or not.

    Thanks.

    Thread Starter ElviraKate

    (@elvirakate)

    Hi wfalaa, thank you for this. In fact the attacks on xml-rpc are always just one at a time. They don’t bother me as much as the wp-login.php ones. Yes, all the hits got a 503 response – but that doesn’t stop the server complaining.

    If you keep getting such attacks with that rate of “1000 times in a couple of minutes” regularly and you are on a shared hosting plan, then this will indeed affect your server performance. Your hosting provider should protect your website from such attacks though! Limiting rules can be set on a higher level (your server) that should be helpful in terms of reducing the server resources utilization.

    Thanks.
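
The replies above note that locked-out requests still reach the server and are logged with a 503 response. As an added example (not posted by anyone in the thread and not Wordfence code), this Python script scans a combined-format access log for clients that flood wp-login.php or xmlrpc.php within a short window and breaks their hits down by status code. The threshold, window, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format: client IP, [timestamp], "request", status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def find_login_floods(lines, threshold=20, window=timedelta(minutes=2)):
    """Return {ip: {"peak", "total", "statuses"}} for every IP that sent at
    least `threshold` requests to a login endpoint inside one `window`."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        if not m["path"].split("?", 1)[0].endswith(LOGIN_PATHS):
            continue  # not a login endpoint
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((ts, m["status"]))
    report = {}
    for ip, events in hits.items():
        events.sort()
        peak = start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            report[ip] = {"peak": peak, "total": len(events),
                          "statuses": Counter(s for _, s in events)}
    return report


def sample_log():
    """Constructed sample: one flooding client, one ordinary visitor."""
    t0 = datetime(2024, 1, 1, 7, 46, tzinfo=timezone.utc)
    fmt = '{} - - [{}] "{} {} HTTP/1.1" {} 512'
    stamp = lambda n: (t0 + timedelta(seconds=n)).strftime("%d/%b/%Y:%H:%M:%S %z")
    # Documentation-range IPs; the first 3 hits are served, the rest get 503.
    lines = [fmt.format("203.0.113.7", stamp(2 * i), "POST", "/wp-login.php",
                        200 if i < 3 else 503) for i in range(30)]
    lines.append(fmt.format("198.51.100.20", stamp(5), "GET", "/", 200))
    lines.append(fmt.format("198.51.100.20", stamp(9), "POST", "/wp-login.php", 302))
    return lines


if __name__ == "__main__":
    for ip, info in find_login_floods(sample_log()).items():
        print(ip, info["peak"], "hits in window;", dict(info["statuses"]))
```

A high 503 count for one address shows the lockout worked at the application layer while the requests still consumed server resources, which is the case for rate limiting at the server or host level.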

  • The topic ‘How does this happen?’ is closed to new replies.