How to lock out a country
-
1st- I love your plugin!
I have read that you do not have a way to lockout people trying to log-in to my back end from other countries. I see no reason for anyone to log-into my account and especially someone from another country-
This morning your plug-in has been working great, but I have received over 12 emails locking out people trying to log-in using Admin.
ALL the IP addresses are coming from strange countries that should not be on my site.
Is there a way to stop all countries except the US to log into my site?
Is there a way to ONLY allow my IP address to log-in? That seems like it would be the best way. The same way that banks use 2FA with cookies and send an email. Is there a way to set it up to PERMANENTLY LOG THESE IPs out without manually adding them to the list?
These are 4 of the over 12 attempts this AM
https://www.traceip.net/?query=193.160.230.165
https://www.traceip.net/?query=195.9.211.137
https://www.traceip.net/?query=185.119.81.63
https://www.traceip.net/?query=92.38.166.71
- This topic was modified 7 years, 6 months ago by norwood451.
-
Good evening @norwood451,
The reality of running a WordPress site is that there are people in the world with way too much time on their hands, and this behavior is a daily reality for us as operators.
By using the “banned users” option you can permanently block a list of compromised ISPs but there’s no automated way of blocking IP traffic from a given country.
I have nearly 3,000 blocked ranges in my banned users list which takes a little bit of maintenance to keep it up to date, but I have a good workflow and it’s easy to maintain.
The tools I use are;
https://www.iplocation.net/ to identify an origin country
https://jodies.de/ipcalc to work out CIDR ranges during optimisation of the list
Three tips I’ll give you are;
Harden your iThemes Security install by going through as many of the options that you can – installing the plugin isn’t enough, it needs configured.
Whitelist the IP address ranges given by your ISP at home/work so that you can still log in to your sites if a hacker guesses your login name
Create a 2nd admin account that can’t be easily guessed, using a unique email address connected to your domain that you haven’t used anywhere else, like your dog/cats/child’s name @yourdomain.com for example.
Install the “Disable XMLRPC” plugin which covers another popular vulnerability in WordPress
Hey Marartisan. Thanx for the reply. I AM glad you pointed out the xmlrpc, as I did not have that correct in iThemes.
The reason for the post was that I received over 200 emails in the last day from attempts of getting into my site using ADMIN, which does not exist and if someone tries, they would be locked out. However 200 is a significant amount and has been going on every minute since I posted. I suspect I am not the only site being bombarded with attacks. I am not sure the impact of so many attempts to access my login, but it cannot be good.
As mentioned in the first post, these attacks are coming from Russia. Your tools are not clear on how to use to block countries. Please advise.
Good evening @norwood451 – IP addresses are assigned by RIPE in Amsterdam to each ISP and any business/government/NGO who operate internet facing equipment, so trying to block at a country level isn’t that easy as the IP addresses have been assigned sequentially every time someone applies for a range, not on a regional basis.
I’ve found the best way to block hackers is to list the entire /16 IP address range that they’ve compromised and that cuts down a lot of the noise, but you need to understand how IP addresses and associated CIDR notation works.
To give you a head start, here’s my list of banned users (approx 2850 compromised servers) – click the “banned users” hyperlink at https://artisanfoodmarketing.ie/banned-users/
Take this text file and copy it in to your banned users list. Once saved, go to your installed plugins, and restart iThemes Security (deactivate and then immediately restart again).
Let me know if this works for you.
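The CIDR workflow described in the post above, as an added example that is not part of the original thread: it collapses a ban list into the fewest CIDR blocks, widens entries to their /16, and checks whether addresses that must stay reachable would be locked out. The sample addresses are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data using documentation ranges (not addresses from the thread).
BANNED = ["198.51.100.7", "198.51.100.0/25", "198.51.100.128/25",
          "203.0.113.0/24", "203.0.113.9", "192.0.2.44"]
ALLOWED = ["192.0.2.10", "203.0.113.200"]  # hypothetical home/office addresses


def parse(entry):
    """Accept a single address or a CIDR range and return it as a network."""
    return ipaddress.ip_network(entry.strip(), strict=False)


def optimise(entries):
    """Collapse duplicates, nested entries and adjacent ranges into the fewest CIDR blocks."""
    nets = [parse(e) for e in entries if e.strip()]
    out = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        out += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return out


def widen(entry, prefix=16):
    """Return the enclosing /prefix block for an address or a narrower range."""
    net = parse(entry)
    return net.supernet(new_prefix=prefix) if net.prefixlen > prefix else net


def collisions(banned, allowed):
    """List (address, blocking range) pairs for addresses the ban list would lock out."""
    hits = []
    for a in allowed:
        addr = ipaddress.ip_address(a)
        hits += [(str(addr), str(n)) for n in banned
                 if n.version == addr.version and addr in n]
    return hits


if __name__ == "__main__":
    compact = optimise(BANNED)
    print("compact list:", [str(n) for n in compact])
    print("locked out by compact list:", collisions(compact, ALLOWED))
    wide = optimise(str(widen(e)) for e in BANNED)
    print("after widening to /16:", [str(n) for n in wide])
    print("locked out by /16 list:", collisions(wide, ALLOWED))
```

Each /16 covers 65,536 addresses, so running the collision check against known-good addresses before saving the list shows which legitimate visitors a widened range would block.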
Hi again. Well I was getting one hack per minute from Asia and Russia. I contacted my host WPengine and they were able to block the offending countries. The site lockout notification emails have stopped. FYI: ALL were locked out trying to get in with ADMIN. So, not a good idea to have that as your login. My developer was very stupid about security and I was hacked and, yes, because I used admin as my login. I also did not have 2FA set up, which was a big mistake as well, and I COULD NOT have 2-factor with the host x10, which is the very worst for security.
There was no reason for them or anyone to be logging into my site.
The take home message for anyone reading this is get a good host and iThemes
Best
Wow that is a nice list. I checked my list of 300 against your list and there were no duplicates. Here is my list of 300.
Why do I need to turn off/on iThemes?
FYI you have an issue with your site – shows error on every page except the page you gave me.
I would have called you, but your contact page does not work.
You may want to test on someone else's computer. You are clearly blocking my IP in California
I can only get to your banned users page.
https://artisanfoodmarketing.ie/our-artisan-producers/
https://artisanfoodmarketing.ie/our-artisan-producers/derrycamma-farm-foods/
FYI- your site is 100% down with error showing on each page.
Hey @norwood451 how are you doing today?
I’m probably blocking your ISP, what’s your IP range?
I took your list and optimised it down to 230 and added 215 unique lines to my existing list and I’ve updated the list on my site at https://www.artisanfoodmarketing.ie/banned-users/
Not sure. https://www.dnorwood.com is my web site. It is possible, but I would be surprised if you are blocking California. You may want to have a friend check besides me.
FYI: I was able to see your list and then I could not. That is very odd.
If it is true you are blocking CA, by mistake, you may want to rethink your IP address banned list. Mine is from known individual attackers from my logs.
Also, my host WPengine has some blocking tools for countries and now no unauthorized users for going on 20 hours now. You may want to change hosts if the one you have does not have any tools. I was told Cloudflare.com will block entire countries, and has a free service option. Not sure how good the free service is, but may be an option.
Hey @dnorwood
Your ISP WPengine use an outfit called Cloudflare for their IP transit and I have all 525 ranges blocked as I was getting pissed off by hackers within that network attacking me.
I’ll look into unwinding that over the weekend.
Hope the real estate business is good and by the way, you have a spelling mistake on your front page, your developer spelt your name wrong on the 2nd last line.
Best fishes
Thanx for pointing out the typo on the contact. Funny I did not notice and it is my name.
Hey @norwood451 – Glad to be of service sir
— FYI I still cannot access your site. You may want to fix that, as you may be blocking potential buyers.
- The topic ‘How to lock out a country’ is closed to new replies.