• Resolved hftobeason

    (@hftobeason)


    I’m sure it’s pilot error, but I can’t understand why a UserName I’ve explicitly indicated under “Immediately block the IP of users who try to sign in as these usernames” is still able to attempt multiple logins. Just today, the user “Admin” attempted ~20 consecutive logins despite being listed under “Immediately block the IP of users who try to sign in as these usernames”. Note that there is no UserName “Admin” among my Users. Any advice most appreciated.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @hftobeason,

    When blocking IPs via this option, an IP will be blocked for the duration you have specified under Wordfence > All Options > Rate Limiting Rules > How long is an IP address blocked when it breaks a rule, so you may notice the consecutive attempts have a slight delay but it’s not been long enough for these attempts to fully time out so they’re trying again once the block is lifted and being re-blocked again. You can increase this value to hours or even days to try stemming this flow if you’re noticing a lot of activity.

    Wordfence, as an endpoint firewall, cannot stop a bot or human from trying to visit your website altogether, but rather deals with the visits appropriately when they happen – which it looks like Wordfence is doing.

    Wordfence does all of the important blocking for you automatically so you don’t have to. It may be tempting to permanently block these attempts when you see them but it’s generally an ineffective strategy and takes up your time, so please consult the following links for more information:

    https://www.wordfence.com/blog/2017/11/should-permantly-block-ips/
    https://www.wordfence.com/help/blocking/#ip-address

    Hopefully that helps you out.

    Thanks,

    Peter.

    Thread Starter hftobeason

    (@hftobeason)

    Thank you for your reply.

    I have always had How long is an IP address blocked when it breaks a rule set for 1 Day – but the series of 30 failed login attempts I saw two days ago took place over the course of under 12 hours. All from the same IP as well. Something is clearly either not working or set incorrectly in Wordfence.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @hftobeason,

    So that we can establish whether there is a bug or a different configuration issue, could you please provide us with screenshots of your IP blocking settings and the Live Traffic entries of the same IP being blocked before this expiry period has lapsed? You can set advanced filters to restrict a start date/end date/grouped by IP to prevent unwanted results in your data. You can send these directly to wftest @ wordfence . com or use a tool like Snipboard if you’d rather provide links.

    Thanks,

    Peter.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @hftobeason, thanks for your email… I only just checked up on it when seeing tickets that hadn’t been responded to. Admittedly I normally disclaimer an email to be accompanied by a reply here, but wasn’t 100% if you’d paste Snipboard links to this topic instead so I apologise for the delay.

    I have looked into the screenshots and it certainly seems like the ‘admin’ username should have been caught by the 1 day block time. Unfortunately the one thing the screenshots don’t show is whether the Brute Force Protection toggle switch is set to the ON position? – I see the Rate Limiting one is! If it is, and those blocking rules were all definitely in place when the attempts you show happened, please get back to me and I’ll look to replicate the issue you’re seeing.

    Thanks again,

    Peter.

    Thread Starter hftobeason

    (@hftobeason)

    Thank you for your reply – better late than never!

    I have just now checked the Brute Force Protection toggle, and it is (and has been) ON. I’ve replied to your email with a screenshot of the settings. I for sure haven’t changed anything in WF since the string of failed attempts.

    Please let me know what else I can do to troubleshoot.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @hftobeason,

    Thanks for the extra information. Where you’ve added the usernames to the option “Immediately block the IP of users who try to sign in as these usernames”, if an account already exists with that username then this option will not be executed for that username and an IP address that attempts to log in with that username will not be immediately blocked.

    I feel that this may be the situation in your case.

    Thanks,

    Peter.

    Thread Starter hftobeason

    (@hftobeason)

    Thank you again for your reply.

    I am certain that no accounts exist for the UserNames I have added to be blocked.

    In the specific case of “Admin”, see the UserName search screenshot I’ve sent via email. There is one user whose UserName *includes* “Admin” – would that be an issue?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @hftobeason,

    I believe the name would have to specifically match rather than just include one of the usernames you’ve chosen to block. I’ve had a word with our development team and often issues like this are caused by another plugin returning something other than the invalid_username response via WP’s authentication filters. In the immediately block feature, we only block the username if we can tell for sure that it’s considered invalid, to avoid possibly blocking valid users in a custom login flow in other plugins.

    We’ve most often seen CAPTCHA plugins returning a custom error value, so if the user fails the captcha in that case, Wordfence wouldn’t be able to see that the username was definitely invalid. This may happen with other plugins with custom login pages or security-related features around logins too rather than be restricted to CAPTCHA.

    It could be worth disabling all plugins except for Wordfence and attempting a login with one of your banned usernames to see if that could be the case.

    Thanks again,

    Peter.
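
An added example, not part of the original thread and not Wordfence's code: a small must-use plugin that logs which error codes WordPress's `authenticate` filter chain carries for a failed login, so you can see whether another plugin replaces `invalid_username` as the last reply describes. The function name `login_diag_logger` and the `[login-diag]` log tag are hypothetical; the hooks and functions used are WordPress core.

```php
<?php
/**
 * Plugin Name: Login error-code diagnostic (added example, hypothetical name)
 * Drop into wp-content/mu-plugins/ while testing, then delete it.
 */

/**
 * Build an 'authenticate' callback that logs the WP_Error codes present at
 * one point in the filter chain. The password is never written to the log.
 */
function login_diag_logger( $stage ) {
    return function ( $user, $username, $password ) use ( $stage ) {
        if ( is_wp_error( $user ) && '' !== (string) $username ) {
            $codes = $user->get_error_codes();
            error_log( sprintf(
                '[login-diag] stage=%s user=%s codes=%s invalid_username=%s',
                $stage,
                sanitize_user( $username, true ), // strict mode: safe to log
                implode( ',', $codes ),
                in_array( 'invalid_username', $codes, true ) ? 'yes' : 'no'
            ) );
        }
        return $user; // Diagnostic only: pass the result through unchanged.
    };
}

// Core's username/password check runs at priority 20; log right after it ...
add_filter( 'authenticate', login_diag_logger( 'after-core' ), 21, 3 );
// ... and again at the very end, after every other plugin's callback.
add_filter( 'authenticate', login_diag_logger( 'final' ), PHP_INT_MAX, 3 );
```

If a login attempt for a username with no account logs `invalid_username=no` at either stage, some plugin has substituted its own error code. Disabling plugins one at a time and repeating the test login shows which one.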

  • The topic ‘“Immediately block IP” Not Working?’ is closed to new replies.