increased attack rate

Hello @lordsnake and thanks for reaching out to us!

An increased attack rate would happen for one primary reason – attackers are more active. Most likely, someone ran a script against your site to see if they could find a security hole. Since all of the requests were blocked, there is nothing you need to do.

You can also disable this email if you want since there is no action you need to take when attacks increase. It’s more of notification for people who may want to dig further. But that would be more out of curiosity than necessity. If you want to disable the option, it’s called “Alert me when there’s a large increase in attacks detected on my site” and you can find it by searching at the top of the Wordfence “All Options” page.

Unfortunately, large attack rates are an everyday occurrence on WordPress sites. That is of course precisely why we developed Wordfence!

If you have any other questions or concerns, just let me know!

Thanks again!

It seems you did not understand my question.

I have not asked what is an an increased attack, what is the point in the notifications, or how to disable it. I already know all of these things and I am also fully aware that attacks are an every day occurrence and for the purpose of Wordfence.

The question was “but why isn’t WordFence simply blocking the IP address? Why is it instead allowing the continued attack from the same IP’s”

I am not quite how you have managed to misunderstand/misinterpret that question so badly.

So to break this down.
Wordfence has the ability to block an IP address, this is one of its features.

So when it detects that an IP address is attacking the site, why is it not then blocking that I address, rather than allowing it to continue performing attacks and trying to block the attacks.
The attacking IP could easily perform many different types of attack or injections or target multiple vulnerabilities, and one of them could succeed.

If the IP of the attacker was blocked, then no further attack attempts from that IP are even going to get through.

Imagine you have detected a burglar trying to break into your house, as you received a notification form your motion detector.

Would it better to call the police and put a stop to his attempts altogether, or let him continue trying to break in and hope your locks and home security system continues to thwart him. If they don’t, then you get robbed.

Wordfence is blocking these requests as you can visit your Wordfence > Tools > Live Traffic page and filter by 188.40.240.200. You will see all of these with a 403 or 503 response code.

Wordfence only blocks for as long as you specify it to. Visit your Wordfence > All Options > Rate Limiting > How long is an IP address blocked when it breaks a rule. You may want to increase this number if it’s set too low.

Thanks again!

yes I know the requests are blocked, that is very clear by the fact it says “The Wordfence Web Application Firewall has blocked 131 attacks over the last 10 minutes”

I am not talking about the requests being blocked, I am talking about the IP being blocked, so the requests never get through to begin with.

So imagine you have a bouncer at a nightclub.
A troublemaker comes into the nightclub, the bouncer has to constantly stop him causing trouble.
But if the guy was banned from the nightclub, he would never even get through the door, so the bouncer would never have to deal with him and stop him from misbehaving.