• Resolved sierrasixmedia

    (@jadebartholomew)


    I have concerns that Wordfence is not blocking attacks fast enough.

    Multiple times now I’ve had an IP address make over 100 attempts to access banned URLs before Wordfence blocks the IP, or sometimes I have to manually block the IP because Wordfence hasn’t.

    See here:

    View post on imgur.com


    This doesn’t seem right to me. I have a list of over 100 banned URLs and Wordfence is supposed to block users who attempt them IMMEDIATELY, not wait for them to try 100 times before doing anything about it.

    Is there a setting I’m missing?
    I’ve just added rate-limiting settings – will this help?

    I also would like to know what a ‘normal’ amount of attacks on a website is?
    It seems our site is being constantly attacked and we’re unsure if this is normal and we’re now just more aware of it after using Wordfence or if we have a weakness in our website?

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @jadebartholomew, thanks for getting in touch.

    This can be frustrating, seeing many access attempts to your site such as this, especially if there seems to be no logical reason, but this is actually quite a normal occurrence. You might find the following blog post interesting: https://www.wordfence.com/blog/2018/03/ask-wordfence-why-is-an-insignificant-site-like-mine-being-attacked/

    Wordfence, as an endpoint firewall, cannot stop a bot or human from trying to visit and/or register on your website altogether, but rather deals with the visits appropriately based on your settings when they happen. If you’re noticing many of these are spam registration attempts, having reCAPTCHA enabled should dramatically reduce the amount of form submissions to your registration pages.

    Some of the WAF rule blocks, as they aren’t assigned a block expiration time, never appear on the Firewall > Blocking page for you to review.

    If Wordfence > All Options > Brute Force > Amount of time a user is locked out and Wordfence > All Options > Rate Limiting > How long is an IP address blocked when it breaks a rule? are set to low timescales such as minutes or hours, you may never see them on any blocked list either as they’ve already been removed when you check. You can try increasing these to days or months if you prefer but we generally recommend around 30 minutes to prevent issues for legitimate site visitors who’ve found themselves blocked by mistake. You’ve mentioned enabling Rate Limiting but also make sure Brute Force and Rate Limiting toggles are set to ON for these rules to work.

    I generally set my Rate Limiting Rules to these values to start with:

    • If anyone’s requests exceed – 240 per minute
    • If a crawler’s page views exceed – 120 per minute
    • If a crawler’s pages not found (404s) exceed – 60 per minute
    • If a human’s page views exceed – 120 per minute
    • If a human’s pages not found (404s) exceed – 60 per minute
    • How long is an IP address blocked when it breaks a rule – 30 minutes

    With Brute Force, I recommend trying 3-5 for attempts and password resets, counted over 4 hours, with a 30-minute (or longer) lockout time period.

    I also always set the rule to Throttle instead of Block. Throttling is generally better than blocking because any good search engine understands what happened if it is mistakenly blocked and your site isn’t penalized because of it. Make sure and set your Rate Limiting Rules realistically and set the value for how long an IP is blocked to 30 minutes or so.

    Remember there is no hard and fast, one size fits all set of rules for every site. This is just a good place to start. During an attack you may want to make those rules stricter. If you see visitors, like search engine crawlers, getting blocked too often, you might want to loosen them up a little.

    Our general advice is that Wordfence does all of the important blocking for you automatically so you don’t have to, so it’s perfectly fine to try out some longer block times but you shouldn’t need to start manually blocking IPs.

    Thanks,

    Peter.
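Added example, not part of the thread and not Wordfence code: a Python check that replays web server access-log lines against the per-minute thresholds listed in the reply, to show which IPs would have broken a rule and which stay under it. The log format (common/combined), the fixed one-minute buckets, the function names and the sample lines are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Per-minute thresholds taken from the reply above.
MAX_REQUESTS_PER_MIN = 240
MAX_404_PER_MIN = 60

# Common/combined log format: client IP, [timestamp], "request", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def find_violations(lines, max_req=MAX_REQUESTS_PER_MIN, max_404=MAX_404_PER_MIN):
    """Return {ip: (minute, rule)} for the first minute an IP exceeds a threshold.
    Fixed calendar-minute buckets are assumed; the page does not say how Wordfence counts."""
    requests, not_found = Counter(), Counter()
    violations = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, stamp, status = m.groups()
        minute = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").strftime("%Y-%m-%d %H:%M")
        requests[(ip, minute)] += 1
        if status == "404":
            not_found[(ip, minute)] += 1
        if ip in violations:
            continue  # only the first violation per IP is reported
        if not_found[(ip, minute)] > max_404:
            violations[ip] = (minute, "404s")
        elif requests[(ip, minute)] > max_req:
            violations[ip] = (minute, "requests")
    return violations

def sample_log():
    """Constructed sample lines: documentation-range IPs and made-up paths."""
    fmt = '{ip} - - [10/Mar/2024:12:{m:02d}:{s:02d} +0000] "GET /{p} HTTP/1.1" 404 512'
    lines = []
    for i in range(100):  # 100 not-found requests spread over 5 minutes (20 per minute)
        lines.append(fmt.format(ip="203.0.113.5", m=i // 20, s=(i % 20) * 3, p=f"old-{i}.php"))
    for i in range(100):  # 100 not-found requests inside a single minute
        lines.append(fmt.format(ip="198.51.100.7", m=10, s=i * 59 // 99, p=f"old-{i}.php"))
    lines.append("line that does not parse")
    return lines

if __name__ == "__main__":
    for ip, (minute, rule) in find_violations(sample_log()).items():
        print(f"{ip} exceeded the {rule} threshold during {minute}")
```

With the sample data, the IP that sends 100 not-found requests at 20 per minute never exceeds the 60-per-minute rule, while the one that sends them within a single minute does; passing a lower `max_404` shows how a stricter setting changes the result.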

  • The topic ‘Large number of attacks from the same IP’ is closed to new replies.