Legit Website Followers blocked (IP 255.255.255.255)

There might be something your host has changed that is changing how Wordfence sees visitors’ IP addresses. If you are using a reverse proxy (or if you’re not sure if you are or not), can you check the setting “How does Wordfence get IPs” on the Wordfence Options page?

I don’t remember if your version of Wordfence has it, but also on the options page, look for a link that says “Click to view your system’s configuration in a new window” near the bottom of the options. Click it, and scroll to the bottom of that (very long) page, and look for these two items in the last table:
_SERVER[“HTTP_X_FORWARDED_FOR”]
_SERVER[“HTTP_X_REAL_IP”]

If those appear, and have IP addresses other than 255.255.255.255, that will determine which option to set above.

Even if this fixes it, I still recommend getting WordPress and Wordfence updated to the latest versions as soon as you can, even if you need to find a developer to help. Eventually something on the site will stop working, and the site may not be safe from many attacks.

Thanks for the reply.

Under “How does Wordfence get IP’s” it says:

“Let Wordfence use the most secure method to get visitor IP addresses. Prevents spoofing and works with most sites.”

“If those appear, and have IP addresses other than 255.255.255.255, that will determine which option to set above.”

They do have different IPs. Not the 255 one.

So what do I do, I’m constantly being hammered with login requests from someone on this 255.255.255.255 address. I’m sure I get 50 failed login attempt emails from this person every day. I can’t ban the IP as other people end up getting affected.

When I look under live traffic I see lots of other IP addresses.

Ok, in your Wordfence Options, for “How does Wordfence get IPs”, you’ll need to choose one of these options:

If you use CloudFlare, choose the last option, which says “CF-Connecting-IP”

If you don’t use CloudFlare, choose the one that says “X-Real-IP”.

Then check your Live Traffic, and see if visits have the correct IP. The fastest way to check is to visit from another browser where you’re not logged into WordPress — that visit should have your IP address. (If you’re not sure what your public IP is, you can google “my ip” to verify it.)

I do use Cloudflare. I tried both and refreshed the live traffic each time. Same thing, most IP’s show but still some 255’s.

See screenshots:

CF-Connecting: https://www.dropbox.com/s/dyd5lvdeu1pxa63/Screenshot%202015-07-29%2008.12.57.png?dl=0

X-Real-Ip: https://www.dropbox.com/s/og4cuh8472735kt/Screenshot%202015-07-29%2008.16.07.png?dl=0

Here’s the login attempts: https://www.dropbox.com/s/rinc6cs9k9vlp0h/Screenshot%202015-07-29%2009.41.41.png?dl=0

Ok, it sounds like the only solution is to update WordPress and Wordfence. The dev team mentioned that this could be caused by traffic from IPv6 addresses, which were not supported by the old version of Wordfence that you are using.

WordPress 3.6.1 also has known vulnerabilities, so it really is critical to update — even if you need to pay a developer/designer to fix the site layout and such, it will probably not cost as much as trying to recover after the site is compromised.

Upgrading WordPress is not an option at this time.

Is there any version of Wordfence above what I have that you think may work with 3.6.1 or is guaranteed to not work?

I’m sorry, but updating is really the only safe option. A newer version of Wordfence might seem to work, but still cannot protect an old version of WordPress correctly.

I appreciate the information. Just to let you know I did fix the problem.

Here’s what I did. As you suggested I kept: “CF-Connecting” then on Cloudflare I enabled “Pseudo IPv4” and selected “Overwrite headers”.

That says it adds an IPv4 header to requests when a client is using IPv6, but the server only supports IPv4.

So now I see everyone with a unique address. Am I safe to ban these offending IP addresses now? Just want to ask since I’m not really super familiar with this IPv4, IPv6, Pseudo IPv4 stuff.

I’m not familiar with CloudFlare’s pseudo-IPv4. Since there are many more possible IPv6 addresses, they can’t make a unique IPv4 address for every possible visitor, so you might still have other real visitors blocked by blocking certain IP addresses. Remember that even if you can ban them, there are other security risks from running old software — I hope you can get everything updated soon!