• Resolved nakotsu

    (@nakotsu)


    Hello, I receive a lot of e-mails with the subject [Wordfence Alert] https://www.website.com Increased Attack Rate (27 in 24h). It worries me; is there anything I can do? Thank you very much.

    This email was sent from your website "website" by the Wordfence plugin at Tuesday 4th of January 2022 at 10:14:15 AM
    The Wordfence administrative URL for this site is: https://www.website.com/wp-admin/admin.php?page=Wordfence
    The Wordfence Web Application Firewall has blocked 126 attacks over the last 10 minutes. Below is a sample of these recent attacks:
    janvier 4, 2022 9:07   51.68.11.199 (France)     Blocked for LFI: Local File Inclusion in POST body: 0 = /home/user/www/wp-content/cache/min/3rd-party/www.googletagmanager.com-gtag-js
    janvier 4, 2022 9:07   51.68.11.199 (France)     Blocked for LFI: Local File Inclusion in POST body: 0 = /home/user/www/wp-content/cache/min/3rd-party/www.googletagmanager.com-gtag-js
    janvier 4, 2022 9:07   51.68.11.199 (France)     Blocked for LFI: Local File Inclusion in POST body: 0 = /home/user/www/wp-content/cache/min/3rd-party/www.googletagmanager.com-gtag-js
    janvier 4, 2022 9:07   51.68.11.199 (France)     Blocked for LFI: Local File Inclusion in POST body: 0 = /home/user/www/wp-content/cache/min/3rd-party/www.googletagmanager.com-gtag-js
    janvier 4, 2022 9:07   51.68.11.199 (France)     Blocked for LFI: Local File Inclusion in POST body: 0 = /home/user/www/wp-content/cache/min/3rd-party/www.googletagmanager.com-gtag-js
    janvier 4, 2022 9:07   51.68.11.199 (France)     Blocked for LFI: Local File Inclusion in POST body: 0 = /home/user/www/wp-content/cache/min/3rd-party/www.googletagmanager.com-gtag-js
    janvier 4, 2022 9:07   51.68.11.199 (France)     Blocked for LFI: Local File Inclusion in POST body: 0 = /home/user/www/wp-content/cache/min/3rd-party/www.googletagmanager.com-gtag-js
    janvier 4, 2022 9:07   51.68.11.199 (France)     Blocked for LFI: Local File Inclusion in POST body: 0 = /home/user/www/wp-content/cache/min/3rd-party/www.googletagmanager.com-gtag-js
    janvier 4, 2022 9:07   51.68.11.199 (France)     Blocked for LFI: Local File Inclusion in POST body: 0 = /home/user/www/wp-content/cache/min/3rd-party/www.googletagmanager.com-gtag-js
    janvier 4, 2022 9:07   51.68.11.199 (France)     Blocked for LFI: Local File Inclusion in POST body: 0 = /home/user/www/wp-content/cache/min/3rd-party/www.googletagmanager.com-gtag-js
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @nakotsu,

    To begin with, I would check the following settings:

    If you have the latest version of Wordfence installed then please open the “All Options” page and use the “EXPAND ALL” button to expand all sections.

    1) Set up email alerts in the “Email Alert Preferences” section to receive important notifications about your site security. If Wordfence finds any issues with your overall site security then you will receive an email alert.

    2) In the “Basic Firewall Options” section we recommend the firewall “Protection Level” is set to “Extended Protection” and the “Firewall Status” is set to “Enabled and Protecting”. If the “Protection Level” says “Basic WordPress Protection” then you will see a notification at the top of Wordfence admin pages asking you to optimize the firewall. Once the firewall has been optimized then the “Protection Level” will say “Extended Protection”.

    https://www.wordfence.com/help/firewall/optimizing-the-firewall/

    If the “Firewall Status” is set to “Learning Mode” it is important to understand that the firewall rules aren’t protecting your site so please read about “Learning Mode” here:

    https://www.wordfence.com/help/firewall/learning-mode/

    However, other Wordfence protection mechanisms such as the “Brute Force Protection” rules will still be active in “Learning Mode”.

    3) Make sure that Wordfence is correctly detecting visitor IP addresses. In the “General Wordfence Options” section, where it shows an IP address for “Your IP with this setting”, make sure this IP address matches your IP address using this link below (note that this detection is not 100% accurate on cellular phone network connections):

    https://whatismyipaddress.com/

    https://www.wordfence.com/help/dashboard/options/#get-ips

    4) Configure the “Brute Force Protection” rules as per our recommended settings here:

    https://www.wordfence.com/help/firewall/brute-force/

    5) Ensure that Wordfence scans are scheduled. Also set the “Standard Scan” option. Run a manual scan on the Scan page to make sure the scan completes.

    6) Set up two-factor authentication for your phone on the “Login Security” page.

    https://www.wordfence.com/help/tools/two-factor-authentication/

    Unfortunately, you have removed your actual domain name so I can’t see if the IP address is for your hosting server.

    It looks like the blocks might be for the WP Rocket plugin if you use that plugin. You can run the firewall in “Learning Mode” for a short while to try and catch all of the likely WP Rocket plugin requests.

    You can also add your server IP address to the Wordfence option “Allowlisted IP addresses that bypass all rules” if you have a virtual private server or a dedicated server. It is not recommended to do this on a shared server otherwise any hacked sites on the server can attack your site and bypass all Wordfence protection.

    Thread Starter nakotsu

    (@nakotsu)

    Hello @wfphil, thank you very much for your quick reply.

    Unfortunately, the site owner doesn’t want his domain to appear on the forum…
    All my firewall options are set to 100%. Same for the scan page.
    I have also already set up two-factor authentication.
    The IP address matches between “Your IP with this setting” and the link you gave me.
    But it doesn’t match the IP 51.68.11.199 that I have in my email; is that normal?
    Indeed, I use the WP Rocket plugin, so I will try Learning Mode after reading some topics about it.
    Thank you very much!

    PS: sorry for my English, I hope it is understandable.

    Plugin Support wfphil

    (@wfphil)

    Hi @nakotsu

    Thank you for the update.

    The IP address 51.68.11.199 should be your hosting server IP address. You can find it on the line “Connecting back to this site” in the “Connectivity” section on the Wordfence Tools >> Diagnostics page.
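
An added example, not part of the thread and not Wordfence code: a small triage script that parses the sample lines of an alert e-mail like the one quoted above and separates blocks coming from the site's own server IP and pointing into its own `wp-content` directory from blocks coming from other addresses. The server IP and site root are values the operator supplies (assumed here to be the ones visible in the thread); the last sample line and the verdict names are constructed for illustration.

```python
import re
from collections import Counter

# Layout of one sample line in the alert e-mail quoted in the thread.
LINE = re.compile(
    r"^(?P<when>.+?)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\((?P<country>[^)]*)\)\s+"
    r"Blocked for (?P<rule>.+?) in (?P<where>.+?): (?P<param>.+?) = (?P<value>.*)$"
)

def parse(body):
    """Yield one dict per sample line; lines that do not fit the layout are skipped."""
    for raw in body.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def verdict(hit, server_ip, site_root):
    """Classify one blocked request relative to the site's own server."""
    if hit["ip"] != server_ip:
        return "external"
    # Same IP as the server: a local path under the site's own wp-content
    # points at the site's own plugins (e.g. a cache plugin) calling back.
    if hit["value"].startswith(site_root.rstrip("/") + "/wp-content/"):
        return "self-request"
    return "own-ip-other"

def triage(body, server_ip, site_root):
    """Count blocks per (ip, rule, verdict) so repeated lines collapse."""
    return Counter(
        (h["ip"], h["rule"], verdict(h, server_ip, site_root)) for h in parse(body)
    )

# Line quoted in the thread (repeated below), then one constructed line
# from a documentation-range IP with an invented parameter and value.
THREAD_LINE = (
    "janvier 4, 2022 9:07   51.68.11.199 (France)     Blocked for LFI: "
    "Local File Inclusion in POST body: 0 = /home/user/www/wp-content/"
    "cache/min/3rd-party/www.googletagmanager.com-gtag-js"
)
CONSTRUCTED_LINE = (
    "janvier 4, 2022 9:08   203.0.113.7 (United States)     Blocked for LFI: "
    "Local File Inclusion in POST body: file = ../../example.txt"
)
SAMPLE = "\n".join([THREAD_LINE] * 3 + [CONSTRUCTED_LINE])

if __name__ == "__main__":
    result = triage(SAMPLE, "51.68.11.199", "/home/user/www")
    for (ip, rule, kind), n in result.most_common():
        print(f"{n:3d}  {ip:15s}  {kind:13s}  {rule}")
```

A "self-request" verdict is a hint rather than proof: on a shared server the same IP also covers other sites, which is why the reply above advises against allowlisting it there.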

  • The topic ‘Lot of e-mail increased attack rate’ is closed to new replies.