• Resolved solventweb

    (@solventweb)


    Hi there. Thanks for a great plugin!

    Today one of my client sites was the target of an attack that seemed to be almost exclusively focused on SQL injection. I was alerted to this by your plugin sending me ~100 “Increased Attack Rate” emails.

    I was surprised to see that the IP addresses of the attacker were often repeats. I have All Options > Rate Limiting > How long is an IP address blocked when it breaks a rule set to 12 hours. But the attacking IPs never appeared as blocked under Firewall > Blocking. Am I misunderstanding something?

    FYI this attack was causing very high server load. I had to use .htaccess to manually block the offending IP ranges in order for the site to be usable. I’d rather this kind of blocking be automated if possible.

    Any help you can provide is appreciated.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support wfscott

    (@wfscott)

    Hello, @solventweb

    Blocks made for the rules in the Rules subsection (in Wordfence > Firewall > All Firewall Options > Advanced Firewall Options) do not have a block time and are unaffected by How long is an IP address blocked when it breaks a rule in the Rate Limiting section. Wordfence blocks the request each time it sees a malicious request that breaks a rule. We generally do not recommend long-term blocking and the firewall will block malicious requests as they are seen as malicious, and once they are not, the hits from the IP will be allowed on the site. IPs can change frequently and an IP that is sending malicious attempts today, may not shortly after.

    If there are IPs that are hitting the site frequently, you can consider blocking them via Wordfence > Firewall > Blocking, however, it is not typically necessary. https://www.wordfence.com/help/blocking/#ip-address

    Thanks,
    Scott

    Thread Starter solventweb

    (@solventweb)

    Hi @wfscott ,

    Thanks for your response! I understand that IPs change frequently so I’m not looking for a permanent block. However, if an IP address makes several malicious requests within a short period, I would like to automatically apply a temporary block (similar to your brute force protection).

    Frankly, I’m surprised to learn your plugin doesn’t work that way by default. Is there any way that your free plugin can be configured to accomplish that? Is this a feature of your premium plugin?

    FYI in the case of this particular attack, the VPS was completely bogged down with malicious requests. Going forward, I’d prefer not to have to manually block offending IPs just to keep a site available.

    Again, any help or advice is appreciated!

    Plugin Support wfscott

    (@wfscott)

    Thanks for getting back, @solventweb

    We cannot discuss Premium features here unfortunately, so feel free to reach out via presales at wordfence dot com if you’d like to discuss those. You can reference this post here and we’ll be happy to help.

    The best option would be Rate Limiting via the free plugin which it sounds like you may have set up already. We have a guide here with our recommendations: https://www.wordfence.com/help/firewall/rate-limiting/

    If any IPs hit the site more than what you have set there, they will be blocked for the time set in Rate Limiting (if you have the option set to Block rather than Throttle).

    As far as the firewall blocking malicious hits, blocking IPs for a long period each time there is a potentially malicious request could result in false-positive blocking and blocking legitimate site users. Blocking the hits as they come in and as they are determined to be malicious hits is the method we use currently. If the site is being overloaded in general, such as a DDoS-style attack, you may need to consider a service that has features more directly related to that sort of attack.

    If you see certain IPs hitting the site, you can check those in Live Traffic (Wordfence > Tools > Live Traffic > Show Advanced Filters > Filter Traffic.. > IP = enter the IP in the field and click enter) and then use the Block IP button for the entry you see that you want to block. That option will block the IP for the amount of time you have set in the Rate Limiting area for when an IP breaks a rule.

    Thanks,
    Scott

    Thread Starter solventweb

    (@solventweb)

    Thanks @wfscott. I’ll reach out at the email address you suggested.
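The behaviour asked for in this thread (a temporary block once an IP sends several malicious requests within a short period) can be sketched as follows. This is an added example, not code from the thread and not Wordfence's implementation; the event format, the threshold of 5 requests in 60 seconds and all function names are assumptions, and only the 12-hour duration comes from the original post.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy, not Wordfence settings: 5 rejected requests within 60 s
# trigger a block; 12 h is the block duration quoted in the thread.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)
BLOCK_FOR = timedelta(hours=12)

# Constructed sample of (time, client IP) for requests a firewall rule rejected.
# Addresses come from the RFC 5737 documentation ranges.
BASE = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = (
    [(BASE + timedelta(seconds=2 * i), "203.0.113.7") for i in range(6)]      # burst
    + [(BASE + timedelta(minutes=5 * i), "198.51.100.23") for i in range(3)]  # sporadic
)

def temporary_blocks(events, threshold=THRESHOLD, window=WINDOW, block_for=BLOCK_FOR):
    """Return {ip: expiry} for IPs with `threshold` rejected requests inside `window`."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    blocked_until = {}
    for ts, ip in sorted(events):
        if blocked_until.get(ip, datetime.min) > ts:
            continue              # already blocked, the request never reaches the site
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # forget hits older than the window
        if len(hits) >= threshold:
            blocked_until[ip] = ts + block_for
            hits.clear()
    return blocked_until

def active_blocks(blocked_until, now):
    """IPs whose temporary block has not expired at `now`."""
    return sorted(ip for ip, until in blocked_until.items() if until > now)

def htaccess_rules(ips):
    """Apache 2.4 deny rules for the active blocks (the manual step in the thread)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    return "\n".join(lines + ["</RequireAll>"])

if __name__ == "__main__":
    blocks = temporary_blocks(SAMPLE_EVENTS)
    print(htaccess_rules(active_blocks(blocks, BASE + timedelta(hours=1))))
```

The sporadic address is never blocked, which reflects the false-positive concern raised in the support reply: only a burst inside the window earns a block, and that block expires on its own.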
