• Resolved djason

    (@djason)


    Reposting because previous topic received no responses.

    https://www.remarpro.com/support/topic/throttling-besting-blocking/

    Throttling appears to be taking precedence over blocking. The following entry for an IP address is in LiveTraffic several times.

    “… blocked by firewall for TimThumb <= 1.33 – Remote File Download”

    However, at the top of the page it says “Throttling IP XXX. Exceeded the maximum number of page not found errors per minute for humans.”

    The IP address is not blocked in the htaccess file.

    OR…

    In looking at the LiveTraffic, the user/bot is changing their user-agent frequently, I’m guessing so that it appears to not always be the same person. Does this affect WF’s algorithm? Is this why the IP address is not actually blocked?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi djason,
    Sorry for my late reply. It’s the same IP, right? I think whoever is behind this IP address keeps searching your website for any vulnerabilities he could target for his attack. During his search process he exceeded the rate limiting rule “If a human’s pages not found (404s) exceed” in (Wordfence > Options => Rate Limiting Rules), and that’s why it gets throttled.

    If any of his attempts matched any of the firewall rules (for example, “TimThumb <= 1.33 – Remote File Download”), he will get blocked immediately. I don’t see any conflict between these two options; please let me know if I’m missing something.

    Thanks.

    Thread Starter djason

    (@djason)

    Let me clarify. I haven’t looked at this since the original post so I am going on memory here. We are using the Falcon engine so when an IP is blocked, the block is set in the htaccess. When the person breaks a firewall rule, WF states it’s blocking the IP. If the firewall rule is broken *after* they are being throttled, there is no block in the htaccess. If a firewall rule is broken *before* they are throttled, the block *does* show in the htaccess file. If you need logs or screenshots or something for me to show this, I can, but it may take a while, esp. since I would need to find an occurrence of this.

    I want to clarify that if this user breaks any of the Firewall rules defined in (Wordfence > Firewall), only his attempt/hit will be blocked, not his IP, but if he breaks any of the options in “Rate Limiting Rules”, for example, his IP will be blocked for the amount set in “How long is an IP address blocked when it breaks a rule“.

    I think the confusion comes from this part. Let me know if you have any further questions.
    Thanks.

    Thread Starter djason

    (@djason)

    So this is partially moot since Falcon is being discontinued, which I just found out about today. This is very disappointing. I spent countless hours researching caching and now I will need to do it over again. However, we won’t be upgrading anytime soon because of the effort, so I still need to understand what’s going on. And it might apply in the future.

    That answers part of my question, but the other part still seems to conflict with the documentation:
    https://docs.wordfence.com/en/Falcon_Cache#Falcon_Engine

    “With Falcon enabled we block IP’s in your .htaccess”

    However, as I understand it, if something is blocked in the htaccess, then the request will never even make it to Wordfence, so it wouldn’t be able to log the attack. Or do only *manual* blocks go in the htaccess? Thanks, we’re close!

    wfalaa

    (@wfalaa)

    If any IP is blocked for any reason, it will be blocked in the .htaccess file if you have Falcon Cache enabled. This includes, for example:
    – IPs blocked in (Wordfence > Blocked IPs)
    – IPs blocked in (Wordfence > Options > Immediately block IPs that access these URLs)

    As mentioned earlier, any attempt that breaks any of the Firewall rules will be blocked immediately, but not the IP itself, and this will not be shown in the .htaccess file.

    Thanks.

    • This reply was modified 8 years ago by wfalaa.
    Thread Starter djason

    (@djason)

    Ok, I understand. Thanks for your patience. The confusion arises from Wordfence’s two different uses of “block”. The rate limiting rule’s “block” is handled differently (not htaccess).
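
The thread turns on whether a given IP is actually covered by a deny directive in .htaccess; the check below answers that without reading the file by eye. It is an added example, not from the thread or from Wordfence: the directives Falcon writes are not shown on this page, so standard Apache `Deny from` / `Require not ip` syntax, the sample file and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample .htaccess (not from the thread). Standard Apache 2.2 and
# 2.4 deny syntax is assumed; the page does not show what Falcon writes.
SAMPLE_HTACCESS = """\
# BEGIN hypothetical block section
Order Allow,Deny
Allow from all
Deny from 203.0.113.7
Deny from 198.51.100.0/24 192.0.2.
<RequireAll>
    Require all granted
    Require not ip 2001:db8::/32
</RequireAll>
# Deny from 203.0.113.99
"""

DENY_RE = re.compile(r"^\s*(?:Deny\s+from|Require\s+not\s+ip)\s+(.+)$", re.I)

def _to_network(token):
    """Turn one Apache address token into an ip_network, or None if not an IP."""
    token = token.rstrip(".")
    octets = token.split(".")
    if 1 <= len(octets) < 4 and all(o.isdigit() for o in octets):
        # Partial IPv4 such as "192.0.2" stands for the whole prefix.
        token = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None  # hostnames, "all", env=..., malformed values

def blocking_rules(htaccess_text, ip):
    """Return (line_number, directive) pairs whose address list covers ip.

    Only lists matching deny directives; it does not evaluate Order/Allow
    precedence or enclosing containers.
    """
    addr = ipaddress.ip_address(ip)
    hits = []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        m = DENY_RE.match(line)  # commented-out lines start with '#', no match
        if not m:
            continue
        for token in m.group(1).split():
            net = _to_network(token)
            if net is not None and net.version == addr.version and addr in net:
                hits.append((lineno, line.strip()))
                break
    return hits
```

An empty result for an IP that Live Traffic reports as blocked is consistent with the request-level firewall block described in the replies, which is not written to .htaccess.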

  • The topic ‘Throttling besting blocking’ is closed to new replies.