• Hi there.

    A week ago my website was under attack, which brought down my site completely.
    The attack prompted me to install Wordfence.

    After installation, the attack lessened but it still brings my site down for a few hours every day. Currently xmlrpc.php is disabled so that my site can keep running.

    What Wordfence settings should be used? Can I enable xmlrpc.php again after changing the settings?

    Currently my settings are :

    Brute Force Protection
    Enforce strong passwords: Force admin to use strong password.
    Lock out after how many login failures : 5
    Lock out after how many forgot password attempt : 5
    Count failures over what time period : 1 day
    Amount of time a user is locked out : 60 Days
    The remaining boxes for this section are checked.

    Rate Limiting :
    Immediately block fake Google crawlers : this box is not checked.
    How should we treat Google’s crawlers : unlimited access.
    If anyone’s requests exceed 960 /mins then throttle it.
    If a crawler’s page views exceed 960 /mins then throttle it.
    If a crawler’s pages not found (404s) exceed 2240/min then throttle it.
    If a human’s page views exceed unlimited then throttle it.
    If a human’s pages not found (404s) exceed 120/min then throttle it.
    If 404s for known vulnerable URLs exceed 30/min then throttle it.
    How long is an IP address blocked when it breaks a rule : 1 Day.

    Thanks in advance for your help.

Viewing 10 replies - 1 through 10 (of 10 total)
  • Wow, that’s a bad attack. Am assuming by “attack” you mean the bots are using up all your bandwidth? I had a bad problem with that myself but have gotten it under control.

    First step is to country block. Get Wordfence Premium, not only will it country block but it will use their latest firewall settings, which is important, as well as blocking from an IP blacklist that Wordfence works with — very important. Second step is install a login URL obfuscation plugin, WP Hide Login works ok, though it can be bypassed by a determined hacker. Third step is determine if the attacks are from repeating IP numbers, if so manually block those IP numbers in your .htaccess. Fourth step is determine from your server error logs if you are being attacked on certain URLs, for example /website/register.php. Manually add those URLs to the “Immediately Block” list in Wordfence Options. Work on that list ’till you’ve got a few hundred URLs in there, and spend a few hours a week keeping the list updated. Lastly, adjust your settings so all your blocks last 48 hours or more.

    And yes of course permanently disable xmlrpc, it is horrible.

    Be sure to put your own IP into the “bypass all rules” dialog in Wordfence while you’re playing around. More, it’s worth having a VPN so you can do tests using a different IP number, for example try to attack your own website with a URL or IP you’ve blocked, so you can check how everything is working.

    If the problem persists, work with your ISP to configure your server firewall. If your ISP does not provide a server firewall you can work with, run don’t walk to a real ISP instead of a scam.

    You can also just buy more server bandwidth. In my opinion, it’s better to try and be lean on bandwidth and spend the money and time on defense, such as Wordfence Premium. If you just buy more bandwidth you’re simply paying to provide a playground for the criminals.

    There are of course other things to do, for example use super strict settings in your brute force protection, and the standard hard passwords that are around 14 characters long, letters and numbers, which will prevent the brute force attacks from ever actually working.

    After all that, fine tune your site’s front end bandwidth demands so when the bots do hit they have less of an impact. Gtmetrix.com is helpful for that.

    Forgot to add: Be sure not to use Wordfence settings that eat bandwidth, for example turn off Live Traffic, and temporarily uncheck most of the scan options, and with Premium Wordfence run scan only during your lowest traffic times.

    MTN

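Steps three and four of the reply above (spotting repeating IP numbers and repeatedly probed URLs) can be worked out from the web server's access log. The following is an added example, not part of the original thread: it assumes Apache common/combined log format, and the sample lines, the `min_hits` threshold and the function names are constructed for illustration. The generated block uses Apache 2.4 `Require not ip` syntax for `.htaccess`.

```python
import re
from collections import Counter

# Login-related endpoints discussed in the thread.
WATCHED = {"/xmlrpc.php", "/wp-login.php"}
# client IP, request target and status from a common/combined log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def _line(ip, method, path, status):
    return f'{ip} - - [01/Jan/2018:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 370'

# Constructed sample data (documentation-range IPs), not real traffic.
SAMPLE_LOG = (
    [_line("198.51.100.7", "POST", "/xmlrpc.php", 200)] * 4
    + [_line("203.0.113.9", "POST", "/wp-login.php?action=x", 200)] * 3
    + [_line("203.0.113.50", "GET", "/website/register.php", 404)] * 2
    + [_line("198.51.100.7", "GET", "/website/register.php", 404)]
    + [_line("192.0.2.44", "GET", "/", 200),
       _line("192.0.2.44", "GET", "/old-page", 404),
       "truncated or malformed line"]
)

def analyze(lines, min_hits=3):
    """Return (repeat_ips, probed_urls) seen at least min_hits times."""
    login_hits, not_found = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if path in WATCHED:
            login_hits[ip] += 1         # per-IP pressure on login endpoints
        elif status == "404":
            not_found[path] += 1        # URLs being probed that do not exist
    repeat_ips = sorted(ip for ip, n in login_hits.items() if n >= min_hits)
    probed_urls = sorted(p for p, n in not_found.items() if n >= min_hits)
    return repeat_ips, probed_urls

def htaccess_rules(ips):
    """Build an Apache 2.4 .htaccess block denying the given IPs."""
    body = "".join(f"    Require not ip {ip}\n" for ip in ips)
    return "<RequireAll>\n    Require all granted\n" + body + "</RequireAll>\n"

if __name__ == "__main__":
    ips, urls = analyze(SAMPLE_LOG)
    print(htaccess_rules(ips))
    print("Candidates for the 'Immediately Block' list:", urls)
```

Review the candidate lists before blocking anything, and keep your own IP out of them.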
    Thread Starter kuanju

    (@kuanju)

    Hi MTN

    Thanks for your speedy response and all the suggestions. That’s quite a lot of information for me to absorb. I think I need to take some time to implement them. It’s the first time I am dealing with this kind of issue.

    Are there any other things that I can do so that I can enable xmlrpc? Disabling it is affecting my traffic by at least 50%.

    Hi, sorry, I know nothing about xmlrpc except that it attracts criminals. I’m sure if you google it you can find all the ways to use it with reduced risk. Main thing, as you can see, running an actual functioning WordPress website, with actual legitimate traffic, is not child’s play, and getting worse all the time due to the rotting of plugins and increasing complexity of everything. Wordfence helps, but I wish WordPress would add a few basic native security features, especially login URL obfuscation. The Wordfence blog from a few days ago shows an enormous amount of attacks on the standard WordPress login URL. Those would gradually die out if the bots couldn’t find the login for most WordPress sites.

    MTN

    Plugin Support wfphil

    (@wfphil)

    Hello,

    May I ask please what error message does your website give you when it’s down?

    I will direct you to our documentation for the recommended firewall settings. Please read them carefully to make your decisions on what to block. The firewall options can be changed on the relevant tabs on the “Firewall” page:

    Rate Limiting Rules

    Login Security Options

    The XML-RPC API is automatically protected by the rules that you set in Wordfence “Login Security Options”.

    mountainguy2 alluded to the premium version of Wordfence but we are forbidden to discuss premium features in this forum.

    If you need any further assistance please feel free to ask.

    Kuanju, I also should have mentioned, if you’re working to reduce an “attack” set everything to block, don’t use throttling. It’s very confusing how throttling works, suffice it to say that in my experience if you are seeking to reduce bandwidth it’s better to just block, set those blocks to 48 hours, then pay attention to what’s being reported in the Wordfence “Blocked” page. If you have some way of getting a sense of your site’s real human use, perhaps the average number of comments a day, or ecommerce activity, you can get an intuitive sense of whether your blocking strategies are working, or resulting in too many false positives.

    What works super well for us is we make a customized “You are blocked” page, with clear information on how to contact us, in our case using Facebook messaging. That way our readers who are motivated, but blocked, have an easy way to get whitelisted. Sadly, Wordfence doesn’t have this as an option, it has to be done by the sweat of the brow, and every Wordfence update writes over the custom page. Hopefully that’ll change and Wordfence will have an option to use a customized block notification page.

    BTW, We are a medium traffic niche website, fully monetized and our full time job. So what I’m suggesting is real-world, not theory. Though what works for us, or someone else, might not work for you. Experiment.

    I’d again add that in my opinion shifting to Premium Wordfence is mandatory if you’re serious about all this. That’s of course all we can say here about the Premium version. For more information use the Wordfence.com website.

    MTN

    Thread Starter kuanju

    (@kuanju)

    @mtn

    Thank you very much mountain guy. It’s good to hear from someone who has experienced something similar and found a solution for it in a real-world setting. Your suggestions are very valuable. Thanks so much.

    Thread Starter kuanju

    (@kuanju)

    @phil

    Hi Phil. Thanks for the reply.

    I understand that the XML-RPC API is automatically protected by the rules that you set in Wordfence “Login Security Options”, but it looks like with my current settings, the website is still being attacked. Below are my settings. Am I not setting it right?

    Enforce strong passwords: Force admin to use strong password.
    Lock out after how many login failures : 5
    Lock out after how many forgot password attempt : 5
    Count failures over what time period : 1 day
    Amount of time a user is locked out : 60 Days
    The remaining boxes for this section are checked.

    ——————————–

    Please also see the error message below when the website is down:

    “Warning: mysqli_real_connect(): (42000/1203): User alwaystr_wp1 already has more than ‘max_user_connections’ active connections in /home/alwaystr/public_html/wp-includes/wp-db.php on line 1424

    Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in /home/alwaystr/public_html/wp-includes/wp-db.php on line 1454

    Warning: mysql_connect(): User alwaystr_wp1 already has more than ‘max_user_connections’ active connections in /home/alwaystr/public_html/wp-includes/wp-db.php on line 1454

    Error establishing a database connection
    This either means that the username and password information in your wp-config.php file is incorrect or we can’t contact the database server at localhost. This could mean your host’s database server is down.

    Are you sure you have the correct username and password?
    Are you sure that you have typed the correct hostname?
    Are you sure that the database server is running?
    If you’re unsure what these terms mean you should probably contact your host. If you still need help you can always visit the WordPress Support Forums .”

    Kuanju, not sure what you mean by being “attacked.” I thought you just meant you had too much traffic, due to bots, and your site couldn’t handle it. Your site will always be attacked, it’s a matter of figuring out ways to have the attackers use less bandwidth by blocking them early, before they actually “see” your website, and if that doesn’t work then you usually would need better hosting.

    If by “attacked” you mean your site is breached by a hack, then that’s a different story and you would need to restore from backup or seek professional help.

    MTN

    Thread Starter kuanju

    (@kuanju)

    @ Mountain Guy

    Yes by attack I meant too much traffic from bots. My site is not hacked.
    Thanks for your help.

    Plugin Support wfphil

    (@wfphil)

    Hello,

    Your settings for “Login Security Options” look fine to me.

    With regard to your database errors, you need to relay these to your hosting provider to investigate and resolve for you.

  • The topic ‘What is the Security Settings to Use for Wordfence when website is under attack’ is closed to new replies.