Whitelist localhost IP address

Hi @madcomm,

Thanks for reaching out to us.? Once you’re using LiteSpeed Cache, instead of allowlisting localhost, I recommend you keep an eye on Wordfence > Tools > Live Traffic to ensure that no legitimate requests from LiteSpeed Cache are being blocked.? LiteSpeed Cache shouldn’t require that the localhost IP be allowlisted in Wordfence’s WAF.

I also recommend double-checking your IP detection to ensure any IP addresses listed in Live Traffic are accurate.  You can double-check the settings at Wordfence > All Options > General Wordfence Options > How does Wordfence get IPs.  Reference the area under that section that says Detected IPs and Your IP with this setting. See if any of the options there, when picked, accurately reflect your IP (you can find your IP by visiting https://www.whatsmyip.org).  If one does, don’t forget to hit the SAVE CHANGES button in the top-right after you’re done.

Thanks,
Margaret

Thank you for your reply!

My IP address is detected and listed in Live Traffic and it lists in the How does Wordfence get IPs section.

1. In Live Traffic there are messages that display the following:
   An unknown location at IP 127.0.0.1 was blocked by firewall for Known malicious User-Agents at https://domainname.org/chosen.php?p=
   5/16/2024 12:53:01 PM (27 minutes ago)
   IP: 127.0.0.1 Hostname: localhost
   Human/Bot: Bot
   Do you recommend that I click ADD PARAM TO FIREWALL ALLOWLIST?
2. In the How does Wordfence get IPs section there’s a message to that lists my ID detected and an option to Edit trusted proxies.
   Or do you recommend that I add my IP address to Whitelist it within Wordfence?

Again, thank you for you assistance to make this work given that the issue is with the security plugin Wordfence.

Hi @madcomm,

Thanks for following up.? Unless chosen.php is a file you expect to be accessed on your server, I don’t believe the Live Traffic entry you’ve posted is a legitimate request and I’d advise against adding it to the firewall allowlist. I would also advise against allowlisting your own IP unless you’re on a static IP address.

We’ve seen a few cases recently where customers haven’t changed their Wordfence settings but are seeing blocks on 127.0.0.1 in the Live Traffic entries. Not all customers are seeing connections from this IP, so we’re looking into the possibility of server configuration, hosts, plugins or server software/firewalls recently being updated or having their settings changed.

It would assist us to see access logs and diganostics from around the time some more of these 127.0.0.1 entries are seen. You can send any access log exports and a downloaded diagnostic TXT from Wordfence > Tools > Diagnostics to wftest @ wordfence . com. Just make sure to put your forum username in the subject line and let us know here when you’ve sent them so we can take a look.

Thanks,
Margaret

Hi @madcomm,

Almost all of the hits from 127.0.0.1 in other logs we’ve seen appear to be probing, except for some generic hits like hitting the homepage, which may also be bots. We don’t think they’re all the same source, as there are different User-Agents involved.

As the web server log shows the correct IP address for normal hits and shows 127.0.0.1 for hits that appear malicious, we would recommend asking your host why the site seems to be getting these requests that appear to be malicious from 127.0.0.1. You can ask them to view your site’s access log as evidence to look at. The host might have more logging that will help find the issue, but they might not. To us, it looks like it could be an attacker on the same server, but when there are different User-Agents, it could still be a misconfiguration.

Let us know if you find out any more from them,
Margaret

Thank you. I’ll try the above.

Hi @madcomm,

I’ll keep this topic open. I will see your response here if you get anything from them. Let us know what you find out!

Thanks,
Margaret

Hi @madcomm,

As it’s been several weeks and we haven’t heard back, I’m going to mark this topic resolved. Please open a new topic if your host follows up with more information or if you need additional assistance!

Thanks,
Margaret