• Resolved dastafford

    (@dastafford)


    I have an unusual situation and wondered if someone from Wordfence could explain it for me.

    In the “Blocking” screen, I have an entry which shows that an IP Block was set up for a particular IP address.

    Block Type  : IP Block
    Detail      : [ip address in question ... see below]
    Rule Added  : August 12, 2023 12:42 am
    Reason      : Accessed a banned URL
    Expiration  : September 11, 2023 12:42 am
    Block Count : 28
    Last Attempt: August 15, 2023 9:53 am

    There are three things interesting about this entry.

    1. The IP address reported is the web server’s own address;
    2. When I check the wfhits table for records relating to that IP address, there are 7 records when I would expect 28 based on the above data;
    3. When I look at the URL that is recorded in the table, it says that it’s
      https://www.mydomain.com/

    The data shown in the wfhits table is

    id                 : 1075
    attackLogTime      : 1691774848.813782
    ctime              : 1691774848.767900
    IP                 : BLOB
    jsRun              : 0
    statusCode         : 503
    isGoogle           : 0
    userID             : 0
    newVisit           : 0
    URL                : https://www.mydomain.com/
    referer            : NULL
    UA                 : WordPress/6.3; https://www.mydomain.com
    action             : blocked:wordfence
    actionDescription  : Accessed a banned URL
    actionData         : {\"learningMode\":0,\"failedRules\":\"\",\"paramKey\":\"\",\"paramValue\":\"\",\"path\":\"Lw==\"}
    

    Some of the things I don’t understand are:

    1. What it is that is trying to access the web site from within the server? Is it Wordfence that’s doing this? Is it WordPress itself? Is it Google’s Site Kit? None of the other plugins installed are likely candidates, as far as I can tell.

    2. Why would this have generated an IP Block? If it’s a 503 error, that’s “Service Unavailable”

    3. Why would the reason for that block be “Accessed a banned URL”?

    4. Where are the other 21 entries for this IP address?

    5. Of the 1169 rows in the wfhits table, 622 of them have status 503, which seems high. What causes WF to record an access attempt in the wfhits table?

    Thanks in advance.

  • Plugin Support wfscott

    (@wfscott)

    Hello, @dastafford

    Thanks for your patience.

    This block type, “Accessed a banned URL”, is due to a URL being hit that was entered into Wordfence > All Options > Firewall Options > Advanced Firewall Options > Immediately block IPs that access these URLs. I typically recommend using that sparingly, and only with URLs you are sure valid visitors or your server IP will not hit. To answer your second question, when a URL entered in that option is hit, it generates a 503 block.

    As for what it is that is trying to access the website from within the server, or whether it was Wordfence, another plugin, etc — it could be a number of different things (including other plugins) that originally got blocked if one of the entries entered into the Immediately block IPs that access these URLs option matched one of those hits. If the wfhits data has expired, it’s probably best to unblock the IP and check Live Traffic/wfhits if it gets blocked again to see what URL is causing the block. Alternately, if you have access logs, you can find hits around the time of the block record on August 12, 2023 12:42 am to see the URL that was first hit.

    The difference you’re seeing between the 7 hits in Live Traffic and 28 on the block record could be due to the “Amount of Live Traffic data to store” or “Maximum days to keep Live Traffic data” options (Wordfence > Tools > Live Traffic > Live Traffic Options) potentially being set lower than the defaults of 2000 records and 30 days, which would mean the older hits were removed from the wfhits table.

    For your last question regarding the wfhits table and what is stored there, the wfhits table stores the hits that are shown in Live Traffic. By default with the “Security Only” setting enabled in Live Traffic, wfhits will be mostly 503s, 403s, and successful or failed login/logout activity. If the setting is set to “All Traffic”, it will include other non-malicious hits as well. 503s can be all kinds of blocks by the plugin’s original features (including manual blocks and brute force protection), while 403s are generally the WAF rules (or IP blocklist).

    Thanks,
    Scott
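The triage Scott describes (work out which URL each wfhits row was blocked on, and whether the blocked "visitor" is the server talking to itself) as an added example; this is not code from either post or from Wordfence. It assumes rows exported from wfhits as dicts, the server address 203.0.113.10 as a placeholder, and that the base64 `path` field in actionData is the request path (the question's `Lw==` decodes to `/`).

```python
import base64
import json
from collections import Counter

# Constructed sample rows shaped like the wfhits columns quoted in the question.
# IPs are written as dotted text here; the real column is a binary BLOB.
SERVER_IP = "203.0.113.10"  # assumed web server address (placeholder)
SAMPLE_HITS = [
    {"IP": "203.0.113.10", "statusCode": 503, "UA": "WordPress/6.3; https://www.mydomain.com",
     "action": "blocked:wordfence", "actionDescription": "Accessed a banned URL",
     "actionData": '{"learningMode":0,"failedRules":"","paramKey":"","paramValue":"","path":"Lw=="}'},
    {"IP": "198.51.100.7", "statusCode": 403, "UA": "curl/8.0",
     "action": "blocked:waf", "actionDescription": "Blocked by firewall",
     "actionData": '{"path":"Lz94PTE="}'},
    {"IP": "198.51.100.7", "statusCode": 200, "UA": "Mozilla/5.0",
     "action": "", "actionDescription": "", "actionData": "not json"},
]

def decode_path(action_data):
    """Return the request path that actionData stores base64-encoded, or None."""
    try:
        return base64.b64decode(json.loads(action_data)["path"]).decode("utf-8") or None
    except (ValueError, KeyError, TypeError):
        return None

def classify_status(code):
    """Map a status code to the block family described in the reply above."""
    return {503: "plugin-block", 403: "waf-or-blocklist"}.get(code, "not-a-block")

def triage(hits, server_ip):
    """Summarise wfhits rows per IP: row count, block families, decoded paths,
    and whether the traffic looks like the server requesting its own site."""
    summary = {}
    for hit in hits:
        entry = summary.setdefault(hit["IP"], {
            "rows": 0, "families": Counter(), "paths": set(),
            "is_server_ip": hit["IP"] == server_ip, "wp_loopback_ua": False,
        })
        entry["rows"] += 1
        entry["families"][classify_status(hit["statusCode"])] += 1
        path = decode_path(hit["actionData"])
        if path:
            entry["paths"].add(path)
        # "WordPress/<version>; <site url>" is the user agent WordPress itself
        # sends on HTTP requests, including loopback requests to its own site.
        if hit["UA"].startswith("WordPress/"):
            entry["wp_loopback_ua"] = True
    return summary
```

An IP entry with `is_server_ip` and `wp_loopback_ua` both true and a decoded path of `/` is the pattern in the question: the site's own loopback request matching a banned-URL rule, not an outside attacker.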

  • The topic ‘Wordfence Blocking and WFHits Table’ is closed to new replies.