Wordfence Blocking Valid Users (False Positives)

  • Resolved Hannah

    (@hdev28272671)


    3 years, 7 months ago

    Hello, Wordfence blocked a valid user trying to login on his first try. They were trying to login to make a purchase and donation. This is a false positive block.

    We have no idea why Wordfence blocked this user. I cannot get the Live Traffic feed to filter by date for some reason, and there are hundreds of entries in the Live Traffic feed, so having a hard time getting more information about exactly why this user was blocked.

    We are having the exact same issue as described in the first part of Wordfence blocking visitors doing nothing wrong! – a 503 server status code given to the blocked user.

    WordPress: 5.7.1
    WordFence: 7.5.2

    Brute force rules are set to 10 requests / 5 mins, but the visitor only tried to login once and got insta-blocked.

    Please me know which follow-up information that you would like to see, and I will post it in the replies.

    The page I need help with: [log in to see the link]

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @hdev28272671 and thanks for reaching out to us!

    This was a new user or an existing user on the site? Do they have 2FA enabled?

    The Live Traffic would be perfect to figure out what happened. If your site receives a lot of traffic though, the default Live Traffic settings might not be large enough to hold many days of traffic.

    It would be best to ask the user for their IP address to search in your Live Traffic, if you could have them try to log in again, this will give you an up-to-date traffic log. Once you see the block in Live Traffic, click on it to expand it, then screenshot it for me to review. Make sure to block out any sensitive data like IP address.

    Thanks again!

    Thread Starter Hannah

    (@hdev28272671)

    Hi @wfadam! Thanks for responding.

    This was a new user or an existing user on the site?

    It was a new user.

    Do they have 2FA enabled?

    No, new user.

    … ask the user for their IP address to search in your Live Traffic

    I found their IP address by looking at the failed logins list. I copied and pasted the IP address to the Live Traffic advanced filter; however, no entries were returned: “No requests to report yet.”. I did make sure that there were no trailing spaces.

    https://postimg.cc/KKsJWV5F

    Does this maybe sound like a pwned email + password?

    What can we try next?

    • This reply was modified 3 years, 7 months ago by Hannah. Reason: add @
    Plugin Support WFAdam

    (@wfadam)

    It is strange that the user is being dealt a 503 response code when you’re not seeing the hits in your Live Traffic. Wordfence would log everything in the Live Traffic, especially if it’s handing out a block response code.

    This makes me think that maybe something is cached on the user’s end. Are they the only user experiencing this issue?

    Have them try from a different browser as a test.

    Thanks again!

    Thread Starter Hannah

    (@hdev28272671)

    Thanks Adam. This is the first time that this has happened. FYI, they were using Internet Explorer as their browser.

    Plugin Support WFAdam

    (@wfadam)

    Did that resolve the issue?

    Thanks again!

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Wordfence Blocking Valid Users (False Positives)’ is closed to new replies.