Wordfence Security
[resolved] Feature request: hostname blocking (4 posts)

  1. mengsel
    Member
    Posted 4 months ago #

    I see a lot of failed login attempts by what I assume are botnets, trying to break in with a non-existent 'admin' username. Through the noise of all the failed (and locked out) attempts, I often can discern certain groups of hostnames that seem to be hijacked en masse. For example, we've seen a load of malicious traffic pumped through vpn999.com's network, which made it easy for us to slice away a large chunk of interference by blocking their entire network from accessing the site.

    Unfortunately, WordFence does not allow blocking based on hostname. I'd like to request that feature in a future version. That way I don't have to work with multiple blocking plugins. Right now, I'm using 'WP-Ban' on the side for hostname-based blocking, but I'd like to decrease plugin clutter and this seems like a realistic reason.

    If I am so lucky to discover this new feature in a next WF update, many thanks in advance =)

    https://wordpress.org/plugins/wordfence/

  2. Wordfence
    Member
    Plugin Author

    Posted 4 months ago #

    Please visit the following file in the source code of WP-Ban:

    https://plugins.trac.wordpress.org/browser/wp-ban/trunk/wp-ban.php

    Scroll down to line 181.

    See where it calls gethostbyaddr()

    That does a DNS lookup on EVERY visit to your site if the IP has not already been banned. It will slow your site down to a crawl and you won't see an increase in CPU, disk or memory usage and you'll wonder why.

    That is why we don't block by hostname.

    Instead we offer blocking by IP range and give you a way to look up the IP range of a particular hosting provider using the WHOIS function built into Wordfence. The integration lets you do this with a few clicks.

    To find out more about how gethostbyaddr() slows down your site see the PHP documentation here:

    http://www.php.net/manual/en/function.gethostbyaddr.php (do a search for the word 'slow' without quotes)

    And here's a google search:

    https://www.google.com/search?q=gethostbyaddr+slow

    Now do me a favor and go out and spread the word that gethostbyaddr() is VERY BAD™ and anyone using it on a production website should be tarred, feathered and woken up at 4am to the sound of The Scorpions "Rock you like a hurricane" blaring through cheap headphones.

    Regards,

    Mark.
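
An added example (not from the thread, and not Wordfence's or WP-Ban's code) of the approach the reply above describes: the visitor's IP is compared against stored ranges with plain byte operations, so no DNS lookup happens per request. The function names and the ranges, which use documentation-only addresses, are assumptions.

```php
<?php
// Constructed block list (RFC 5737 / RFC 3849 documentation ranges).
// Real entries would come from a WHOIS lookup of the offending network.
const BLOCKED_RANGES = [
    '192.0.2.0/24',
    '198.51.100.128/25',
    '2001:db8:abcd::/48',
];

// True if $ip lies inside $cidr. Handles IPv4 and IPv6; no DNS involved.
function ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return false;
    }
    [$net, $prefix] = explode('/', $cidr, 2);
    if (!filter_var($ip, FILTER_VALIDATE_IP)
        || !filter_var($net, FILTER_VALIDATE_IP)
        || !ctype_digit($prefix)) {
        return false;                       // malformed input never matches
    }
    $ipBin  = inet_pton($ip);               // 4 bytes (v4) or 16 bytes (v6)
    $netBin = inet_pton($net);
    $bits   = (int) $prefix;
    if (strlen($ipBin) !== strlen($netBin) || $bits > strlen($netBin) * 8) {
        return false;                       // family mismatch or bad prefix
    }
    $fullBytes = intdiv($bits, 8);
    $remBits   = $bits % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;                       // whole-byte part of prefix differs
    }
    if ($remBits === 0) {
        return true;
    }
    // Compare only the leading bits of the first partially covered byte.
    $mask = (0xFF << (8 - $remBits)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// A provider with several unrelated networks is just several list entries.
function is_blocked(string $ip, array $ranges = BLOCKED_RANGES): bool
{
    foreach ($ranges as $cidr) {
        if (ip_in_cidr($ip, $cidr)) { return true; }
    }
    return false;
}

foreach (['192.0.2.77', '198.51.100.5', '198.51.100.200', '2001:db8:abcd:12::1', '203.0.113.9'] as $ip) {
    printf("%-22s %s\n", $ip, is_blocked($ip) ? 'blocked' : 'allowed');
}
```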

  3. mengsel
    Member
    Posted 4 months ago #

    Hi Mark,

    Thanks for the advice. Good to know, I wasn't aware of the toll it took on the server. I've figured out the feature to block IP ranges based on WHOIS searches on single IPs. Great feature, I've moved all the blocked hostnames out of WP Ban into WordFence blocking by IP range. Works fine!

    I have also purchased tar, feathers and cheap headphones, ready for the shitstorm to come. That being said, perhaps it might be a good idea to more prominently feature this functionality -- or maybe even streamline the process in WordFence to make it more accessible for less knowledgeable users.

    But again, thanks a lot for the advice!

  4. mengsel
    Member
    Posted 4 months ago #

    On a related note, please advise... How do I deal with large or very diverse IP ranges that fall under the same hostname?

    For example, I've found a network through your IP WHOIS search that falls under GoDaddy's webhosting services, of which a small part appears to present itself under a hostname called 'secureserver.net'. Another network with a completely different IP identifies with the same hostname. IP addresses in both ranges have been blocked for malicious activity.

    How do I make sure no other attacks can originate from secureserver.net?

    __

    On an unrelated note -- is there a way to customize the 'blocked'-message in WordFence?
