• We have rate limiting for 404s turned on and have it set to block. Wordfence will send us an email when it blocks an IP address. When we get a string of 404s from an IP address and Wordfence starts blocking, it’s not uncommon for it to send something like 12 emails within less than 1 minute alerting us of it blocking it (all for the same IP address on the same website).

    Is that normal? I’d expect just one email alerting us of the block, not several in rapid succession. Or are we going to have to turn off the Wordfence block emails altogether to avoid issues?

    The problem we run into is our email sender (Amazon SES) sees that as suspicious and blocks sending to the destination address we use for Wordfence emails.

    Thanks for any insight.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @kratosgemini, thank you for your question.

    If you don’t feel like you need to know about blocks immediately because you’ll manually review them in Live Traffic periodically but you have quite strict settings, you can simply disable Wordfence > All Options > Email Alert Preferences > Alert when an IP address is blocked. You can also make other changes there like changing severity level of the scan results you’re interested in.

    There is an option there to limit the amount of emails sent per hour, but note that will just provide a hard cut-off so you may miss other types of email if you’re receiving a high quantity of blocks.

    If disabling the emails altogether isn’t your aim, I would consider throttling instead of blocking and lengthening the amount of time an IP is unable to access the site. In your Rate Limiting settings, choose throttle from the second dropdown on each appropriate row. Throttling is generally better than blocking because any good search engine understands what has happened if it is mistakenly blocked and your site isn’t penalized because of it: My Rate Limiting settings.

    IPs will be blocked for the amount of time specified in “Amount of time a user is locked out” in the Brute Force settings or “How long is an IP address blocked when it breaks a rule” in the Rate Limiting settings depending on the rule that was broken. It’s fine to lengthen these to hours/days/month as you see fit.

    We generally recommend somewhere around 3-5 for login attempts and forgotten passwords in Wordfence > All Options > Brute Force Protection, counted over 4 hours, with a 30 minute lockout.

    I hope that helps you out!
    Peter.

    Thread Starter KratosGemini

    (@kratosgemini)

    Thank you for the detailed response, @wfpeter. I appreciate it.

    We choose to block rather than throttle 404s because an excessive amount of them almost certainly means a bot is scanning our site for files that don’t exist (usually looking for vulnerabilities) and therefore is malicious. Any normal crawler is not going to run into 404s consistently enough (if at all) to trigger the block.

    So that being said, one reason I started this is because I think there may be a bug in Wordfence. I don’t see the benefit in sending multiple emails repeatedly about the exact same block, especially while that block is in effect. But maybe I’m missing something.

    For now, I’ll disable those emails to avoid issues with our email sender.

    I do still have this question though: Is Wordfence intended to send a slew of duplicate emails whenever an IP address is blocked via the rate limiting?

    Thanks.

The topic ‘Wordfence sends many emails for same IP address being blocked’ is closed to new replies.
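
An added illustration, not part of the thread and not Wordfence's code: a small Python model of the two alert policies discussed above, the hourly email cap (a hard cut-off) and one alert per blocked IP while the block lasts. The event list, the cap of 10 and the 1800-second block duration are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (seconds since start, alert type, site, IP).
# 12 block alerts for one IP in under a minute, then one unrelated alert.
EVENTS = [(i * 4, "ip_blocked", "example.test", "203.0.113.7") for i in range(12)]
EVENTS.append((600, "scan_result", "example.test", None))


def hourly_cap(events, max_per_hour):
    """Hard cut-off: send until the cap for the current hour is reached."""
    sent, counts = [], defaultdict(int)
    for ev in events:
        hour = ev[0] // 3600
        if counts[hour] < max_per_hour:
            counts[hour] += 1
            sent.append(ev)
    return sent


def dedupe_blocks(events, block_seconds):
    """Send one alert per (type, site, IP) while that block is still in effect."""
    sent, suppressed, last_sent = [], defaultdict(int), {}
    for ev in events:
        ts, kind, site, ip = ev
        key = (kind, site, ip)
        # Only block alerts are collapsed; every other alert type passes through.
        if kind == "ip_blocked" and key in last_sent and ts - last_sent[key] < block_seconds:
            suppressed[key] += 1
            continue
        last_sent[key] = ts
        sent.append(ev)
    return sent, dict(suppressed)


if __name__ == "__main__":
    capped = hourly_cap(EVENTS, max_per_hour=10)
    deduped, dropped = dedupe_blocks(EVENTS, block_seconds=1800)
    print("hourly cap sent:", [e[1] for e in capped])
    print("dedupe sent:    ", [e[1] for e in deduped])
    print("suppressed duplicates:", dropped)
```

With the cap, the burst uses up the hour's allowance and the unrelated scan alert is never sent; with per-IP deduplication, one block alert and the scan alert go out.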