Hi @pdjp , thanks for reporting this, you’ve found a real issue worth fixing.
What’s happening: The rate limit block is working correctly (the IP gets a 429 response), but the problem is that each subsequent request from an already-blocked IP is still being logged. So if a bot keeps hitting your site after being blocked (which bots do, they don’t care about 429 responses), every single request generates a new log entry.
Temporary workaround: You can reduce the noise right now by lowering the log retention in Security Audit settings (e.g., set retention to 7 days and max entries to 5,000). You can also clear the current logs from the Security Audit tab. This won’t stop the duplicate logging but will keep your database under control.
I’ve already identified the exact method that needs improvement: blocked IPs from rate limiting should only be logged once, not on every request. I’ll include this fix in the next update asap.
Thanks again for catching this, really appreciate the feedback!
Fernando
Hello again @pdjp
I’ve just updated the plugin to v1.12.2, which fixes the issue.
Thank you again for the feedback 🙂
pdjp (@pdjp), thread starter:
Thx, great work. 🙂
But another question about this audit log: I set up “events to log” to User/Plugin/Theme changes only and thought that recent activity would show only things from these categories (because it’s called “events to log”). But why are Firewall warnings in this list? And is there a way to see who is blocked at the moment?
Also a cumulative block duration could be interesting. Like bots being blocked for 5min. And the next time for 30min. And so on. I think Wordfence does it that way.
About the firewall events showing in the audit log, this is actually by design. Firewall blocks, security events and settings changes are always logged regardless of the “Events to Log” checkboxes, because they’re critical security data that shouldn’t be silenced accidentally. There’s a note below the checkboxes explaining this, but I agree it’s easy to miss. I’ll make it more prominent in the next update.
Regarding seeing who’s currently blocked, login lockouts already show blocked IPs in the Login Security tab, but there’s no equivalent view for firewall rate-limit blocks. I’m adding a “Currently Blocked IPs” section to the Firewall tab for v1.13.0, with the ability to manually unblock.
And yes, progressive blocking for the firewall rate limiter is a great suggestion. We already have incremental lockouts in Login Security, so extending that logic to the firewall makes total sense too 🙂
So, coming in 1.13.0: first block = configured duration, then it doubles each time (5 min → 10 min → 20 min → etc.) up to a configurable maximum.
Thanks again for taking the time, this kind of feedback makes the plugin better for everyone.
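As an added illustration (not the plugin's own code) of the two behaviours discussed in this thread, the v1.12.2 fix of logging a rate-limit block only once per blocked IP, and the 1.13.0 progressive blocking that doubles the duration up to a configurable maximum: the class below keeps state in memory and takes the current time as a parameter so it runs stand-alone; the request threshold, window and IP address are constructed values, and the strike counter is assumed never to decay, which the thread does not specify.

```php
<?php
// Added example: progressive rate-limit blocking with "log once per block".
// State lives in arrays and the clock is injected (assumptions for a
// stand-alone demo); a real plugin would persist these in the database.
final class ProgressiveBlocker
{
    private array $blocks = [];  // ip => ['until' => ts, 'strikes' => n]
    private array $hits   = [];  // ip => [request timestamps in window]
    private array $log    = [];  // audit entries, exactly one per block event

    public function __construct(
        private int $baseSeconds   = 300,   // first block: 5 min
        private int $maxSeconds    = 3600,  // configurable cap on doubling
        private int $maxRequests   = 60,    // allowed requests per window
        private int $windowSeconds = 60
    ) {}

    /** Returns the HTTP status to send: 200 (allow) or 429 (blocked). */
    public function handleRequest(string $ip, int $now): int
    {
        // Already blocked: still answer 429, but do NOT write another log
        // entry. Bots keep hammering after a 429, so logging here would
        // flood the audit table (the original bug in this thread).
        if (isset($this->blocks[$ip]) && $this->blocks[$ip]['until'] > $now) {
            return 429;
        }
        $cutoff = $now - $this->windowSeconds;
        $this->hits[$ip] = array_values(array_filter(
            $this->hits[$ip] ?? [], fn(int $t) => $t > $cutoff));
        $this->hits[$ip][] = $now;
        if (count($this->hits[$ip]) > $this->maxRequests) {
            $this->block($ip, $now);
            return 429;
        }
        return 200;
    }

    private function block(string $ip, int $now): void
    {
        // Progressive duration: base * 2^(strikes-1), never above the cap.
        $strikes  = ($this->blocks[$ip]['strikes'] ?? 0) + 1;
        $duration = min($this->baseSeconds * (2 ** ($strikes - 1)), $this->maxSeconds);
        $this->blocks[$ip] = ['until' => $now + $duration, 'strikes' => $strikes];
        $this->hits[$ip]   = [];
        $this->log[] = sprintf('[%d] rate-limit block %s for %ds (strike %d)',
                               $now, $ip, $duration, $strikes);
    }

    /** "Currently Blocked IPs" view: ip => seconds remaining. */
    public function currentlyBlocked(int $now): array
    {
        $out = [];
        foreach ($this->blocks as $ip => $b) {
            if ($b['until'] > $now) { $out[$ip] = $b['until'] - $now; }
        }
        return $out;
    }

    public function unblock(string $ip): void { unset($this->blocks[$ip]); }
    public function auditLog(): array { return $this->log; }
}
```

Running it with a constructed bot that sends 70 requests in one second, keeps requesting while blocked, and returns after the block expires shows a single log line for the first block, a second line with a doubled duration for the second, and nothing in between.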
See recently updated v1.13.0 for your (great) ideas 😉
Thank you for the excellent rating!