In the Wordfence options, you should see a drop-down list for choosing how Wordfence determines IPs. If you use Cloudflare, there is an option for that specifically.
There are more details about the options here:
http://docs.wordfence.com/en/Wordfence_options#How_does_Wordfence_get_IPs
If you’re not sure which one to use, your hosting company should be able to tell you if you are behind a reverse proxy, and what kind it is. (If they can’t tell you which headers it uses like “X-Forwarded-For”, the name of the proxy might help someone on this forum tell you which option should be match.)
mwrusnak is correct
Make sure and use Cloudflare’s plugin as well if you use their service.
tim
Hi There,
Sorry to hijack the post, however I am facing the exact same problem except for the fact that I do not use Cloudflare for our website. Someone is attempting to login to our website with the username “admin” more than 10 times in 60 secs and every day we are locked out and have to reset options to get in. We run a high traffic ecommerce website called Imperial Swords http://www.imperialswords.com
All the attempts are from our website server IP Address. I am confused as to how we can address this issue. any help on this would be really appreciated ASAP.
Thanks in advance. Jeasy
The link “How does wordfence get IPs” (above) might still help. Are you running any other type of reverse proxy, such as Varnish?
I’m also not using Cloudflare, but will be getting in touch with my website hosting company to find out about the reverse proxy and then will try to adjust the WordFence settings as suggested by jeasysehgal. Would you recommend using Cloudflare to fix this issue?
Hi again, I have contacted my hosting company and am now waiting to hear back from them.
Mwrusnak, I just saw you wrote about using Varnish. My site is using this as a way of caching to speed up the site with it’s WordPress hosting package on Bluehost. Can you give me any advice to what settings I should use in the WordFence Options that would best suit Varnish?
@rosie_pb: I think the typical header for the actual client’s IP through Varnish is “X-Forwarded-For” (which you can select in the “How does Wordfence get IPs” option), but I don’t know for certain that Bluehost sets it up that way.
I would try that option, and then check the Live Traffic view to be sure it is working — even if you turned off live traffic, you should see recent logins, so if you log out and log back in, you should see your own IP. (If you’re not sure what your PC’s IP is, google “ip address”, and google should show an address in a box labeled “Your public IP address”.)
I haven’t used Cloudflare myself yet — I have heard good things about it, but in this case, it might make this issue more complicated if you’re already using Varnish.
Perfect. I just tried the X-Forwarded-For setting, logged in and out and my IP address was recorded in the Live Traffic.
I will keep an eye on this over the next few days but thank you for your help. It looks like we may have figured it out!
My website was hacked and now it’s all clean, cleared, all ok. My question is? Since or because it was hacked is there a black list ? I keep receiving emails from Wordfence stating that someone is trying to log in.
http://www.sunfunbvi.com
note:
The IP address has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username!
It keep happens in a daily basis and some days more than often. How can we can fix this, thank you for your advise.
In another note, because of the hacking, is that why Google is not crawling the website?
That’s probably not why google isn’t crawling the site. Normally, in google webmaster tools they give you a good indication of what is wrong.
Most of the time, attempts to login to your site are not attacks on you personally. Hackers write scripts that go out and try to login to sites, looking for the ones with default usernames or easy passwords, trying to get in. These scripts don’t sleep so it is a constant bother. If you head over to Wordfence.com and scroll down the page you’ll see an interactive mapthat shows the current attempts to login to sites in real time, like the image below. Currently there are 11,455 attacks happening every minute.
While it can be scary, I use it as a reminder to check my users’ passwords, see if I need to update anything like plugins or themes, and check my last scan and run a manual one if needed.
Make sure and check your login security options too. Are you giving hackers too many tries to guess a password? Are you locking them out for long enough when they exceed the number of tries? You might consider increasing the lockout period to one day, just for the duration of the current situation. Here’s what I use as my default setup.
http://postimg.org/image/idt8ska5f/
If you have any other questions, feel free to ask. We’re happy to help.
tim
