Support » Plugin: Wordfence Security - Firewall & Malware Scan » Am I Being Hack? Feel like being hacked…

  • Hey guy,

    I am very headache for the past few days, I realise my site resources being suck out from this IP: 181.224.158.20, average 1.6GB-1.8GB bandwidth daily from this IP. My own IP access to my site is 222.164.227.90 (dynamic ip), but the wordfence live traffic told me that the Login Attempts is 181.224.158.20 instead of 222.164.227.90.

    Below log while I am still in sleeping:
    Panama Panama visited http://www.xxx.com/wp-login.php?redirect_to=http%3A%2F%xxx.com%2Fwp-admin%2Fadmin.php%3Fpage%3Dw3tc_extensions&reauth…
    03/05/2017 06:31:43 (54 minutes ago) IP: 181.224.158.20 [block] Hostname: ip-181-224-158-20.siteground.com
    Browser: Firefox version 43.0 running on Win7
    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
    =========
    Panama Panama arrived from http://www.baidu.com/s?wd=www and visited http://www.xxx.com/wp-login.php?action=logout&_wpnonce=030a249598
    03/05/2017 06:30:49 (57 minutes ago) IP: 181.224.158.20 [block] Hostname: ip-181-224-158-20.siteground.com
    Browser: Firefox version 43.0 running on Win7
    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
    =========
    This log is I have logged into my site:
    Panama Panama left http://www.xxx.com/wp-login.php?redirect_to=http%3A%2F%2xxx.com%2Fwp-admin%2F&reauth=1 and logged in successfully as “adam”. http://www.xxx.com/wp-login.php
    03/05/2017 07:14:41 (12 minutes ago) IP: 181.224.158.20 [block] Hostname: ip-181-224-158-20.siteground.com
    Browser: Chrome version 57.0 running on MacOSX
    =========

    I tried to block the IP 181.224.158.20 but failed, wordfence told me that I cannot self block my own IP… I was surprised receive this msg, so I choose to block it via cPanel, however result show me that I cannot access to the site or even the admin from back end, I use my iPhone also cannot access until I unblock it from cPanel.

    The domain name is registered via NameCheap, pointed to CloudFlare, and pointed back to my hosting.

    Any idea what happen to my site? Is it because I am using the learning mode so it’s a part from Wordfence self tracking and hacking to enhance the protection?

    Sorry for long details but hope anyone of you can give me more advise.

    Thanks in advance!

    (Using updated Wordfence 6.3.8 now)

    Adam

Viewing 5 replies - 1 through 5 (of 5 total)
  • Take a read of this page about Cloudflare. It is Cloudflare’s plugin which restores visitor’s IP address to the correct one for WordPress logs. This because Cloudflare will reflect it’s own proxy IP’s when traffic is passed through their servers.

    Link: https://blog.cloudflare.com/introducing-the-cloudflare-wordpress-plugin/

    Cloudflare proxy IP’s may cause issues with your attempts to understand what IP address your dealing with in WordFence live traffic and IP block. Of course, someone from WordFence has to answer the tech details of their plugin to those who use Cloudfare.

    This could be the reason why you got the warning about blocking yourself when you tried to block the hacker, because both you and the hacker are going through the same Cloudflare proxy IP, at least that is what it seems to me based on the above information.

    Hope this gives some help.

    • This reply was modified 2 years, 8 months ago by wpwd2016. Reason: More info
    • This reply was modified 2 years, 8 months ago by wpwd2016.
    • This reply was modified 2 years, 8 months ago by wpwd2016.

    IC, I have stopped the pointing and it seen like everything go fine right now, so which mean if I want to continue to use cloudflare, I need to install this cloudflare plugin as well to correct the problem?

    IC, I have stopped the pointing and it seen like everything go fine right now, so which mean if I want to continue to use cloudflare, I need to install this cloudflare plugin as well to correct the problem?

    No, not necessarily. Plugins should never be taken as the end all and be all answer to WordPress issues, plus the plugin may make no difference other than showing the actual IP address.

    Instead, get the WordFence Tech to answer the concerns because it is possible that WordFence options has a way to address your concerns, or that this may be a bug WordFence needs to know about to include in their next update since they are pretty quick updating to rid of bugs.

    After the WordFence Tech answers your questions, you will have a better idea of what to do.

    Another thing to consider is the premium version of WordFence, where you can block countries from accessing the site. This may be only a temporary measure, but may temporarily deal with the issue until the WordFence Tech can help. I use the premium version on one of my sites and I am very happy with it.

    Until then, monitor the activity and work the options you do have to see what can be done for now.

    • This reply was modified 2 years, 8 months ago by wpwd2016. Reason: grammar correction
    • This reply was modified 2 years, 8 months ago by wpwd2016. Reason: more info

    Hi Adam,
    There should be no problem using Cloudflare along with Wordfence, please check which option was selected in (Wordfence > Options => How does Wordfence get IPs) before and after using Cloudflare, make sure your IP is detected correctly in both cases.

    Thanks.

    @wfalaa, I have removed cloudflare yesterday and pointed back to inmotion ns, this IP 181.224.158.20 untag to my dynamic IP 222.164.227.90 right immediate, and so far for the past 13hrs go fine, and that IP is being blocked out of my site. So I strongly believe the problem cause by the clouflare, but all setting set via auto config and no idea why, anyway maybe retry to tag back to cloudflare during weekend, and see how it perform against…

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Am I Being Hack? Feel like being hacked…’ is closed to new replies.