Hi @ianhsieh,
Can I have you take a look at the Wordfence settings?
Please go into Wordfence -> All Options, find these values:
– Immediately lock out invalid usernames (is this checked?)
– How long is an IP address blocked when it breaks a rule (is this 4 hours or longer?)
– Amount of time a user is locked out (is this 4 hours or longer?)
Could you also take a look at How does Wordfence get IPs? Do you have any trusted proxies (click + Edit trust proxies to check)? Is your IP being properly detected there?
Dave
Hi Dave,
– Immediately lock out invalid usernames (is this checked?)
Yes, it’s checked.
– How long is an IP address blocked when it breaks a rule (is this 4 hours or longer?)
It’s set to 6 hours.
– Amount of time a user is locked out (is this 4 hours or longer?)
It’s set to 2 months.
– How does Wordfence get IPs
I use the recommended option “Let Wordfence use the most secure method to get visitor IP addresses. Prevents spoofing and works with most sites.” When I tried with a nonexistent username, I used a server that I have RDP access to, and it was locked out, with the IP listed in the block list.
——————————
Here is a screenshot of the log of my website: https://snag.gy/Qiu3Vf.jpg
As you can see, an anonymous user attempted to log in with a nonexistent username, but the IP address is not blocked. They continue trying to log in with the same nonexistent username.
A different event showed up last night, and none of the IP addresses are in the block list even though they only tried once. https://snag.gy/3porGt.jpg
Thanks,
Ian
Hi again,
I took a look at the screenshots, and I noticed something strange.
On the right side of the logs, all of the IP addresses ended with .0.
For example:
– 166.248.231.0
– 142.93.103.0
– 178.128.170.0
– 13.59.171.0
– 185.192.69.0
IP addresses connecting to your website cannot end in .0.
So I suspect that multiple IP addresses that begin with the same digits are attacking your website.
Can you go into Wordfence -> Tools -> Live Traffic, to see if multiple IP addresses are showing up?
For example:
– 178.128.170.2
– 178.128.170.3
– 178.128.170.4
– 178.128.170.5
– 178.128.170.etc
Dave
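The check suggested in the post above can also be run offline against an export of Live Traffic addresses. This is an added example, not part of the thread and not Wordfence code; the `LIVE` sample is constructed, and the function names and the /24 grouping are assumptions made for illustration.

```python
import ipaddress

# Addresses ending in .0 as quoted from the log screenshots in the thread.
LOGGED = ["166.248.231.0", "142.93.103.0", "178.128.170.0",
          "13.59.171.0", "185.192.69.0"]

# Constructed Live Traffic sample (not real data): repeats, an unrelated
# address, and a junk field as found in copy-pasted exports.
LIVE = ["13.59.171.57", "13.59.171.57", "178.128.170.2", "178.128.170.3",
        "203.0.113.9", "-", " 13.59.171.57 "]


def hosts_per_prefix(logged, live, prefix_len=24):
    """Map each logged .0 entry, read as a network, to the distinct
    full addresses from `live` that fall inside it."""
    nets = {ipaddress.ip_network(f"{a}/{prefix_len}", strict=False): set()
            for a in logged}
    for raw in live:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # skip fields that are not IP addresses
        for net, hosts in nets.items():
            if ip in net:
                hosts.add(ip)
    return {str(net): [str(h) for h in sorted(hosts)]
            for net, hosts in nets.items()}


def classify(result):
    """Label each prefix by how many distinct hosts were seen in it."""
    labels = {}
    for net, hosts in result.items():
        if not hosts:
            labels[net] = "no match"
        elif len(hosts) == 1:
            labels[net] = "single host"
        else:
            labels[net] = "multiple hosts"
    return labels


if __name__ == "__main__":
    for net, label in classify(hosts_per_prefix(LOGGED, LIVE)).items():
        print(f"{net:20} {label}")
```

A "single host" result for every prefix means the .0 entries are not explained by several neighbouring addresses sharing one range.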
Hi Dave,
Here is a screenshot of part of the live traffic page.
https://snag.gy/3r1Nw2.jpg
I can see that there are more attacks happening than what our log can record, but I don’t see multiple addresses of the same starting digits showing up. For example, I see 13.59.171.57 showing up multiple times, but I don’t see 13.59.171.XXX showing up elsewhere.
Also, the IP address shown to be blocked in this list doesn’t seem to match the one in the block list either (https://snag.gy/bR6BgJ.jpg). Are they blocked or not?
Thanks,
Ian
[ Please do not bump. ]