Wordfence Security
[resolved] IP blocking requires better IP verification (2 posts)

  1. Mikkel Breum
    Posted 3 years ago #

    According to a discussion going on here: http://security.stackexchange.com/questions/27958/brute-force-login-attempt-from-spoofed-ips, the WordFence plugin is looking at the "forwarded-for" header to determine request IPs, leaving it vulnerable to IP spoofing, as it trusts the self-reported IP address (http://cwe.mitre.org/data/definitions/291.html).

    If WordFence uses the IP in $_SERVER['HTTP_X_FORWARDED_FOR'] for its blocking method, it does render that pretty weak.

    My WF logs show thousands of failed login attempts for a non-existing 'admin' account. The requests come from different IPs every time, and I see IPs such as (Google's public DNS) as the 'origin' of some of the login attempts.

    Blocking the IPs I see in the logs is futile, as they are only used once.


  2. Wordfence
    Plugin Author

    Posted 3 years ago #

    Thanks Mikkel,

    We'll have a fix for this out soon. The issue is that there are a wide variety of web server configurations out there and we've tried to make Wordfence compatible with all of them - including front-end proxies, nginx, firewalls, etc.

    To fix this we're probably going to have to ask the user to specify which HTTP header we should use to get the IP address. Most users don't even know what an HTTP header is, so we're trying to figure out how to make this user-friendly and secure.

    We'll have a fix out soon.
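The weakness described in the first post, and the fix sketched in the reply (let the site operator say which header to trust), come down to one rule: a forwarded-for header is only meaningful when the request actually arrived through a proxy the operator controls. The following is an added example, not Wordfence's own code, showing that rule in plain PHP. The function name, the `$trustedProxies` list and the sample request arrays are assumptions constructed for the example.

```php
<?php
// Added example (not Wordfence's code): resolve the client IP the way the
// reply proposes, i.e. honour a forwarded-for style header only when the
// direct TCP peer (REMOTE_ADDR) is a proxy the operator has explicitly listed.

/**
 * Resolve the client IP from a $_SERVER-like array.
 *
 * @param array  $server         Request environment (e.g. $_SERVER).
 * @param array  $trustedProxies IPs of reverse proxies / load balancers the operator runs.
 * @param string $header         Header chosen by the operator, e.g. 'HTTP_X_FORWARDED_FOR'.
 */
function resolve_client_ip(array $server, array $trustedProxies, string $header = 'HTTP_X_FORWARDED_FOR'): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // No trusted proxy in front of us: the TCP peer is the client. Any
    // forwarded header was written by the client itself and is ignored.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    if (empty($server[$header])) {
        return $remote;
    }

    // X-Forwarded-For reads "client, proxy1, proxy2": each proxy appends the
    // peer it saw. Walk from the right, skipping hops we trust; the first
    // untrusted address is the real client. Anything further left was
    // supplied by an untrusted party and is not believed.
    $hops = array_map('trim', explode(',', $server[$header]));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed header: fall back to the peer address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }

    // Every hop was one of our own proxies; treat the peer as the client.
    return $remote;
}

// Constructed sample requests (documentation-range addresses, not from the thread).
$trusted = ['10.0.0.5'];

// 1) Direct connection that forges X-Forwarded-For: the header is ignored.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9',
];

// 2) The same forged value arriving through the trusted proxy, which has
//    appended the true peer; the walk from the right stops at that peer.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7',
];

echo resolve_client_ip($direct, $trusted), "\n";
echo resolve_client_ip($viaProxy, $trusted), "\n";
```

In both constructed cases the forged address is discarded and the address the server actually saw the connection from is used for blocking, so a single attacker cannot make each login attempt appear to come from a fresh IP. Without a configured proxy list the function degrades to plain `REMOTE_ADDR`, which is the safe default when the operator does not know what an HTTP header is.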



Topic Closed

This topic has been closed to new replies.
