According to a discussion going on here: http://security.stackexchange.com/questions/27958/brute-force-login-attempt-from-spoofed-ips, the WordFence plugin is looking at the “forwarded-for” header to determine request IPs, leaving it vulnerable to IP spoofing, as it trusts the self-reported IP address (http://cwe.mitre.org/data/definitions/291.html).
If WordFence uses the IP in $_SERVER['HTTP_X_FORWARDED_FOR'] for its blocking method, it does render that pretty weak.
My WF logs show thousands of failed login attempts for a non-existing ‘admin’ account. The requests come from different IPs every time, and I see IPs such as 220.127.116.11 (Google’s public DNS) as the ‘origin’ of some of the login attempts.
Blocking the IPs I see in the logs is futile, as they are only used once.
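One way to pick the address used for blocking so that a self-reported X-Forwarded-For value is only honoured when the connection really comes from a known proxy. This is an added example, not part of the original post and not WordFence's code; the proxy list, function names and sample requests are assumptions, and it handles IPv4 only.

```php
<?php
// TRUSTED_PROXIES is a constructed list (documentation/private ranges);
// replace it with the addresses of your own reverse proxy or CDN.
const TRUSTED_PROXIES = ['192.0.2.10/32', '10.0.0.0/8'];

// True if the IPv4 address $ip lies inside one of the trusted CIDR blocks.
function is_trusted_proxy(string $ip): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;
    }
    foreach (TRUSTED_PROXIES as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $mask = ((int)$bits === 0) ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
        if (($ipLong & $mask) === (ip2long($net) & $mask)) {
            return true;
        }
    }
    return false;
}

// Address to use for blocking and rate limiting.
function resolve_client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // Peer is not one of our proxies: the header is whatever the client sent.
    if ($xff === '' || !is_trusted_proxy($peer)) {
        return $peer;
    }
    // Our proxies append on the right, so walk right to left and stop at the
    // first hop that is not ours. Entries left of it are unverified claims.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return $peer; // malformed entry: fall back to the TCP peer
        }
        if (!is_trusted_proxy($hop)) {
            return $hop;
        }
    }
    return $peer; // every hop was one of our own proxies
}

// Constructed requests: a direct connection with a forged header, then the
// same forged value arriving through the trusted proxy at 192.0.2.10.
echo resolve_client_ip(['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.99']), "\n";
echo resolve_client_ip(['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.99, 203.0.113.7']), "\n";
```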