• Login security seems to have stopped working on one of my sites. I’m still getting ‘User locked out from signing in’ alerts from other sites (including one on the same web server) that use Wordfence, so there must be something specific going on with this site.

    Login security was previously working on the site in question, but the last blocks logged by Wordfence were about two months ago. And I just watched traffic from one IP address as it tried the login/register/lostpassword links repeatedly for about an hour, about twice per second.

    The site in question uses two security-related plugins that I don’t use elsewhere: New User Approve and Registration Honeypot. I’m going to try disabling those to see if it makes any difference. I’ll post my findings here.

    https://wordpress.org/plugins/wordfence/

  • Thread Starter jrivett

    (@jrivett)

    I tried disabling New User Approve, Registration Honeypot, and one other security-related plugin, Stop Spammer Registrations. It made no difference.

    While I was watching the access log, another IP address started hitting the wp-login URL several times per second. Then I noticed that IP’s requests suddenly became intermingled with responses from 69.46.36.10, which I’ve noticed in the past happens when Wordfence blocks an IP. Checking Wordfence, I saw that the IP address was shown as blocked in ‘IPs that are blocked from accessing the site’, with the reason being ‘Blocked by Wordfence Security Network’. But that’s separate from the automatic login blocking that should be occurring and isn’t, right?

    Hi

    Great question! This is from our website:

    If one WordPress site running Wordfence is attacked, the attacker is blocked and all other sites also running Wordfence block that attacker. You are watching this happen in real-time on the map above. The data you’re seeing is being streamed to your web browser from one of our real-time security servers in our Seattle data center. Green traffic is ordinary WordPress sign-in’s. Red traffic is hack attempts that we’ve blocked.

    Does that answer your question about that?

    About the original question, I found that one of the sites I manage, which gets attempts all day long, has its messages now auto delivered to the spam folder. I’ve even tried setting this as not junk in my email program but the amount of the emails seems to flag the spam filter no matter what. One thing you can do to combat that is set how many emails you want to receive an hour. It’s defaulted at 0 (unlimited). I set mine to 1. You might try adjusting that one and seeing if it helps. Before I did anything, though, I would check your junk mail folder to see if the emails are winding up there.

    tim

    Thread Starter jrivett

    (@jrivett)

    My question about the ‘Blocked by Wordfence Security Network’ blocking was actually just asking to confirm that that type of blocking is distinct from the login security blocking that Wordfence applies when it detects rapid login/forgotpassword attempts.

    As for the original problem: although I mentioned the lack of alert emails, that is not the issue. Watching the access log shows attacks happening, but looking at the Wordfence ‘Blocked IPs/IPs that are locked out from login’ tab shows that Wordfence isn’t blocking them. The related settings are all set to the defaults.

    So, you aren’t seeing them in that tab, right?

    If you have access to your server logs, try looking at the access log. Another poster here in the forums pointed out that an easy way to tell if an IP was being blocked was to note the size of the file they received when they hit the wp-login.php page. There was a distinct size difference between a valid IP address and one that had been blocked, showing that the bad IP was being served the text page telling them they were blocked.

    Can you try updating to the latest version and checking again, just to be sure?

    Thanks!

    tim

    Thread Starter jrivett

    (@jrivett)

    I saw that post as well, which was what allowed me to recognize when Wordfence is actually blocking an IP. I watch my access log constantly now, and I can definitely see when Wordfence is blocking.

    However, while the ‘Blocked by Wordfence Security Network’ blocking is working as expected (the block appears in the relevant tab, and the access log shows evidence of the blocking), the blocking based on the login/forgotpassword security settings is apparently not working at all, based on the fact that even when I see a lot of login attempts, the attacking IP never appears in the Wordfence IP block lists, and I see no evidence of blocking in the access log.

    I just updated the site in question to Wordfence 5.2.7, so I’ll watch things and post any new information here.

    There is something that might be an issue here. Can you look in your java console while on that page? I’m betting you have a java error show up in red and it should point to the problem. Post a screenshot here.

    thanks!

    tim

    ps here’s how to enable it if you didn’t already know:

    https://www.java.com/en/download/help/javaconsole.xml

    Thread Starter jrivett

    (@jrivett)

    Two questions.

    1. When you say ‘while on that page’, to which page are you referring? The Wordfence live traffic monitor? The Wordfence IP blocks page?

    2. Are you sure you meant Java? I wasn’t aware that Wordfence uses Java. I’m pretty sure it uses Javascript, however. Maybe you wanted me to look at the Javascript console? I did enable the Java console, and I did watch it while working with Wordfence, but saw nothing at all. On the other hand, when I run a Java application, the Java console is full of stuff.

    We use javascript in various things.

    Are you seeing anything on the blocked IPs page?
    wp-admin/admin.php?page=WordfenceBlockedIPs
    or only missing certain ones?

    tim

    Thread Starter jrivett

    (@jrivett)

    On the Wordfence IP Blocking page:

    IPs that are blocked from accessing the site
    – currently all I see here are IPs I’ve blocked manually
    – yesterday there was also a ten minute block that happened because of information from the Wordfence network

    IPs that are Locked Out from Login
    – one entry from two months ago
    – there was a second one that expired yesterday

    IPs who were recently throttled for accessing the site too frequently
    – one entry from over a year ago

    Some kinds of blocking are working: manual blocks, and blocks based on the Wordfence network. But the login lockouts seem to have stopped working at some point in the last two months.

    Is there some way to put Wordfence into a diagnostic mode, so I can see what it’s doing?

    OK, so the page is working, which means no JavaScript errors, which is what I thought.

    Let me email the dev team for ideas I may be missing.

    tim

    Thread Starter jrivett

    (@jrivett)

    This problem seems to have mysteriously resolved itself. I have no idea how that happened. I will continue to monitor things and if I learn anything I’ll post it here.

    That’s because…err…I fixed it…yeah…that’s the ticket 🙂

    Seriously, glad it’s working for you now.

    tim

    Thread Starter jrivett

    (@jrivett)

    Another wp-login.php based attack this morning, and again Wordfence seems oblivious. Nothing in the Live Traffic view, and no login blocking was triggered. Eventually the IP was blocked via the Wordfence network. I checked the IP and found nothing special about it; for example, it’s not a crawler like MJ12bot.

    So I’m still trying to figure this out. It’s looking increasingly like an incompatibility with one of my other security plugins. Testing continues…

    Thread Starter jrivett

    (@jrivett)

    Further testing shows some interesting things:

    [1] Wordfence doesn’t seem to notice, log, show or block traffic that consists only of repeated requests like these:
    /wp-login.php?action=lostpassword
    /wp-login.php?action=register
    /wp-login.php
    I’m not sure what the attacker is trying to accomplish by sending these requests – several times per second – for long periods. But regardless, Wordfence doesn’t seem to care about them.

    [2] Wordfence also doesn’t seem to care about login attempts where no password is specified. I tried repeatedly to log in with a valid username and a blank password, and Wordfence again didn’t seem to notice, log, show or block this traffic. But as soon as I started trying to log in with a valid username with a non-blank but incorrect password, Wordfence’s login security settings kicked in and blocked the IP I was testing from.

    Are these behaviours intentional in Wordfence? If so, then I guess the problem is that I failed to understand what Wordfence was supposed to be doing. If not, then again I may be dealing with an incompatibility with another plugin. I’ll repeat the tests with those plugins disabled and report back here.

    Thread Starter jrivett

    (@jrivett)

    Additional testing shows that Wordfence behaves the same regardless of whether the additional security plugins are enabled.

    Wordfence doesn’t seem to notice or care about automated attacks that repeatedly issue POSTs for wp-login.php, and although it does log attempts to log in with blank passwords, it does not count them as failed login attempts and never blocks the IPs from which they are issued. Presumably these things are by design, so I’ll adjust my expectations accordingly.
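The access-log checks used throughout this thread (request rate against wp-login.php, and the response-size change that marks a block page) can be automated. The following is an added example, not code from the thread or from Wordfence; the function names, the 10-second window, the threshold of 5, and every log line, status code and size in the sample are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def _line(ip, sec, method, path, status, size):
    # Builds one constructed "combined"-format log line (date is arbitrary).
    return (f'{ip} - - [01/Jan/2024:09:15:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} {size} "-" "-"')

# Constructed sample: documentation-range IPs; statuses and sizes are made up,
# not values Wordfence actually returns.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "GET", "/wp-login.php?action=register", 200, 2456)
     for s in range(6)]
    + [_line("203.0.113.7", s, "POST", "/wp-login.php", 403, 812)
       for s in range(6, 9)]
    + [_line("198.51.100.4", 3, "GET", "/wp-login.php", 200, 2456),
       _line("198.51.100.4", 4, "GET", "/index.php", 200, 9100)])

def parse(log_text):
    """Yield (ip, time, status, size) for every request to /wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["path"].split("?", 1)[0] == "/wp-login.php":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            size = 0 if m["size"] == "-" else int(m["size"])
            yield m["ip"], ts, int(m["status"]), size

def summarize(log_text, window=timedelta(seconds=10), threshold=5):
    """Per IP: peak hits inside any sliding window, plus hits per (status, size)."""
    hits, responses = defaultdict(list), defaultdict(lambda: defaultdict(int))
    for ip, ts, status, size in parse(log_text):
        hits[ip].append(ts)
        responses[ip][(status, size)] += 1
    report = {}
    for ip, stamps in hits.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[ip] = {"peak": peak, "flagged": peak >= threshold,
                      "responses": dict(responses[ip])}
    return report
```

Run `summarize()` over the text of a real access log; an IP that is flagged but whose `responses` never switch to a different (status, size) pair is one that is hammering wp-login.php without being blocked.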
