Support » Plugin: Wordfence Security - Firewall & Malware Scan » This is broken: Immediately block IPs that access these URLs

  • Resolved StanLight

    (@stanlight)



    I’ve added this to the “Immediately block IPs that access these URLs” settings:
    /wp-login.php

    But it doesn’t work. There are repeated attempts to load this URL, sometimes 20 or 30 from the same IP. Why isn’t the IP getting blocked?

    I understand that the URL has to be non-existent for this blocking to work (most unintuitive, BTW!). And this URL is disabled on my site because I use a plugin that gives me a different URL for logging in purposes.

    I’ve checked the server header for this wp-login.php page using a third party checking service and it is correctly giving a 404 response.

    Why isn’t Wordfence blocking these IPs that are trying to access my non-existent login page?

Viewing 7 replies - 1 through 7 (of 7 total)
  • It’s working properly on several of my client sites that I’ve set that up with… maybe the IP address is on a whitelist (happens for such IP as the one for Sucuri site-testing, and others).

    Note: I’m not part of WF admin/support, just a long-time user.

    Thanks for your reply.

    Good point about the whitelist but, no, I have no IPs on the whitelist. And it’s not one or two people trying this login page. I get 30-50 different IPs trying it everyday.

    Hi stanlight,
I can confirm this option is working as it should. How do you know about these 30-50 “wp-login.php” URL access attempts? Or did you just get “failed login” notifications?

    P.S. make sure you are using the latest version of Wordfence.

    Thanks.

    My WP and WF are all up to date.

    No, I haven’t got “failed login” notification on. I see these attempts in the “live traffic” view. Some IPs have multiple attempts over several hours and they don’t get blocked.

    When I did turn notification on for WF to send me email, I’d get email like this:

    “Wordfence has blocked IP address 193.248.153.69.
    The reason is: “Exceeded the maximum number of page not found errors per minute for a crawler.”

    But not any notifications to say someone was blocked for trying to access banned / blocked page.

    I just copied this from my Live Traffic page:
    Hanoi, Vietnam tried to access non-existent page http://mysite.com/wp-login.php
    29/11/2016 08:05:53 (37 minutes ago) IP: 113.190.162.186 [block] Hostname: dynamic.vdc.vn

Wordfence is giving me the option of blocking it manually here. Instead I expected that IP to have been blocked already for 24 hours (my setting) because it tried to access the login page earlier.

    • This reply was modified 2 years, 2 months ago by  StanLight.

    I’m not sure if you changed this file name on purpose or this was done by the plugin you are using to change the login URL, either way, can you revert this back to the default and re-check this issue?

    Also, I suggest trying this option on different URLs than the “/wp-login.php”, just for testing.

P.S. While testing, you can always use a VPN so it’s not your original IP that gets blocked, and you can easily access your website again by switching off the VPN. But in case you locked yourself out by mistake, you will find this article helpful.

    Let me know how it goes,
    Thanks.

    Good suggestion, thanks.

    I added this to my block list:
    /xyz123.php

    When I try to access that URL through a proxy I correctly get a message saying I’ve been blocked.

    When I try to access wp-login.php (on a new proxy) I don’t get that message. I just get the 404 page.

    <added>
    To answer your earlier question, I use a plugin called Rename wp-admin.php which gives me a custom URL for logging in that only I know about. (That would be a good feature for Wordfence to add!) On further digging I find that there is indeed a wp-login.php file in root… though I do hit the 404 page if I try to access it in a browser.

    • This reply was modified 2 years, 2 months ago by  StanLight.

If you mean the “Rename wp-login.php” plugin, then it’s worth trying to deactivate this plugin and re-checking this issue. As an alternative solution for now, you could block access to this file via the “.htaccess” file by adding this snippet:

    
    # Deny access to wp-login.php file
    <files wp-login.php>
    order allow,deny
    deny from all
    </files>
    

    P.S. I tested this code with “Rename wp-login.php” plugin and I can confirm it’s working fine.

    Thanks.
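    An added .htaccess example (not from the thread or from Wordfence) that expresses the same deny rule in both the Apache 2.2 syntax used above and the Apache 2.4 “Require” syntax, so it keeps working after a server upgrade; it also keeps one assumed admin address (203.0.113.10, a placeholder) able to reach the file in case the rename plugin is ever disabled:

```apache
# Added example, not the thread's own snippet. Denies wp-login.php to everyone
# except one placeholder admin address (203.0.113.10, an assumption). Apache 2.4
# rejects "Order"/"Deny from" unless mod_access_compat is loaded, so each
# syntax is wrapped in an IfModule test for the 2.4 authorization module.
<Files "wp-login.php">
  <IfModule mod_authz_core.c>
    # Apache 2.4: only the listed address matches, every other client is denied
    # (a request that matches no Require directive is refused with 403).
    Require ip 203.0.113.10
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2: Deny rules are evaluated first, then Allow overrides them
    # for the listed address.
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
  </IfModule>
</Files>
```

    Because the web server answers with 403 before WordPress loads, the request never reaches the login-rename plugin or Wordfence, which is why this works where the “non-existent URL” rule did not.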
