Support » Plugin: Wordfence Security - Firewall & Malware Scan » Wordfence denying massive numbers of IPs

  • Resolved JSanke

    (@jsanke)


    Site became unavailable due to 403 error. Server error logs showed hundreds if not thousands of IPs blocked by Wordfence, and no reason given. .htaccess was clogged with IP deny rules. My hosting provider removed them all from .htaccess and site works fine now. Wondering why this would happen; cPanel tools showed no evidence of brute force attacks. Would like to address any underlying issue to avoid this in future. Ideas, suggestions?

    The page I need help with: [log in to see the link]

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support WFGerroald

    (@wfgerald)

    Hey @jsanke,

    This sounds like Firewall rules were being triggered. Can you please share screenshots of the expanded details of some of the blocks found in Wordfence > Live Traffic so we can get a better idea of what happened?

    Thanks,

    Gerroald

    Yet Another WP User

    (@yet-another-wp-user)

    @jsanke wrote:

    .htaccess was clogged with IP deny rules. My hosting provider removed them all from .htaccess and site works fine now.

    Wordfence doesn’t add any code to .htaccess file or does it?

    Plugin Support WFGerroald

    (@wfgerald)

    Hey @jsanke,

    @yet-another-wp-user is correct. We don’t add deny rules for blocked IPs to the htaccess. Do you have any other Security plugins installed?

    Thanks,

    Gerroald

    @wfgerald absolutely not. Hosting provider is certain that WF is doing it though, want me to post up error log?

    Plugin Support WFGerroald

    (@wfgerald)

    Hey @jsanke,

    Yes, please do share the logs. This could be a combination of issues. Wordfence doesn’t block IPs in the htaccess. If you’re able to, I’d be curious to see the code they removed from the htaccess file.

    Also, do you recall the exact 403 error?

    Thanks,

    Gerroald

    Here was the log as of about 5 AM GMT:
    deny from 95.47.178.162 deny from 107.178.206.67 deny from 91.200.12.4 deny from 91.200.12.79 deny from 91.200.12.1 deny from 91.200.12.2/31 deny from 91.200.12.4/30 deny from 91.200.12.8/29 deny from 91.200.12.16/28 deny from 91.200.12.32/27 deny from 91.200.12.64/27 deny from 91.200.12.96/30 deny from 198.204.243.202 deny from 173.208.169.1 deny from 173.208.169.2/31 deny from 173.208.169.4/30 deny from 173.208.169.8/29 deny from 173.208.169.16/28 deny from 173.208.169.32/27 deny from 173.208.169.64/27 deny from 173.208.169.96/30 # Wordfence WAF # END Wordfence WAF deny from 109.237.109.1 deny from 109.237.109.2/31 deny from 109.237.109.4/30 deny from 109.237.109.8/29 deny from 109.237.109.16/28 deny from 109.237.109.32/27 deny from 109.237.109.64/26 deny from 109.237.109.128/26 deny from 109.237.109.192/29 deny from 109.237.109.200 deny from 178.137.50.45 deny from 178.137.50.46/31 deny from 178.137.50.48/28 deny from 178.137.50.64/26 deny from 178.137.50.128/26 deny from 178.137.50.192/29 deny from 178.137.50.200 deny from 54.171.83.145 deny from 213.111.196.25 deny from 178.137.164.171 deny from 86.166.12.89 deny from 82.69.75.239 deny from 74.59.146.153
    I believe that the 403 error was simply access denied.

    Plugin Support WFGerroald

    (@wfgerald)

    Hey @jsanke,

    These aren’t from Wordfence, you’ll notice the Wordfence block of code is empty. Wordfence writes blocks to the database, not the htaccess. However, this could be due to your Cloudflare configuration. Can you please ask your host to take a look at your Cloudflare configuration to see if it’s contributing to it?

    I do find it worrisome that whatever is writing these deny rules isn’t staying in its own block of code. You’ll notice that it skips over the Wordfence beginning and end comments and continues to write. It’s entirely possible it was due to such a heavy load all at once.

    Additionally, the 403 likely means your IP was somehow blocked, or perhaps your server IP is there’s a configuration issue.

    Please let me know what they say.

    Thanks,

    Gerroald

    Will do. I’ll revert as soon as I can.

    Plugin Support WFGerroald

    (@wfgerald)

    Hey @jsanke,

    We haven’t heard back from you in a while, so I’ve gone ahead and marked this thread as resolved.

    Please feel free to open another thread if you’re still having issues with Wordfence.

    Thanks,

    Gerroald

Viewing 9 replies - 1 through 9 (of 9 total)
  • You must be logged in to reply to this topic.