• Resolved igortitarenko

    (@igortitarenko)


    Hello,

    Right now one of my sites is being brute-forced through xmlrpc.php. Access to it is disabled in Login Security, so the attacker (a bot with one IP) is blocked with a 503 code.

    When I go to Wordfence/All Options or Wordfence/Tools/Diagnostics/IP Detection, my IP address is detected as the IP address of the current attacker by the REMOTE_ADDR and X-Real-IP methods.
    CF-Connecting-IP and X-Forwarded-For are not used.

    This already resulted in any access to the website being blocked with a 503 code. The issue has been solved with the Wordfence Assistant plugin: I just removed all Wordfence data and settings.

    Any help?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @igortitarenko

    Wordfence is detecting a proxy IP address instead of original visiting client IP addresses. This could be a CDN or a proxy server at your hosting provider.

    If you aren’t using Cloudflare, have you tried saving the various options as outlined here:

    https://www.wordfence.com/help/dashboard/options/#get-ips

    I would like to have a look at your Wordfence diagnostics report. Please go to the top of the “Diagnostics” tab on the Wordfence “Tools” page. There will be a “SEND REPORT BY EMAIL” button to send the diagnostics report. Enter wftest [at] wordfence [dot] com as the email and @igortitarenko as the forum username please.

    Once you have emailed me the diagnostics report can you reply here to let me know that it has been sent. This is important in the unlikely event that your installation of WordPress is having an issue with sending mail.

    Hi @wfphil

    Yes, the Live Traffic tool does show that requests come from the ip-77-104-145-188.siteground.com hostname.

    I tried all options for IP detection and they all show the same result.

    I’ve emailed you the diagnostics report, but I used “KnwMDqv75JF6i8s” for username. Hope it’s OK.

    Plugin Support wfphil

    (@wfphil)

    Hi @igortitarenko

    Thank you for the update.

    Please find your IP address here:

    https://www.whatsmyip.org/

    In the “How does Wordfence get IPs” settings you should have this option saved – “Use the X-Real-IP HTTP header. Only use if you have a front-end proxy or spoofing may result.”

    If you have to apply that setting then remember to press the SAVE CHANGES button.

    Then on the line that says “Your IP with this setting” you should see your IP address that you found in the link above.

    If you see the SiteGround IP address 77.104.145.188 on the line “Your IP with this setting” then that indicates that the Nginx proxy server isn’t configured correctly and you will need to ask SiteGround for assistance so that visiting client IP addresses are passed along to the Apache web server correctly.

    Thank you @wfphil

    The issue was resolved. Someone forgot to update the A record after the account was moved to another IP within SiteGround.
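
The thread turns on which request field carries the visitor's address when a proxy sits in front of the site. As an added example (not Wordfence code and not part of the original posts), this Python code resolves the client IP while believing X-Real-IP and X-Forwarded-For only when the connection comes from a known proxy, and flags the situation discussed above where every request resolves to the proxy's own address. The proxy address, function names and sample requests are constructed assumptions.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not taken from the thread.
PROXY = "192.0.2.10"
TRUSTED_PROXIES = [ipaddress.ip_network(PROXY + "/32")]

def _parse(value):
    """Return a normalized IP string, or None if the value is not an IP address."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except (ValueError, AttributeError):
        return None

def _trusted(ip, trusted):
    """True when ip belongs to one of our own proxy networks."""
    return any(ipaddress.ip_address(ip) in net for net in trusted)

def client_ip(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Resolve the visitor IP; headers is a dict with lower-case header names."""
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError("REMOTE_ADDR is not an IP address")
    # Forwarding headers are only believable when the TCP peer is our own proxy;
    # from any other peer they are client-supplied and can be spoofed.
    if not _trusted(peer, trusted):
        return peer, "REMOTE_ADDR"
    real = _parse(headers.get("x-real-ip"))
    if real and not _trusted(real, trusted):
        return real, "X-Real-IP"
    # Walk X-Forwarded-For right to left, skipping hops that are our proxies.
    for hop in reversed(headers.get("x-forwarded-for", "").split(",")):
        ip = _parse(hop)
        if ip and not _trusted(ip, trusted):
            return ip, "X-Forwarded-For"
    # The proxy sent nothing usable: every visitor collapses onto the proxy address.
    return peer, "REMOTE_ADDR"

def collapsed_onto_proxy(requests, trusted=TRUSTED_PROXIES):
    """True when all requests resolve to a trusted proxy address (misconfiguration sign)."""
    resolved = {client_ip(addr, hdrs, trusted)[0] for addr, hdrs in requests}
    return bool(resolved) and all(_trusted(ip, trusted) for ip in resolved)
```

When `collapsed_onto_proxy` is true, an IP block aimed at one abusive client also locks out every other visitor, which matches the site-wide 503 reported at the top of the thread.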
