• I manage about 20 sites using SiteGround as the host and The7 Theme (WordPress).

    I get daily alerts for most of the sites stating that:

    A user with IP addr xx.xxx.xxx.xxx has been locked out from signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 20. The last username they tried to sign in with was: ‘arpi’.
    The duration of the lockout is 4 hours.

    User IP: xx.xxx.xxx.xxx
    User hostname: ip-xx.xxx.xxx.xxx.siteground.com
    User location: Chicago, United States

    It’s always the exact same IP address as the site itself and it’s always Chicago, which is where the data center is for the SiteGround hosting. I do also see siteground at the end of the IP above. But the user names are always unique, things like “arpi” etc.

    Can anyone shed some light on this for me? I’m confused why the IP is for the site and not the person trying to access the site.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hey @ocdenson,

    Can you please check to make sure “How does Wordfence get IPs” is correctly identifying your IP?

    https://www.wordfence.com/help/dashboard/options/#general-wordfence-options

    Please let me know.

    Thanks,

    Gerroald

    Thread Starter ocdenson

    (@ocdenson)

    REMOTE_ADDR xx.xxx.xxx.xxx (website’s own IP) In use

    CF-Connecting-IP (not set)

    X-Real-IP xx.xxx.xxx.xxx (website’s own IP)

    X-Forwarded-For (not set)

    Trusted Proxies

    Thread Starter ocdenson

    (@ocdenson)

    See my reply above.

    I also wanted to mention that most of these sites that I get alerts for, I’m temporarily locked out of and need to submit my email to regain access. I just get a weird feeling that there’s some strange behavior going on. I first thought it was marking my logins as dangerous, but the reports show that someone is trying up to 20 times to access the site and using versions of user names that aren’t correct. I even panicked that my own computer had been hacked, so I did a complete fresh Windows install.

    So the problem stands that people are relentlessly trying to access various sites of mine but their IP is reflecting the site’s own IP from the Chicago data center. I am also being locked out of the sites that are being attacked.

    Hey @ocdenson,

    Can you please try the X-Real-IP method and let me know if it helps?

    As far as the attacks, these are brute force attacks. While it’s alarming to see, it’s actually normal. There’s only so much we can do to prevent an attack; it’s more about making sure they aren’t successful. And once we get your IP detection functioning correctly it won’t be an issue for you.

    Please let me know if switching IP detection methods helps.

    Thanks,

    Gerroald

    Thread Starter ocdenson

    (@ocdenson)

    Hi, thanks for all your help thus far.

    So a certain degree of success.

    I received a new alert that “someone had reached maximum log in attempts of 20” – (btw can’t I limit that to less numbers to make it harder for them?)

    The IP is still showing the website’s own IP but this time I wasn’t locked out myself??

    So I guess that’s better but still not getting their IP.

    – Kindly, Oliver

    Plugin Support wfscott

    (@wfscott)

    @ocdenson

    If you’re still seeing SiteGround’s IPs in the “How does Wordfence get IPs” section, please reach out to SiteGround support and check if they are seeing anything on their side relating to the issue. Let them know the IPs coming in are SiteGround IPs and not unique visitor IPs. There may have been a recent migration that affected the IPs on the site and how they are identified.

    Scott
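
An added example, not part of the thread and not Wordfence's code: a minimal trusted-proxy resolver showing why every detection method in the thread yields the site's own address when the host's proxy forwards no visitor IP. The function names, the header dictionary shape and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample (documentation-range address standing in for the site's
# own IP): the header values the thread starter reported.
THREAD_CASE = dict(remote_addr="203.0.113.10",
                   headers={"X-Real-IP": "203.0.113.10"},
                   trusted_proxies=["203.0.113.10/32"],
                   server_ip="203.0.113.10")

def _ip(value):
    """Parse one address; return None for empty or malformed input."""
    try:
        return ipaddress.ip_address((value or "").strip())
    except ValueError:
        return None

def resolve_client_ip(remote_addr, headers, trusted_proxies):
    """Return (ip, source); headers count only if the peer is a trusted proxy."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(ip):
        return any(ip in net for net in nets)

    peer = _ip(remote_addr)
    if peer is None:
        raise ValueError("REMOTE_ADDR is missing or malformed")
    if not trusted(peer):
        return str(peer), "REMOTE_ADDR"  # anyone can send these headers
    # Walk X-Forwarded-For right to left, skipping our own proxies.
    for hop in reversed(headers.get("X-Forwarded-For", "").split(",")):
        hop = _ip(hop)
        if hop is None:
            break  # empty or malformed hop: stop trusting the chain
        if not trusted(hop):
            return str(hop), "X-Forwarded-For"
    real = _ip(headers.get("X-Real-IP"))
    if real is not None and not trusted(real):
        return str(real), "X-Real-IP"
    return str(peer), "REMOTE_ADDR"

def diagnose(remote_addr, headers, trusted_proxies, server_ip):
    """Flag the thread's symptom: the resolved visitor IP is the site's own."""
    ip, source = resolve_client_ip(remote_addr, headers, trusted_proxies)
    if _ip(server_ip) == _ip(ip):
        return ip, source, "proxy is not forwarding the visitor IP"
    return ip, source, "ok"
```

With `THREAD_CASE`, `diagnose` reports the server's own address whichever header is preferred, so lockouts keyed on that address also hit legitimate logins arriving through the same proxy.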

  • The topic ‘Wordfence Alerts for the Sites Own IP?’ is closed to new replies.