Help: Immediately block the IP of users who try to sign in as these usernames

  • Resolved r-c

    (@rlmc)


    3 years, 9 months ago

    I have a hundreds of attempts per day from a bunch of amazon web services IP addresses trying to sign in using the username “admin” (which is NOT my admin username).
    They seem to roll through hundreds of IP addresses throughout the day.

    My question is, if I enable “Immediately block the IP of users who try to sign in as these usernames” for the username “admin”, how does that work with regard to not accidentally blocking my legitimate IP addresses?

    What I mean is that MY own legitimate logins usually show up as Amazon Web Services IP address (various ones all the time), so If I block those attempted fraudulent admin logins, isn’t there a decent chance that MY IP address ends up getting blocked too? (since it may be the same amazon web services IP address from time to time)

    Hope that question makes sense!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @rlmc and thanks for reaching out to us!

    They should block you but also your own IP address should be showing as AWS unless you are using a VM on an AWS server. That could be an issue with how IP Detection is set up.

    Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    Thanks!

    Thread Starter r-c

    (@rlmc)

    Ok, I have sent the diagnostics report. (I wasn’t quite clear on what you meant by “They should block you but also your own IP address should be showing as AWS unless you are using a VM on an AWS server. That could be an issue with how IP Detection is set up.”)

    Can you let me know how to respond back to you privately after you have reviewed the report as I don’t want to share my email address and website here please.

    Thank you for your help.

    Plugin Support WFAdam

    (@wfadam)

    Thanks for sending that diagnostic!

    Looks like the IP being detected is an Ezoic IP address, which would explain the 503’s. If a brute force attacker gets locked out then everyone else including them will get that page until the lockout expires or the Ezoic IP address changes.

    To remedy this, we will need to change a setting and add some IPs to the trusted proxies.
    https://www.wordfence.com/help/dashboard/options/#ezoic-platform

    First, navigate to Wordfence > All Options > General Wordfence Options and change the How does Wordfence get IPs setting to Use the X-Forwarded-For HTTP header. You should see Detected IP(s) and Your IP with this setting, these two IP’s should match.

    Then just below that you should see + Edit trusted proxies. Click that and add all the Ezoic IP’s from their site. If you scroll to the bottom of the page you will see a txt file with the IPs in it:
    https://support.ezoic.com/kb/article/how-to-fix-origin-errors

    Once that is set properly, this random blocking should go away. Let me know if you have any questions!

    Thanks!

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Help: Immediately block the IP of users who try to sign in as these usernames’ is closed to new replies.