Reports same User hostname for MYSELF as for hackers
-
I have recently got plenty of hacker attempts, trying to log in using “admin” (which is removed), and in the email it says an IP number and a User hostname vps.agenciaspin.com
BUT – when I tried to log in myself, with an old and now removed user – it says the following, i.e. it reports the SAME User hostname:
How does that work? (It feels like Wordfence is taking the last User hostname that has been reported to me – not the correct User hostname that my IP belongs to.)
User IP: 81.232.69.81
User hostname: vps.agenciaspin.com
User location: Bromma, Sweden
-
It sounds like your site may be using a “reverse proxy”, so Wordfence cannot see the visitors’ actual IP addresses. You will need to set the option “How does Wordfence get IPs” on the Wordfence Options page. Depending on what software your server is using, you probably need to choose the X-Real-IP or X-Forwarded-For option, or if you use CloudFlare, then choose the CF-Connecting-IP option. More details on the options are here:
How does Wordfence get IPs
After setting the option, you can verify it is working by looking at the Live Traffic page, and visiting the site in a separate browser where you are not logged in, and verify that your own IP appears in your own visits. (If Live Traffic is disabled, try logging in using the second browser, since logins and logouts are still recorded.)
Let me know if this helps, or if you still do not see the correct IP for your own visits.
-Matt R
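The reply above lists the header choices behind “How does Wordfence get IPs”. The following is an added illustration, not Wordfence’s own code, of what each choice means and of the one safeguard that makes a forwarded-IP header safe to use: the header is only honoured when the direct peer (REMOTE_ADDR) is a proxy you actually run behind, otherwise any visitor can forge it and every block is keyed on a made-up address. The trusted proxy ranges, the header values and the function names are all constructed for the example.

```python
"""Choosing the client IP behind a reverse proxy (added example, not Wordfence code)."""
import ipaddress

# Constructed for this example: the proxy / CDN ranges the site really sits behind.
# Anything else that connects directly is treated as the end client.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def is_trusted(addr):
    """True when addr belongs to one of our own proxies."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def _valid(addr):
    """Return a cleaned IP string, or None when the value is not an IP address."""
    try:
        return str(ipaddress.ip_address(addr.strip()))
    except (ValueError, AttributeError):
        return None


def client_ip(remote_addr, headers, mode="remote_addr"):
    """Return (ip, source) for a request.

    remote_addr: the TCP peer the web server saw ($_SERVER['REMOTE_ADDR']).
    headers:     request headers as a dict (any key case).
    mode:        'remote_addr', 'x-real-ip', 'x-forwarded-for' or 'cf-connecting-ip',
                 mirroring the option names in the reply above.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # Default mode, or a peer that is not one of our proxies: headers are
    # attacker-controlled and ignored. (Behind a proxy, the default mode
    # makes every visitor appear with the proxy's own address.)
    if mode == "remote_addr" or not is_trusted(remote_addr):
        return remote_addr, "REMOTE_ADDR"

    if mode in ("x-real-ip", "cf-connecting-ip"):
        ip = _valid(h.get(mode))
        label = "X-Real-IP" if mode == "x-real-ip" else "CF-Connecting-IP"
        return (ip, label) if ip else (remote_addr, "REMOTE_ADDR")

    if mode == "x-forwarded-for":
        hops = [p for p in (_valid(x) for x in h.get("x-forwarded-for", "").split(",")) if p]
        # Each proxy appends the peer it saw, so the rightmost entries are ours.
        # Walk from the right past our own proxies; the first address we do not
        # own is the client. Entries further left were supplied by the client
        # and may be forged, so they are never used.
        for hop in reversed(hops):
            if not is_trusted(hop):
                return hop, "X-Forwarded-For"
        return remote_addr, "REMOTE_ADDR"

    raise ValueError("unknown mode: %s" % mode)


if __name__ == "__main__":
    # Constructed requests: a direct visitor forging a header, and the same
    # visitor arriving through one of our proxies.
    print(client_ip("81.232.69.81", {"X-Forwarded-For": "203.0.113.9"}, "x-forwarded-for"))
    print(client_ip("10.0.0.5", {"X-Forwarded-For": "203.0.113.9, 81.232.69.81"}, "x-forwarded-for"))
```

The check to run after changing the option is the one the reply describes: visit the site from a second browser and confirm your own address, not the proxy’s, appears in Live Traffic.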
I saw your other two posts, and now I’m not sure if this is the problem — it might be a DNS issue at the host.
Do you see different IPs getting blocked, but they all have the same hostname?
-Matt R
Since all 3 issues that you reported are probably related, it will be easier if we just discuss them here — for reference, the other two issues were these two posts:
https://www.ads-software.com/support/topic/reports-fake-google-bots-but-they-are-real
https://www.ads-software.com/support/topic/reports-no-ips-blcoked-although-there-are-several-blocked
-Matt R
Hi Matt, thanks for the quick answers on my different (but same cause?) problems.
Yes, I see a lot of different IPs blocked but many (but not all) have the same User hostname: vps.agenciaspin.com
Second – when I got blocked myself (using a removed user by mistake) I also had that User hostname: vps.agenciaspin.com
But later – I had the right User hostname.
It also reports fake Google bots, but when I check the IPs they seem to be real, from Google's servers.
And finally – inside Wordfence – it reports No IPs blocked – although I have received all these emails telling me about different IPs that HAVE been blocked.
Do you mean all this could have the same reason?
However, I have some other WP sites on the same ISP and server – and I don't get all these problems for them.
The site is https://peopleandtraffic.se/ if that helps.
The IP on the PC I use is: 81.232.69.81 when I see these problems
The IP on the server that hosts the domain: 194.9.94.50
Apache/2.2.31 (FreeBSD) PHP/5.5.30 mod_ssl/2.2.31 OpenSSL/0.9.8zd-freebsd
Thanks for helping
PeA
From the beginning I had Live Traffic disabled – but have enabled it earlier today. I can see my own visit (can't see the IP number) when visiting from another browser. I also see a lot of Bing bot visits and from majestic12, yandex, opensite explorer etc. – but NONE from Google bots!!
I have Verified Google crawlers have unlimited access… But still nothing in IPs that are locked out from Login and nothing in IPs that are blocked from accessing the site.
I have enabled Firewall, Login security, and now Live Traffic logging.
I kept How does Wordfence get IPs: Let WF use the most secure….
I don't feel that the other options should be better or solve the problem.
I am not sure this has to do with my other problems – but I am being locked out myself – in a way I should not be. WF has forced me to change my password, I do so. When I 1-2 days later try to sign in – I am locked out. I check the password and try to log in again. When it says I have only 2 attempts left (“Login failed: Sorry.. Wrong information 2 attempts remaining..!”), I get an email saying that I have been locked out due to too many attempts – but hey, it said I had 2 attempts left (and I tried only 3 times and that is less than I had configured). I asked for resetting the password but when I try to log in with that new password – it does not work. Now I have to wait 10 minutes before I can try again – but this feels like a Moment 22.
I would like to lock out unauthorized users, I don't want to make it more difficult for myself.
Yes, I think these are all related. The wrong hostname on the IP block is part of the problem, though the blank list of blocked IPs might only be because the blocks are not permanent. (We need to fix the first issue before looking further at that though.)
The “fake google bots” setting depends on hostname lookups, so if the “vps” hostname keeps appearing incorrectly for other IPs, they will fail. You can turn off “Immediately block fake Google crawlers” for now, to stop that until we fix the other issue.
First, please do these steps. Even though this isn’t a scanning issue, this process sends me extra information about your site which may help:
1. Go to the Scan page on the Wordfence menu
2. Above the “Scan detailed activity” box, click the “Email activity log” link
3. Enter my email address: mattr (at) wordfence.com
4. Click the Send button
(Type the email address with a real @ symbol, of course.)
Next, can you also give me a list of other plugins that you use on your site? Wordfence doesn’t show a countdown of how many attempts are remaining or force password changes, so it sounds like another security plugin is also installed. Sometimes this is ok, but it can cause unusual problems sometimes, when two plugins are working on the same part of WordPress.
Lastly, find out if the site is using a “reverse proxy” — it might be listed in your hosting company’s control panel, and might be called Varnish, but there could be others, too.
-Matt R
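The reply above says the fake-crawler check depends on hostname lookups, and the emails in this thread show reverse lookups returning one crawler hostname for unrelated IPs. The example below is added here and is not Wordfence’s code; it shows the standard forward-confirmed reverse DNS check that the major search engines document for verifying their crawlers (reverse-resolve the IP, require the name to fall under the engine’s domain, then forward-resolve the name and require it to map back to the same IP). The resolver tables are constructed for the example, so it runs offline; a real deployment would plug in `socket.gethostbyaddr` and `socket.getaddrinfo` instead. The second sample entry reproduces the symptom from the thread: a stale msnbot hostname attached to a Russian IP, which the forward step rejects even though the name looks right.

```python
"""Forward-confirmed reverse DNS for crawler verification (added example, not Wordfence code)."""

# Constructed sample data standing in for live DNS: IP -> PTR name.
SAMPLE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "207.46.13.54": "msnbot-207-46-13-54.search.msn.com",
    # Wrong/stale PTR like the ones in the thread: a bingbot name on an unrelated IP.
    "178.211.187.178": "msnbot-207-46-13-54.search.msn.com",
    # An operator who controls their own reverse zone can put any name in the PTR.
    "203.0.113.7": "crawl-66-249-66-1.googlebot.com",
}

# Constructed sample data: hostname -> addresses it forward-resolves to.
SAMPLE_A = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "msnbot-207-46-13-54.search.msn.com": ["207.46.13.54"],
}

# Domains each crawler's PTR names must fall under (leading dot prevents
# a name such as evil-googlebot.com from matching).
BOT_SUFFIXES = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}


def reverse_lookup(ip):
    """PTR lookup against the constructed table (replace with socket.gethostbyaddr)."""
    return SAMPLE_PTR.get(ip)


def forward_lookup(host):
    """A/AAAA lookup against the constructed table (replace with socket.getaddrinfo)."""
    return SAMPLE_A.get(host, [])


def verify_crawler(ip, claimed, reverse=reverse_lookup, forward=forward_lookup):
    """Return (verified, reason) for an IP claiming to be the named crawler.

    Only a PTR name that is both under the crawler's domain and resolves
    back to the same IP counts; a name alone proves nothing because the
    owner of the IP's reverse zone picks the name.
    """
    host = reverse(ip)
    if not host:
        return False, "no PTR record for %s" % ip
    host = host.rstrip(".").lower()
    if not host.endswith(BOT_SUFFIXES[claimed]):
        return False, "PTR %s is outside the %s domains" % (host, claimed)
    if ip not in forward(host):
        return False, "PTR %s does not resolve back to %s" % (host, ip)
    return True, "forward-confirmed %s" % host


if __name__ == "__main__":
    for ip, bot in [("66.249.66.1", "googlebot"),
                    ("178.211.187.178", "bingbot"),
                    ("203.0.113.7", "googlebot")]:
        print(ip, bot, verify_crawler(ip, bot))
```

Because the result depends on both lookups agreeing, a resolver that hands back a cached or wrong PTR name, as the emails in this thread suggest, turns legitimate crawlers into “fake” ones: the name passes the suffix test but the forward step never maps it back to the IP in question, which is why turning the blocking option off until the lookup problem is fixed is the safe interim step.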
I sent you answers on all your questions yesterday (in an email).
My hosting company answers that they have reverse proxy for Apache on some of their servers, but they also say that “server.pistolfolios.com” is not a customer (I must admit that I don't exactly understand this with reverse proxy and my problems).
Let me know if you did not get my replies
PeA
I received the scan log that you had sent, but no other email. Can you try re-sending it, or sending it from another email address?
The scan log looks ok, and I don’t see the usual signs of a reverse proxy, though it could be in place and have unusual settings. (A reverse proxy sits between the internet and your server, so it can lead to changed IP addresses, but usually it means you’ll only see one or a few different IP addresses in the live traffic — if there was some misconfiguration, it’s possible it could cause some issues, but this seems like it is probably something else.)
I’m hoping there is a clue to a different problem in the plugin list, when you’re able to try emailing that again.
I haven’t seen this particular issue with the hostnames before, but if you use W3 Total Cache’s “database cache” option, that can make very strange things happen sometimes. The other parts of that plugin work fine, but if you do use W3 Total Cache, you can test this by just temporarily disabling the plugin altogether.
There is also a possibility that one of the Wordfence tables has a broken index, or some other unusual problem. If you know how to check and repair tables in phpmyadmin or another database tool, you can try that. Alternately, you can reinstall Wordfence from scratch by turning on “Delete Wordfence tables and data on deactivation” near the bottom of the options page, and then disabling it, deleting it, and installing it again — you will have to choose all of the options you had enabled again, but if it’s a database or file problem, this would take care of it.
-Matt R
Hi Matt, what happened to my issue – I still receive plenty of emails with different IPs but the same User hostname – but after a while it changes to a new one – but while it is one and the same – the IPs are coming from different countries etc. and sometimes it is like this:
User IP: 75.103.66.14
User hostname: msnbot-207-46-13-54.search.msn.com
User location: Phoenix, United States
____________________
User IP: 178.211.187.178
User hostname: msnbot-207-46-13-54.search.msn.com
User location: Pervouralsk, Russia
________________________________________
User IP: 142.4.4.201
User hostname: msnbot-207-46-13-54.search.msn.com
User location: Provo, United States
and so on – but then after a number of emails – the User hostname changes to a new one
and also the strange thing that my OWN User hostname started to come up for a lot of other IPs
This can't be right – and I have cleared the cache and deactivated WP Super Cache
PeA
Thanks for the update. I haven’t received an email with your plugin list yet — if you did try sending it again, you might need to try it from a different address, if your regular address might be getting blocked.
I think it is best to try reinstalling Wordfence completely. To do this you have to turn on “Delete Wordfence tables and data on deactivation” near the bottom of the options page, and then disable the plugin, delete it, and install it again — remember, you will have to choose all of the options you had enabled again, since your settings won’t be saved.
If it was a problem with the database, this would most likely fix it — if it does not fix it, then I think you will need the host to check the DNS server that is being used, or check if some other database caching is set up that isn’t working correctly. (This could be outside of WordPress — I haven’t seen anything happen quite like this before though.)
-Matt R
Hi Matt, I DID send the plugin list – I will also send you this email from another email address on another host.
I will also try to delete the plugin following your instructions and will let you know.
This is what I sent you dec 2nd (by email..)
My hosting company answers that they have reverse proxy for Apache on some of their servers, but they also say that “server.pistolfolios.com” is not a customer (I must admit that I don’t exactly understand this with reverse proxy and my problems)
Let me know if you did not get my replies
_________________________________________________________________
Hi Matt, I have sent you the scan report
I have turned off Immediately block fake Google crawlers
Plugins:
All in One WP Security
WP Limit Login Attempts (I had it but today I deactivated and also removed it – as it caused some problems for myself being blocked)
Yoast SEO
UpDraft Plus (backup)
Wincher rank tracker
WP Super Cache
Redirection
WP Edit
SEO Friendly Images
Google Analytics Dashboard
Broken Link Checker
I know – that is maybe too many – I will delete some of them – when I am sure I don’t use them…
(It is easy to install and test but not easy to remove – as you forget…)
About reverse proxy – I don’t have a clue – I have to ask my hosting company – I am quite sure they don’t…
I still get plenty of emails like this – but now the other User hostname is gone and now it seems to be 23.97.233.197 but with different IPs (It looks like a User hostname is “stuck” in the system for a while and gets connected with several other IPs trying to log in, and then suddenly there is another User hostname (like this one) connected to other IPs. I don’t think all these IPs really have the same User host….
A user with IP address 142.4.4.201 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username ‘admin’ to try to sign in.
User IP: 142.4.4.201
User hostname: 23.97.233.197
User location: Provo, United States
Thanks for trying to solve this (it is late here in Stockholm, Sweden now (23.26..)
Thanks for sending the plugin list here. I still didn’t receive the email, but seeing the list here, I don’t think that any of these should cause this problem.
Let me know what happens after trying to reinstall Wordfence with the “Delete Wordfence tables and data on deactivation” option enabled. If it was a problem with one of the database tables, this usually should fix it.
If you know where to find the site’s error log, it might help to check that after reinstalling as well, if the problem is not corrected. (That could tell us if one of the database tables could not be recreated, or if there is another issue.)
If reinstalling does not fix it, then it is most likely something your host will need to fix. It may be that the host’s DNS server or the MySQL database server is not working correctly, or something obscure like a PHP cache (like APC) that is having problems.
-Matt R
Hi again Matt, I have not yet reinstalled Wordfence, but I will do so.
But yesterday I received an email from Ankur Shukla ([email protected]) with this link to a video telling that both Wordfence and “all” the other top security plugins – do not protect against Exploits & vulnerabilities in WP, in themes and in plugins.
https://wpsiteguardian.com/live1c.php?aid=227809
This new software is called WP Site Guardian and the guy behind it is Chris Hitman.
I don't know if this is fake – but I have received emails from this guy before and have some trust in him (but you can never know these days).
The video shows how it should be possible to hack a site in a couple of seconds just by pasting some code into a comments field – and none of the best Security plugins protects against that.
As an example they mentioned that there is a vulnerability in WF:
Persistent Cross-site Scripting (XSS)
What is your comment to this?
And if it is real – wouldn't it be good if Wordfence also protected against this.
Let me know your thoughts
PeA
Hi,
Matt asked me to reply here. The product you’ve mentioned is an affiliate scheme that pays a 50% commission to people who successfully send leads to the maker of the software. That’s probably why you’re hearing a lot about it. Motivated affiliates are spamming to earn a commission.
The “vulnerability” it mentions was discovered by us, was fixed by us and we were polite and honest enough to disclose it to our customers. The fix actually fixes the issue in every version of Wordfence via a server side fix. It was fixed before the vulnerability was disclosed. So the claim the video makes about infected sites is garbage. Our customers were never at risk – clearly the author doesn’t understand how vulnerability disclosure works or that we fixed and then disclosed it ourselves.
Regards,
Mark.
- The topic ‘Reports same User hostname for MYSELF as for hackers’ is closed to new replies.