• Hey, I have used a plugin to hide my wp-login.php page and am using a custom login page location to make my site more secure.

    I have also set a rule in the “Immediately block IPs that access these URLs:” section of the wordfence options. This, however doesn’t seem to actually block any ip addresses even though I can see a large number of users still trying to access this page in the “live traffic” section of wordfence.

    Is this because it now shows as a non-existent page and therefore can’t block the IP or am I maybe just doing something wrong?

    thanks

Viewing 11 replies - 1 through 11 (of 11 total)
  • Hi

    I am seeing the same thing

    I think what’s happening is the path can be accessed and the ip address isn’t blocked until it enters a false name/password and the fail frequency required is reached

    As no false name/password can be added via the invalid URL there is no ip block triggered because no false name/password has been entered to trigger the block

    I think the solution is to have the option to Block IP addresses that repeatedly submit an invalid path or phrase – say to login via any URL with “/wp-login.php” when it (“/wp-login.php”) doesn’t exist

    The trigger phrase/url/etc and number of attempts allowed would be set by the user in a table

    It would also be useful to be alerted if an ip address is repeatedly attempting to access a non existent URL or the same non existent URL is being requested by different ip addresses

    Suggested Features to Add

    1. a feature that allows the user to add path or phrase or words – for example “/wp-login.php”

    so that if it (“/wp-login.php”) appears in any request to the site that triggers wordfence to

    i. automatically block the originating ip address or
    ii. block after a certain amount of attempts

    2. a flag that tells you when an ip address is repeatedly requesting an invalid URL or phrase or words etc and an option to add that URL etc to the table above

    3. a flag that tells you when different ip addresses are repeatedly requesting the same or similar invalid URLs paths or phrases or words etc and an option to add that URL etc to the table above

    thanks

    Hi

    I think I have found there is an existing feature already that does most of what I asked for above

    Thanks

    https://docs.wordfence.com/en/Wordfence_options?utm_source=plugin&utm_medium=pluginUI&utm_campaign=docsIcon#Immediately_block_IP.27s_that_access_these_URLs

    Immediately block IP’s that access these URLs

    This allows you to set a kind of trap for bad guys. You can enter a URL that does not exist, for example: /vulnerabilityLivesHere

    Then if someone tries to access that URL they are instantly blocked. You have to specify a relative URL, in other words it must start with a forward slash. It also must be a page that does not exist on your website. Wildcards (*) can be used, if there are visits to multiple bad URLs. For example, if there are visits to /badpage-one/ and /badpage-two/, then entering /badpage-*/ will block both.

    We only recommend this feature if you are trying to catch a specific hacker and block them or if you are trying to catch hackers that are trying to exploit a known vulnerability or page on your site.

    BTW, I just tested “Immediately block IPs that access these URLs” and yes, the URL has to exist on your server for this to work. I thought this was otherwise, shucks…

    MTN

    • This reply was modified 8 years, 2 months ago by mountainguy2.

    I don’t see the same as mountainguy2 – I do see it blocking URLs that don’t exist – it happened while I was writing this

    But I have to say I am not really that clear on what’s being reported in live traffic and what makes some things get blocked and others not get blocked even though both incidents in live traffic get a message saying “was blocked by Wordfence Security Network”

    Comment

    Maybe I am missing something but this is what I see

    I can see wordfence live traffic reports and blocks ip attempting to login via a non-existent URL
    but

    Looking at this further I see the following

    1. the live traffic report

    i. first reports a location/city/country then advice if it [the location(?)] “was blocked by Wordfence Security Network”
    ii. secondly it then blocks the ip address that comes after the message (“was blocked by Wordfence Security Network”) if a flag has been triggered

    5. if a specific flag isn’t triggered then live traffic report leaves the ip address unblocked but allows manual blocking of the ip by clicking on the word block in the live traffic report

    Summary

    It seems that

    A. if the unrecognized URL trap is triggered the ip is blocked
    B. if something else has triggered the message “was blocked by Wordfence Security Network” to be activated in live traffic then the ip is not necessarily blocked

    Question

    Could somebody clarify what’s going on and how to automatically block any ip address once the message “was blocked by Wordfence Security Network” comes up in live traffic

    https://docs.wordfence.com/en/Wordfence_options?utm_source=plugin&utm_medium=pluginUI&utm_campaign=docsIcon#Immediately_block_IP.27s_that_access_these_URLs

    Immediately block IP’s that access these URLs

    You can enter a URL that does not exist, for example: /vulnerabilityLivesHere

    Then if someone tries to access that URL they are instantly blocked. You have to specify a relative URL, in other words it must start with a forward slash.

    PS – I want to add something to my last post

    1. after I finished the previous post I looked at live traffic and found that a non-existent URL was accessed from the USA and triggered the live traffic message “was blocked by Wordfence Security Network” and the IP address was automatically blocked by wordfence

    2. I looked back over the blocked ips reports (which also gives the reason and action taken and by whom) and found on another occasion an IP address from New Zealand accessing the same non-existent URL triggered the message “was blocked by Wordfence Security Network” but the IP address was manually blocked by me (that is reported under the blocked ips page that I manually blocked it)

    So there was an inconsistency even though the same non existent URL triggered the same initial response “was blocked by Wordfence Security Network” the ip address was blocked automatically in one case and not in the other case

    Both incidents happened within a few hours of each other

    I guess it’s possible that there was something I had done to the settings – but I don’t recall doing anything that should have caused there to be 2 different outcomes

    I will see what else comes up in live traffic and post it when I have time

    Robert, I should have shared my exact testing sequence. No time at the moment, but I can say that I depend greatly on “Immediately Block” working on URLs that do NOT exist on server, but also on URLs that DO exist. I use a large list. When I test by using my VPN and accessing a test URL that I create and then delete in site root, the blocking messages are confusing. I’ll do another test today and share more detail here. Apologies for my vague posting above.

    The Wordfence documentation is wishy washy on this. It doesn’t clarify what happens if a URL _does_ exist on server, only if it _does not_, typically confusing documentation?

    “Immediately block IP’s that access these URLs
    This allows you to set a kind of trap for bad guys. You can enter a URL that does not exist, for example: /vulnerabilityLivesHere
    Then if someone tries to access that URL they are instantly blocked.”

    MTN

    One gets the feeling that Wordfence included this feature as somewhat of an afterthought, it’s not very robust. For example, the ability to add comment lines would be appreciated, and some certainty on it being able to block for both extant and non-extant files. Some idea of how much server load this creates would be appreciated as well, as in, how big a list is appropriate?

    MTN

    What’s going on seems pretty strange

    I am getting a series of messages in live traffic for IPs trying to access the same address for a non existent URL

    The messages are

    1. “blocked for Accessed a banned URL”
    2. “blocked by Wordfence Security Network”

    3. There are not many messages related to “blocked for Accessed a banned URL”
    (Accessed is the spelling used – I have just copied and pasted)

    4. I cannot see any difference between the events related to the 2 different messages but the subsequent blocking process appears to be different
    5. “blocked for Accessed a banned URL” seems to trigger an immediate blocking of that ip address no more instances of attempted access from that ip address are shown
    6. “blocked by Wordfence Security Network” seems to allow a number of additional attempted logins before they cease in live traffic
    7. “blocked by Wordfence Security Network” doesn’t always generate a blocked report in live traffic even though the IPs trying to access the same address for a non existent URL
    8. I manually block the ips that have triggered the “blocked by Wordfence Security Network” but not reported blocked in live traffic
    9. I am a bit concerned that ips don’t always show up in the blocked ips report even when blocked by wordfence automatically or me manually

    Any feedback from wordfence on what I might be doing wrong etc ?

    Follow up I have been watching what is happening on live traffic and it seems that maybe there is an issue with determining if a blocked URL is accessed by an IP address

    It seems that in wordfence

    1. if the ip address goes straight to the blocked URL – then it is deemed to have accessed the blocked URL and is immediately blocked with the message “blocked for Accessed a banned URL”
    2. if the ip address first goes to say https://www.xyz.com/xmlrpc.php and then to a blocked URL it is not considered as accessing the blocked URL

    In my case I notice that after entering the site via /xmlrpc.php the IP address is allowed 5 additional attempts to access a non existent URL before being blocked.

    I believe this is because I have set under option “If a crawler’s pages not found (404s) exceed: 4” per minute then block it

    I note that for now I am seeing wordfence block all these different attempts whether by “blocked for Accessed a banned URL” or “blocked for Accessed a banned URL” and I have not needed to manually block the ip after the message “blocked by Wordfence Security Network” or “blocked for Accessed a banned URL” comes up as I was experiencing in some cases yesterday and previously (this may just be a temporary result)

    It may be there is a hole in the wordfence code that means if an ip address accesses a non existent URL having already arrived at the web site via an existing page the non existent URL feature is not used to verify subsequent page requests

    If I am correct this would seem a simple thing to rectify either

    A. in the code for checking if a URL is blocked or by
    B. adding an option to check each URL request however it is sent to determine if it is a blocked URL and if it is immediately block it

    PS – so now I have just experienced a “blocked by Wordfence Security Network” that needed to be blocked manually so as I suggested the auto blocking still seems “temperamental” or I am doing something wrong

    Also there was a typo above — it should have read what is set out below

    I note that for now I am seeing wordfence block all these different attempts whether by “blocked for Accessed a banned URL” or “blocked by Wordfence Security Network”

    (not I note that for now I am seeing wordfence block all these different attempts whether by “blocked for Accessed a banned URL” or “blocked for Accessed a banned URL”)

    Thanks Robert, looking at what you’re saying, it appears that perhaps the sequence of how a browser accesses a given URL influences how the Wordfence URL-IP blocking works. Appears that quickly gets complicated!

    I did some reasonably careful but basic testing, using my VPN and uploading-renaming various files via FTP for testing. Here are my results. Sadly, in my case anyway, I verified that the Wordfence “Immediately block IPs that access these URLs” does NOT work for me if the listed file exists on my server. This is a bummer. And I’m nearly certain I was told by Wordfence some time ago that they changed things and that the blocking did function whether the file existed or not. Here are my tests.

    File NOT existing on server, NOT on WF “Immediately block IPs that access these URLs” list (IBIAU), normal file not found message.

    File existing on server, not on WF IBIAU list, normal browser access.

    File NOT existing on server, listed in IBIAU, blocked by Wordfence, displayed on “Blocked IPs List”

    For grins, I went backwards a few steps just to make sure things were working normally, thus..

    File Not on server and not listed in IBIAU, normal file not found message.

    File ON server, LISTED in WF IBIAU list, NOT BLOCKED.

    Removed file from server, still listed in IBIAU list, BLOCKED by Wordfence.

    Dang.

    MTN
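
Added example, not part of the thread and not Wordfence's code: a small model of the two block paths discussed above, the trap-URL list with `*` wildcards from the quoted documentation and the "pages not found (404s) exceed: 4 per minute" threshold, run over constructed request records. The function names, the matching semantics (full match on the path, query string ignored) and the trap rule ignoring response status and request history are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

def trap_regex(pattern):
    """Compile one trap entry; '*' is treated as the only wildcard (assumed)."""
    if not pattern.startswith("/"):
        raise ValueError("trap URL must be relative and start with '/'")
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

def evaluate(requests, traps, max_404_per_min=4):
    """Return {ip: (rule, epoch_seconds)} for the first rule each IP trips.

    requests: (epoch_seconds, ip, path, status) tuples in time order.
    """
    compiled = [trap_regex(t) for t in traps]
    recent_404 = defaultdict(deque)  # ip -> 404 timestamps inside the last 60 s
    blocked = {}
    for ts, ip, path, status in requests:
        if ip in blocked:
            continue  # already blocked, later requests never reach the site
        path_only = path.split("?", 1)[0]  # match on the path, not the query
        if any(rx.fullmatch(path_only) for rx in compiled):
            blocked[ip] = ("trap-url", ts)  # immediate, regardless of history
            continue
        if status == 404:
            window = recent_404[ip]
            window.append(ts)
            while ts - window[0] >= 60:
                window.popleft()
            if len(window) > max_404_per_min:
                blocked[ip] = ("404-rate", ts)
    return blocked

TRAPS = ["/wp-login.php", "/badpage-*/"]
# Constructed sample traffic using documentation IP ranges, not real logs.
SAMPLE = [
    (0, "192.0.2.10", "/wp-login.php", 404),
    (5, "198.51.100.7", "/xmlrpc.php", 200),
    *[(10 * n, "198.51.100.7", f"/missing-{n}", 404) for n in range(1, 6)],
    (60, "203.0.113.5", "/badpage-two/?x=1", 404),
    (70, "203.0.113.9", "/missing-1", 404),
    (200, "203.0.113.9", "/missing-2", 404),
]

if __name__ == "__main__":
    for ip, (rule, ts) in evaluate(SAMPLE, TRAPS).items():
        print(f"{ip} blocked by {rule} at t={ts}s")
```

In this model the visitor that starts at /xmlrpc.php is only blocked on its fifth 404 inside a minute, while a direct hit on a listed URL is blocked on the first request.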

  • The topic ‘Immediately block IPs that access these URLs:’ is closed to new replies.