Blocked admin name in brute force not blocked

Just to add an update on this one, when I check where this is coming from I see a localhost IP (127.0.0.1). Can this be related to the server somehow? But when I scan with Wordfence I can not see any infected or malicious files.

Best Regards

• This reply was modified 12 months ago by Efs. Reason: Added some extra information

Hi @stevendigital,

Thank you for contacting us.  If configured, Wordfence will send emails when someone is locked out from logging in.  If you no longer wish to receive those emails, you can disable them in Wordfence > Dashboard > Global Options > Email Alert Preferences > Alert when someone is locked out from login.

Is the option you’re using to configure the block the Immediately block the IP of users who try to sign in as these usernames option found in Wordfence > Firewall > All Firewall Options > Brute Force Protection?? This option will only immediately block the IP of users who attempt to sign in as usernames that don’t exist.? You can read more details about this option here:
https://www.wordfence.com/help/firewall/brute-force/#lockout-usernames?

If this isn’t the option you’re using, or if you are using unregistered usernames and not seeing the IPs being blocked successfully, can you provide us more information on your specific configuration please?  Please also provide us with details on the specific block message or email you’re seeing, either by pasting the block message here or sending us a screenshot.  You can also view details on specific login attempts and blocks under Wordfence > Tools > Live Traffic.  For IPs blocked by the above setting, you’ll see an entry marked as “blocked by login security setting.”

As for seeing the localhost IP, we recommend reviewing the IP detection in Wordfence.  To confirm whether IP detection is an issue, look up your public facing IP address at https://www.whatismyipaddress.com/ and visit Wordfence > Dashboard > Global Options > General Wordfence Options > How does Wordfence get IPs and cycle through the options. Your IP address should match the IP address shown on the line “Your IP with this setting“. Make sure to click SAVE if you have to change this setting.

You may find the “How does Wordfence get IPs” section informative on: https://www.wordfence.com/help/dashboard/options/#general-wordfence-options

Thanks,
Margaret

Hello @wfmargaret,

Below my answers:

If configured, Wordfence will send emails when someone is locked out from logging in.? If you no longer wish to receive those emails, you can disable them in?Wordfence > Dashboard > Global Options > Email Alert Preferences > Alert when someone is locked out from login.

That’s not the case.

Is the option you’re using to configure the block the?Immediately block the IP of users who try to sign in as these usernames?option found in?Wordfence > Firewall > All Firewall Options > Brute Force Protection?? This option will only immediately block the IP of users who attempt to sign in as usernames that don’t exist.? You can read more details about this option here:

I am using the option under the path that you suggest. And also I use the Immediately lock out invalid usernames.

If this isn’t the option you’re using, or if you are using unregistered usernames and not seeing the IPs being blocked successfully, can you provide us more information on your specific configuration please?? Please also provide us with details on the specific block message or email you’re seeing, either by pasting the block message here or sending us a screenshot.? You can also view details on specific login attempts and blocks under?Wordfence > Tools > Live Traffic.? For IPs blocked by the above setting, you’ll see an entry marked as “blocked by login security setting.”

I have checked the list and I can see this under the live traffic list:

An unknown location at IP?::1?left?https://mysite.com/wp-login.php?and?was?blocked by login security setting?at?https://mysite.com/wp-login.php

2/4/2024 11:51:50 π.μ. (22 hours 27 mins ago)

IP: ::1

Human/Bot: Human

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36

Most of the messages come back and forth, and I try to figure out if there is any problem with the server, or how this localhost call comes from. I do not know if Wordfence applies localhost when it can not detect an IP correctly.

Let me know your thoughts.

Best Regards

Hi @stevendigital,

Please review the IP detection in Wordfence.  To confirm whether IP detection is an issue, look up your public facing IP address at https://www.whatismyipaddress.com/ and visit Wordfence > Dashboard > Global Options > General Wordfence Options > How does Wordfence get IPs and cycle through the options. Your IP address should match the IP address shown on the line “Your IP with this setting“. Make sure to click SAVE if you have to change this setting.

Once you’ve confirmed the IP detection is working correctly, please review any new blocks.? Are all blocks in Wordfence > Tools > Live Traffic showing a localhost IP or are some blocks for external IP addresses?

Thanks,
Margaret

Hello @wfmargaret

Below my answers on your questions:

Please review the IP detection in Wordfence.? To confirm whether IP detection is an issue, look up your public-facing IP address at?https://www.whatismyipaddress.com/?and visit?Wordfence > Dashboard > Global Options > General Wordfence Options > How does Wordfence get IPs?and cycle through the options. Your IP address should match the IP address shown on the line “Your IP with this setting“.

Checked my IP. Everything shows correctly. My IP matches the settings IP. Did not need to save anything, as it appears as it should.

Once you’ve confirmed the IP detection is working correctly, please review any new blocks.? Are all blocks in?Wordfence > Tools > Live Traffic?showing a localhost IP or are some blocks for external IP addresses?

I have checked the settings that you are refer to. I can see IPs from external addresses and also I can see some unspecified calls on /wp-login.php that contain a local host IP.

Let me know your thoughts.

Best Regards,

Hello @stevendigital,

Thank you for confirming that.  Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email“. Please add your forum username where indicated and respond here after you have sent it.

NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

Please also send us your IP as listed at https://www.whatismyipaddress.com/.? If you would prefer to send that privately, please feel free to email that to wftest @ wordfence . com.? Please add your forum username where indicated and respond here after you have sent it.

Thanks,
Margaret

Hello,

Thank you for your reply. I have done both of them as you requested. I have sent the IP privately via my email address and as a reference, I used my name/username.

Best Regards

Hey, I have the same problem on a few of my websites I noticed blocked calls from 127.0.0.1, and together with them there are other normal calls from random IPs as well. I checked my IP and it matches WordFence settings. Any update on this?

Hello @blazej24,

Up until now, there has been no update. I have not received any update via email, and as you also see, no update here as well.

Will wait and see

@stevendigital

Thanks for your patience here. I’ve checked over the case and the diagnostics and I’m not seeing anything standing out. In the past, we’ve seen this intermittently with Nginx configuration issues.

We recommend to get with your host to look at the raw access logs for the localhost IPv4 and IPv6 addresses. If you see 127.0.0.1 or ::1 in the raw access logs then this would indicate that requests from those localhost IP’s are coming from a proxy server at the host which is not always sending along the client IP.

Thanks,
Scott