Blocked: exceeded page not found errors, but no page not found in traffic list

  • Resolved marelise

    (@marelise)


    1 year, 9 months ago

    The developer working on our site build has been locked out, Block reason: exceeded number of page not found errors per minute for humans.

    I don’t see any 404 page visits in the traffic feed.

    When he input the user email address to the blocked notification screen, he got an error: “Sorry your browser sent an invalid security token when trying to use this form”.

    I am trying to figure out if this is a Wordfence bug, or an issue with security on the dev’s side. The 404 rate limit was very strict, I’ve adjusted that to 60 requests per minute. The dev did land on favicon.io page a number of times, but that is excluded from the rate limiting, so I’m not sure what’s going on.

    The page I need help with: [log in to see the link]

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @marelise, thanks for reaching out to us about this.

    Getting caught by “Page not found errors limit for humans” could be because your Rate Limiting settings are very strict. Especially during development when there are a lot of clicks back and forth between pages, background files like CSS, Javascript, Favicons (as you mention) etc. could sometimes be returning a bunch of 404s per page.

    The security token issue may be related to cached admin pages, but we might be able to change the settings to mean the developer doesn’t encounter the problem at all.

    I generally set my Rate Limiting Rules to these values to start with:
    Rate Limiting Screenshot

    • If anyone’s requests exceed – 240 per minute
    • If a crawler’s page views exceed – 120 per minute
    • If a crawler’s pages not found (404s) exceed – 60 per minute
    • If a human’s page views exceed – 120 per minute
    • If a human’s pages not found (404s) exceed – 60 per minute
    • How long is an IP address blocked when it breaks a rule – 30 minutes

    It could also be worth disabling Wordfence if they’re working on a staging or local environment, however try loosening up the settings above a touch if they’re developing on your live site.

    Let me know how that goes,
    Peter.

    Thread Starter marelise

    (@marelise)

    Hey @wfpeter Thank you for the info and settings suggestion.
    I thought I had set the page not found rate limit to align with your suggestion, but after a user being blocked again, I saw that Wordfence had defaulted to a stricter rate limit again.
    I’ve updated those settings again, and hoping it sticks this time ??

    Plugin Support wfpeter

    (@wfpeter)

    It’s interesting to hear the settings may have reverted at some point in the past but I’m confident this isn’t the usual behavior of the plugin so could be related to whether the “save changes” button was clicked, or perhaps if there were any JavaScript errors in the console at the time it was clicked.

    Best of luck with your new settings!
    Peter.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Blocked: exceeded page not found errors, but no page not found in traffic list’ is closed to new replies.