• Resolved jderosa

    (@jderosa)


    I am confused about how the firewall works when someone breaks a rule. I have a site set up with “How long is an IP address blocked when it breaks a rule” set to 5 days. This seems to work correctly for accessing restricted pages, etc.

    However, I continue to see users from the same IP be able to perform actual malicious attacks over and over, yet the IP is not blocked. Why are they even able to attempt the 2nd attack? What am I misunderstanding?

    I have a screenshot that I can provide which illustrates my issue if that helps.

    Thanks in advance.

Viewing 13 replies - 1 through 13 (of 13 total)
  • Hi @jderosa,

    Can you take a screenshot of Wordfence -> Live Traffic?

    I’m trying to see if the IP address is being marked as blocked when it first attacks, and seeing if subsequent attacks are also blocked or not.

    Is it possible that the IP address being detected from the attacker is whitelisted? (What is the IP?)

    Dave

    Thread Starter jderosa

    (@jderosa)

    I have no whitelisted IP addresses.

    This is how the Live Traffic screen looked immediately afterwards. I have since manually blocked the IP permanently. But, it appears that the attack was blocked, but the address was not, as there are pages of different attacks continuing from the same IP.

    I would assume that after the first attempt, the IP would be blocked and would not be able to attempt any further antics.

    screenshot: https://www.dropbox.com/s/ws1xe4fa92fq5ad/Capture1.jpg?dl=0

    Thanks for the help.

    Thread Starter jderosa

    (@jderosa)

    Hi. Have you had a chance to look at this yet?

    Thread Starter jderosa

    (@jderosa)

    Hi. Can I get some followup on this issue, please?

    Hey @jderosa,

    I’m just following up with you from our previous thread.

    Has this still been happening with this particular IP?

    Does it happen with any other IPs?

    Can you share a more recent screenshot of the issue?

    Thanks,

    Gerroald

    Thread Starter jderosa

    (@jderosa)

    Thanks for the followup. This is how most of the actual “attacks” appear in my log. It appears that rather than blocking the IP immediately after a rule break, they are able to continue trying multiple vectors of attack.

    This happens with all IPs.

    Other, more simple things such as accessing a banned URL appear to block correctly and do not allow followup attempts.

    Here is the most recent one: https://www.dropbox.com/s/32bql9gnqof1oke/Capture2.jpg?dl=0

    Thanks,
    Jim

    Thread Starter jderosa

    (@jderosa)

    Hello? I have sent the information you’ve requested. Do you need additional information, or can you assist?

    It’s been a bit of time since I responded…

    Thread Starter jderosa

    (@jderosa)

    Guys. This is getting comically silly. Can I get someone to stick with me until my problem is solved?

    Yes, you can. We were actually discussing this in our team meeting today. I think the problem is one of understanding of what the blocking is actually doing. Short of actually going to the physical location of the IP address attempting to compromise the site and ripping the internet cable from the wall you can’t actually stop them from trying. No plugin or firewall would be able to do that. In every single instance that you showed in the screenshot the Firewall is doing its job and blocking it straight away. If you would like to permanently block the IP address, you can click the button in the same place you took the screenshot for me. If it shows up enough on sites it winds up on the IP Blacklist and is blocked automatically (That particular IP has been blacklisted since 2019-06-05) but that is a premium feature.

    I also think it would be your preference that the IP be immediately permanently blocked? The reason behind not doing that is hackers, scripts, and bots change IPs like my daughter changes shoes. As soon as one is blocked enough times they swap the old IP for a new one to try another method of accessing the site or move on to the next site and try again. Blocking the IP address long term isn’t the most effective solution since the potential exists that you may be blocking legitimate visitors at some point. Our IP Blacklist rotates the IPs in and out as we catch the offending ones. I think currently the list has about 25,000 IPs in there. Even so, because the firewall runs before everything else on your site, even if you have blocked the IP the result in Live Traffic will show it was blocked by the Firewall because the Firewall blocked the attempt first.

    In short, Wordfence is blocking these visits as shown in your screenshots. I hope this helps you understand what is happening.

    Thread Starter jderosa

    (@jderosa)

    I suppose it is possible that I’m misunderstanding what “Blocking” should do. Let me explain what I’m seeing, then you tell me how I’m missing anything.

    It seems like you’re misunderstanding my concern, not the other way around.

    Scenario 1: (see screenshot here)

    • Attacker goes to site https://www.xxx.com/xmlrpc.php
    • Attacker is blocked from executing the action
    • Attacker IP is also blocked for period of time
    • Admin has option to unblock, obviously indicating that the IP is blocked

    Scenario 2: (see screenshot here)

    • Attacker executes more advanced attack listed as against the rules
    • Attacker is blocked from executing the action
    • Attacker IP is not blocked and can try again with other vectors of attack
    • Admin has option to block IP, indicating that the IP is not currently blocked and requires manual intervention to block

    As you can imagine, in the 2nd scenario, if the attacker is particularly good, they now have more opportunities to attack the site, possibly with an attack that WPFence is not aware of and cannot defend against.

    Does it seem like I’m understanding what’s happening? Does it seem like what’s happening is correct?

    Please advise.

    Thread Starter jderosa

    (@jderosa)

    Can someone please respond?

    Again, the IP is blocked by the firewall because it executes first, before the site even loads. Blocking the IP won’t do any good because it doesn’t even get to the site to be blocked. If you want to block the IP then click the Block IP button in the Live Traffic result in your screenshot.

    Tim
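    The ordering Tim describes (a firewall stage that inspects every request before the site loads, followed by a site-level stage that keeps a time-limited IP block list) is easier to reason about as a small model. The following is an added illustration written for this thread, not Wordfence’s code: the stage names, the signature list, the `BANNED_URLS` set and the `Pipeline` class are all constructed assumptions that mirror the behaviour described above, and the 5-day expiry comes from the setting quoted in the first post. It shows why a request matched by a firewall rule is logged as “blocked by firewall” every time without the IP ever entering the block list, why a banned URL does add the IP, and why even a blocked IP still shows up as a firewall block when its next request also trips a rule.

```python
"""Toy model of a two-stage request pipeline (constructed; not Wordfence code).

Stage 1 (firewall): pattern-matches each request and blocks the *request* only.
Stage 2 (site blocking): consults a time-limited IP block list and adds IPs
that hit a banned URL. Stage 1 always runs first, as described in the thread.
"""
from dataclasses import dataclass

BLOCK_SECONDS = 5 * 24 * 3600          # "5 days", the setting from the first post
BANNED_URLS = {"/xmlrpc.php"}           # assumed example of a restricted page
# Assumed, deliberately crude attack signatures for the illustration only.
SIGNATURES = ("union select", "<script", "../../")


@dataclass
class Request:
    ip: str
    path: str
    body: str = ""


class Pipeline:
    def __init__(self, clock):
        self.clock = clock                 # callable returning "now" in seconds
        self.blocked_until = {}            # ip -> expiry timestamp (inf = permanent)
        self.log = []                      # (ip, path, verdict), like a Live Traffic view

    # --- stage 1: firewall rules, request-level only -----------------------
    def firewall_stage(self, req):
        haystack = (req.path + " " + req.body).lower()
        if any(sig in haystack for sig in SIGNATURES):
            return "blocked_by_firewall"   # request dropped; IP list untouched
        return None

    # --- stage 2: site-level IP blocking with expiry -----------------------
    def block_stage(self, req):
        expiry = self.blocked_until.get(req.ip)
        if expiry is not None:
            if self.clock() < expiry:
                return "blocked_ip"        # still inside the block window
            del self.blocked_until[req.ip]  # window elapsed: block expires
        if req.path in BANNED_URLS:
            # Restricted page: block the request AND start the IP block window.
            self.blocked_until[req.ip] = self.clock() + BLOCK_SECONDS
            return "banned_url_ip_blocked"
        return None

    def manual_block(self, ip):
        """The 'Block IP' button from the thread: a permanent entry."""
        self.blocked_until[ip] = float("inf")

    def is_ip_blocked(self, ip):
        return ip in self.blocked_until and self.clock() < self.blocked_until[ip]

    def handle(self, req):
        verdict = self.firewall_stage(req) or self.block_stage(req) or "served"
        self.log.append((req.ip, req.path, verdict))
        return verdict


def run_scenario():
    """Replay the two scenarios from the thread against a fake clock."""
    now = [1_000_000.0]                    # mutable so the test can advance time
    p = Pipeline(clock=lambda: now[0])
    attacker = "198.51.100.7"              # constructed, documentation-range IP

    v1 = p.handle(Request(attacker, "/wp-login.php", "user' UNION SELECT 1,2--"))
    v2 = p.handle(Request(attacker, "/?s=<script>alert(1)</script>"))
    blocked_after_rules = p.is_ip_blocked(attacker)      # False: rules don't block IPs
    v3 = p.handle(Request(attacker, "/xmlrpc.php"))
    blocked_after_banned = p.is_ip_blocked(attacker)     # True: banned URL starts window
    v4 = p.handle(Request(attacker, "/index.php"))
    v5 = p.handle(Request(attacker, "/index.php", "../../etc/passwd"))  # firewall wins
    now[0] += BLOCK_SECONDS + 1                          # five days pass
    v6 = p.handle(Request(attacker, "/index.php"))      # window expired
    return {
        "verdicts": [v1, v2, v3, v4, v5, v6],
        "blocked_after_rules": blocked_after_rules,
        "blocked_after_banned": blocked_after_banned,
        "pipeline": p,
    }


if __name__ == "__main__":
    for entry in run_scenario()["pipeline"].log:
        print(entry)
```

Reading the log that `run_scenario()` produces side by side with the thread: the first two entries are the “blocked, but the IP is not” pattern from Scenario 2, the `/xmlrpc.php` entry is Scenario 1, and the fifth entry shows a blocked IP still being reported as a firewall block because the firewall stage ran first. Closing the gap jderosa is asking about would mean feeding firewall-rule hits into `blocked_until` as well, which this model, like the behaviour described in the thread, deliberately does not do.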

    Thread Starter jderosa

    (@jderosa)

    I understand. But why does it automatically block the IP for other types of attacks, but not these, which are arguably more dangerous?

  • The topic ‘Blocking activity but not IP addresses?’ is closed to new replies.