soober99

    (@soober99)


    I’ve been getting regular security lockout messages from a consistent range of IP addresses with varying usernames.

    A lockdown event has occurred due to too many failed login attempts or invalid username: Username: ekzamenov IP Address: 185.119.81.104 IP Range: 185.119.81.*
    
    I've added that IP range to my .htaccess file using the Blacklist Manager, but the lockout messages keep trickling in almost every day.
    
    What I see in the .htaccess file is included below (note, a while back I added another range which is also shown). My webhost is serving up my site using Apache.
    
    Not sure how to block all these login attempts from 185.118.81.*
    Any help is appreciated.
    Many thanks,
    Sue
     
    

    # Apache < 2.3
    <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
    #AIOWPS_IP_BLACKLIST_2_3_START
    Deny from 185.119.81.0/24
    Deny from 202.164.60.0/24
    #AIOWPS_IP_BLACKLIST_2_3_END

    </IfModule>

    # Apache >= 2.3
    <IfModule mod_authz_core.c>
    <RequireAll>
    Require all Granted
    Require not env bad_bot
    #AIOWPS_IP_BLACKLIST_2_4_START
    Require not ip 185.119.81.0/24
    Require not ip 202.164.60.0/24
    #AIOWPS_IP_BLACKLIST_2_4_END

    </RequireAll>
    </IfModule>

    Plugin Support vupdraft

    (@vupdraft)

    Under Firewall>>Basic Firewall Settings can you try checking one of the following two options;

    Completely Block Access To XMLRPC
    Disable Pingback Functionality From XMLRPC

    Thread Starter soober99

    (@soober99)

    I had already checked the box labeled: Check this if you are not using the WP XML-RPC functionality and you want to completely block external access to XMLRPC

    I just checked the other as well but the help text seems to say that you’d use one or the other of these features. Dunno, that’s over my head.

    Btw, I also enabled some simple math captcha and I’m still getting these lockouts so guessing this is someone trying to get in by hand (i.e. not a bot).

    They are all from the same IP range though. I guess I’m still a bit surprised that there is no way to block an IP range. Is this correct?

    Plugin Support vupdraft

    (@vupdraft)

    You can block an IP range.
    To specify an IP range, use a wildcard "*" character. Acceptable ways to use wildcards are shown in the examples below:

    Example 1: 195.47.89.*

    Example 2: 195.47.*.*

    Example 3: 195.*.*.*
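
    The wildcard form the Blacklist Manager accepts and the CIDR form the plugin writes into .htaccess (seen in the original post) are the same range in two notations. The following is an added example, not part of this thread or of the plugin's code, that converts one to the other and reports which configured range covers a given lockout address. It goes slightly beyond the three examples above by also handling a plain address (a /32) and refusing patterns that cannot be expressed as one CIDR block (a non-trailing wildcard, or *.*.*.*). The function names are mine; the addresses are the ones quoted in this thread.

```python
"""Map All In One WP Security's wildcard IP ranges to the CIDR blocks
Apache expects, and check which configured range covers an address.
Added example; the function names are the author's own, not the plugin's."""
from __future__ import annotations

import ipaddress


def wildcard_to_cidr(pattern: str) -> ipaddress.IPv4Network:
    """Convert a trailing-wildcard pattern to an IPv4 network.

    195.47.89.*  -> 195.47.89.0/24
    195.47.*.*   -> 195.47.0.0/16
    195.*.*.*    -> 195.0.0.0/8
    A plain address with no wildcard becomes a /32 (one host).
    """
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {pattern!r}")
    fixed: list[str] = []
    for octet in octets:
        if octet == "*":
            break
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"bad octet {octet!r} in {pattern!r}")
        fixed.append(octet)
    # Only trailing wildcards map onto a single CIDR block; a pattern such as
    # 195.*.89.* is rejected rather than silently widened to a /8.
    if any(octet != "*" for octet in octets[len(fixed):]):
        raise ValueError(f"wildcards must be trailing: {pattern!r}")
    if not fixed:
        raise ValueError("*.*.*.* would deny every address; refusing")
    prefix_len = 8 * len(fixed)
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{prefix_len}")


def matching_ranges(ip: str, patterns: list[str]) -> list[str]:
    """Return the configured patterns whose range contains ip."""
    addr = ipaddress.ip_address(ip)
    return [p for p in patterns if addr in wildcard_to_cidr(p)]


if __name__ == "__main__":
    # Ranges from the thread's .htaccess and the addresses from its lockout notices.
    blacklist = ["185.119.81.*", "202.164.60.*"]
    for pattern in blacklist:
        print(f"{pattern:16} -> Require not ip {wildcard_to_cidr(pattern)}")
    for reported in ("185.119.81.107", "185.118.81.107"):
        print(reported, "covered by", matching_ranges(reported, blacklist) or "nothing")
```

    Running it shows why the typo discussed later in the thread matters: 185.119.81.107 is inside 185.119.81.0/24, while 185.118.81.107 is covered by nothing.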

    Thread Starter soober99

    (@soober99)

    Thanks so much for taking the time to reply.
    I might not have made it clear in my original post but in the blacklist manager I have entered the wildcard as you suggested (in my case 185.118.81.* is the source of all the lockdown events I’m getting).

    I also posted the resulting contents of my .htaccess file (presumably as a result of the action I took in the blacklist manager).
    Note that even though the blacklist manager shows a wildcard, the htaccess file does not.
    Can I just go in and edit the .htaccess file directly?
    Many thanks,
    Sue

    Plugin Support vupdraft

    (@vupdraft)

    The wildcard should not be in the .htaccess.
    Your .htaccess looks correct format-wise.
    However, your .htaccess says the IP range to be blocked is 185.119.81,
    whilst you say your blocked IP range is 185.118.81.
    Can you check that you have blocked the correct range?

    Thread Starter soober99

    (@soober99)

    Thanks for the careful read.
    I will cut and paste from various sources to make sure I don't make any typos:

    in a recent lockdown email I’m seeing IP Address: 185.119.81.107
    in blacklist manager I’ve got 185.119.81.*
    and in the .htaccess file I’ve got: Require not ip 185.119.81.0/24

    So it looks like the typo was in my forum posts only.

    Note: I haven’t had a lockdown event since Tuesday when I checked the disable pingback box as you suggested. Wondering if that fixed it.
    I’ve had multi-day gaps before where I think I’ve succeeded.

    Will follow-up if I get another from same IP range.

    Many thanks,
    Sue

    Plugin Support vupdraft

    (@vupdraft)

    If the issue persists just let us know and we can continue to investigate.

    Thread Starter soober99

    (@soober99)

    ug — yes, the issue persists. I got a couple more last night:

    A lockdown event has occurred due to too many failed login attempts or invalid username:
    Username: 30
    IP Address: 185.119.81.106
    
    IP Range: 185.119.81.*

    Plugin Support vupdraft

    (@vupdraft)

    The username is interesting, do they always have usernames that are just numbers when you get these login attempts?

    Thread Starter soober99

    (@soober99)

    I just noticed this was marked as resolved but it is anything but! (so I unresolved it).
    I am still getting regular user lockout messages from the same domain range.
    Is there really no way to get the .htaccess IP range to do its thing?

    Plugin Support vupdraft

    (@vupdraft)

    To confirm if the blacklist feature works in your site try using your IP address to block yourself temporarily. Please follow the steps below.

    Can you try blocking your IP, to do this;

    1) Make sure you are logged into your server using FTP. This will be handy to unlock yourself if needed.

    2) Log into WordPress admin panel and add your IP address to the blacklist settings.

    3) Try accessing your site from a browser where you are not logged in.

    Thread Starter soober99

    (@soober99)

    Followed steps and was still able to log in using a private browser after adding my IP address using Blacklist manager.
    I also confirmed the .htaccess file had been edited with my IP address added.

    Sooooo, I went looking on my server to make sure there was only one .htaccess and it turns out there IS more than one.

    The wordpress .htaccess that appears to be updated is in the folder:
    /www.sueborchardt.com/web/content/sueBlog (this is where my wordpress is installed)

    But I also found an .htaccess file in /www.sueborchardt.com/web/content
    So, I copied the one from the wordpress dir into this spot and it still lets me log in from my IP address.

    Is the next step to put in a support request with my webhost?
    Many thanks,
    Sue

    Plugin Support vupdraft

    (@vupdraft)

    Hi Sue,

    Yes I would check with your hosts. Could you let us know what they say?

    Thread Starter soober99

    (@soober99)

    ok, I’ve pasted their reply below.

    My first suggestion would be to only use the .htaccess file inside the 'content' folder. Since .htaccess file rules apply to the directory that they live in, as well as all other sub-directories, it can happen that two or more .htaccess files are conflicting with one another. To verify this, try disabling each additional .htaccess file outside of the 'content' folder.

    Next, certain .htaccess rules may be sensitive to where they are located within the .htaccess file and therefore cause an .htaccess not working issue. If upon adding an .htaccess rule you notice that it is not taking effect, try moving it above the previous rule or to the very beginning of your file.

    Finally, your existing .htaccess file might have some bad syntax or other error. So depending on previous changes it might also be beneficial to start with a clean simplified .htaccess file containing just the basics of your WordPress sub-directory install and your security plugin changes.

    I'd done the first thing they suggest, which is to disable the .htaccess in the WordPress install directory (and copied that file one level up into the content dir). Note this is gonna make any changes created by WP plug-ins a chore to update manually.

    The other two suggestions entail venturing out of my wheelhouse! There is a lot of stuff in the current .htaccess file created by All In One WP Security.

    I’m including it in its entirety here:

    
    # BEGIN All In One WP Security
    #AIOWPS_BASIC_HTACCESS_RULES_START
    <Files .htaccess>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    ServerSignature Off
    LimitRequestBody 10485760
    <Files wp-config.php>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    #AIOWPS_BASIC_HTACCESS_RULES_END
    #AIOWPS_PINGBACK_HTACCESS_RULES_START
    <Files xmlrpc.php>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    #AIOWPS_PINGBACK_HTACCESS_RULES_END
    #AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_START
    <Files debug.log>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    #AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_END
    #AIOWPS_DISABLE_INDEX_VIEWS_START
    Options -Indexes
    #AIOWPS_DISABLE_INDEX_VIEWS_END
    #AIOWPS_DISABLE_TRACE_TRACK_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    </IfModule>
    #AIOWPS_DISABLE_TRACE_TRACK_END
    #AIOWPS_FORBID_PROXY_COMMENTS_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^POST
    RewriteCond %{HTTP:VIA} !^$ [OR]
    RewriteCond %{HTTP:FORWARDED} !^$ [OR]
    RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
    RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
    RewriteCond %{HTTP:X_FORWARDED_HOST} !^$ [OR]
    RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
    RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
    RewriteRule wp-comments-post\.php - [F]
    </IfModule>
    #AIOWPS_FORBID_PROXY_COMMENTS_END
    #AIOWPS_SIX_G_BLACKLIST_START
    # 6G FIREWALL/BLACKLIST
    # @ https://perishablepress.com/6g/
    
    # 6G:[QUERY STRINGS]
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
    RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
    RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
    RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
    RewriteRule .* - [F]
    </IfModule>

    # 6G:[REQUEST METHOD]
    <IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
    RewriteRule .* - [F]
    </IfModule>

    # 6G:[REFERRERS]
    <IfModule mod_rewrite.c>
    RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000,}) [NC,OR]
    RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
    RewriteRule .* - [F]
    </IfModule>

    # 6G:[REQUEST STRINGS]
    <IfModule mod_alias.c>
    RedirectMatch 403 (?i)([a-z0-9]{2000,})
    RedirectMatch 403 (?i)(https?|ftp|php):/
    RedirectMatch 403 (?i)(base64_encode)(.*)(\()
    RedirectMatch 403 (?i)(=\'|=\%27|/\'/?)\.
    RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&?)/?$
    RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\"\\")
    RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\|\s|\{|\}|\[|\]|\|)
    RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
    RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
    RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
    RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
    </IfModule>

    # 6G:[USER AGENTS]
    <IfModule mod_setenvif.c>
    SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot
    SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot

    # Apache < 2.3
    <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
    #AIOWPS_IP_BLACKLIST_2_3_START
    Deny from 185.119.81.0/24
    Deny from 202.164.60.0/24
    #AIOWPS_IP_BLACKLIST_2_3_END

    </IfModule>

    # Apache >= 2.3
    <IfModule mod_authz_core.c>
    <RequireAll>
    Require all Granted
    Require not env bad_bot
    #AIOWPS_IP_BLACKLIST_2_4_START
    Require not ip 185.119.81.0/24
    Require not ip 202.164.60.0/24
    #AIOWPS_IP_BLACKLIST_2_4_END

    </RequireAll>
    </IfModule>
    </IfModule>
    #AIOWPS_SIX_G_BLACKLIST_END
    #AIOWPS_FIVE_G_BLACKLIST_START
    # 5G BLACKLIST/FIREWALL (2013)
    # @ https://perishablepress.com/5g-blacklist-2013/

    # 5G:[QUERY STRINGS]
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{QUERY_STRING} (\"|%22).*(<|>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (\\|\.\./|`|='$|=%27$) [NC,OR]
    RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC]
    RewriteRule .* - [F]
    </IfModule>

    # 5G:[USER AGENTS]
    <IfModule mod_setenvif.c>
    # SetEnvIfNoCase User-Agent ^$ keep_out
    SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
    <limit GET POST PUT>
    Order Allow,Deny
    Allow from all
    Deny from env=keep_out
    </limit>
    </IfModule>

    # 5G:[REQUEST STRINGS]
    <IfModule mod_alias.c>
    RedirectMatch 403 (https?|ftp|php)\://
    RedirectMatch 403 /(https?|ima|ucp)/
    RedirectMatch 403 /(Permanent|Better)$
    RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
    RedirectMatch 403 (\,|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
    RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
    RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
    RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
    RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
    RedirectMatch 403 \.well\-known/host\-meta
    RedirectMatch 403 /function\.array\-rand
    RedirectMatch 403 \)\;\$\(this\)\.html\(
    RedirectMatch 403 proc/self/environ
    RedirectMatch 403 msnbot\.htm\)\.\_
    RedirectMatch 403 /ref\.outcontrol
    RedirectMatch 403 com\_cropimage
    RedirectMatch 403 indonesia\.htm
    RedirectMatch 403 \{\$itemURL\}
    RedirectMatch 403 function\(\)
    RedirectMatch 403 labels\.rdf
    RedirectMatch 403 /playing.php
    RedirectMatch 403 muieblackcat
    </IfModule>

    # 5G:[REQUEST METHOD]
    <IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    </IfModule>
    #AIOWPS_FIVE_G_BLACKLIST_END
    #AIOWPS_PREVENT_IMAGE_HOTLINKS_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(.*)?\.sueborchardt\.com/sueBlog [NC]
    RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
    </IfModule>
    #AIOWPS_PREVENT_IMAGE_HOTLINKS_END
    # END All In One WP Security

    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /sueBlog/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /sueBlog/index.php [L]
    </IfModule>

    # END WordPress
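    When blocking your own address has no visible effect, as in the self-test above, the access log is the quickest way to tell whether the "Require not ip" line is being enforced at all: a request whose peer address is in a denied range but which was answered with anything other than 403 reached WordPress, so the directive was not applied to it (a parent .htaccess taking precedence, AllowOverride not permitting the directive, or the plugin's rules not being read at all). The following is an added example, not part of this thread or of the plugin, that runs that check over a few constructed lines in Apache's "combined" log format; the function names are mine and the log lines are made up for the demonstration. It also flags one caveat worth knowing: "Require ip" and "Deny from" compare the address of the TCP peer, so if the site sits behind a reverse proxy or CDN the log shows the proxy's (typically private) address and a denied range for the visitor's address can never match, whatever address the lockout e-mail reports.

```python
"""Check Apache access-log lines against the IP ranges an .htaccess denies.
Added example; function names are the author's own and the log lines below
are constructed for the demonstration, not taken from the thread."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# The ranges from the thread's "Require not ip" lines.
DENIED = ["185.119.81.0/24", "202.164.60.0/24"]

# Addresses a reverse proxy or load balancer would typically appear from.
PROXY_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log (not real traffic): two denied-range peers that were
# still served, one that was correctly refused, one unlisted visitor (from the
# RFC 5737 documentation range), and one request arriving via a private peer.
SAMPLE_LOG = """\
185.119.81.106 - - [14/Mar/2021:02:11:43 +0000] "POST /sueBlog/wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
185.119.81.104 - - [14/Mar/2021:02:12:01 +0000] "GET /sueBlog/wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
202.164.60.17 - - [14/Mar/2021:02:15:27 +0000] "POST /sueBlog/wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Mar/2021:02:20:09 +0000] "GET /sueBlog/ HTTP/1.1" 200 41210 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Mar/2021:02:21:55 +0000] "POST /sueBlog/wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line: str) -> dict | None:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit(lines: list[str], denied_cidrs: list[str]) -> list[tuple[str, str, str, int, str]]:
    """Classify each request by whether the deny list should have stopped it.

    LEAK    peer is in a denied range but was served (status != 403):
            the Require/Deny line was not applied to this request.
    DENIED  peer is in a denied range and got 403, as intended.
    PROXY?  peer is a private or loopback address: Apache is seeing a proxy,
            so a deny list keyed on the visitor's address cannot match.
    OK      unlisted public peer.
    """
    nets = [ipaddress.ip_network(c) for c in denied_cidrs]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # rotation markers, garbage, other LogFormats
        peer = ipaddress.ip_address(rec["peer"])
        if any(peer in net for net in nets):
            verdict = "DENIED" if rec["status"] == 403 else "LEAK"
        elif any(peer in net for net in PROXY_NETS):
            verdict = "PROXY?"
        else:
            verdict = "OK"
        findings.append((rec["peer"], rec["method"], rec["path"], rec["status"], verdict))
    return findings


def summarize(findings: list[tuple[str, str, str, int, str]]) -> Counter:
    """Count verdicts; any LEAK means the .htaccess deny is not in effect."""
    return Counter(f[4] for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG, DENIED)
    for peer, method, path, status, verdict in results:
        print(f"{verdict:7} {peer:16} {method:5} {path} -> {status}")
    print(dict(summarize(results)))
```

    On a real host, feed it the site's access log (the format string above must match the host's LogFormat) and the CIDRs from the #AIOWPS_IP_BLACKLIST_2_4 section. Every LEAK line is a request Apache let through despite the deny; any PROXY? line means the problem is upstream of .htaccess and an IP-based deny on that address will not help until the real client address is restored (for example with mod_remoteip) or the block is done at the proxy.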

    Plugin Contributor Prashant Baldha

    (@pmbaldha)

    @soober99 The stuff that exists in the .htaccess file are firewall rules that are necessary for your WP site protection.

    The topic 'Blocking IP range using Blacklist Manager not working' is closed to new replies.