• Resolved mechx1

    (@mechx1)


    We are running a VPS server behind an NGINX configuration. The NGINX reverse proxy apparently logs all visitors under the server IP by default. That means EVERYBODY trying to log into wp-admin gets locked out when a brute force attack happens. I can see two options under “Where does WordFence get IP” that may help, X-Real-IP HTTP header and X-Forwarded-For HTTP header, but I really don’t know which to pick, or how to find that out. Thanks for any suggestions.

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @mechx1, thanks for your message.

    I think you’re along the right lines with where you’re looking as a result of the issues you’re seeing. Everybody is being detected as the same IP so a lockout for one user will apply to all.

    If you look up your public facing IP address at https://www.whatsmyip.org/ and visit Wordfence > Dashboard > Global Options > General Wordfence Options > “How does Wordfence get IPs” again and cycle through the options, do any match your IP? Make sure to click SAVE if you do have to change this.

    Have you added your proxy IP to the “Trusted Proxy” list in Wordfence > All Options > General Wordfence Options > How does Wordfence get IPs > Edit Trusted Proxies?

    You may find the “How does Wordfence get IPs” section informative too at: https://www.wordfence.com/help/dashboard/options/#general-wordfence-options

    The reverse proxy may need to be configured by your host to pass the user’s correct IP value to the site so that Wordfence can detect it, so it may be worth checking in with their support before getting back to us as this route has been the solution in the past. Let me know how it goes!

    Thanks,

    Peter.
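The trusted-proxy logic discussed in this thread, as an added Python illustration; it is not Wordfence's code and not part of the original posts. The helper name `resolve_client_ip`, the proxy address `127.0.0.1` and the documentation-range visitor addresses are assumptions made for the example.

```python
import ipaddress

def resolve_client_ip(remote_addr, headers, trusted_proxies, source="X-Forwarded-For"):
    """Pick the address to use for lockouts (hypothetical helper, not Wordfence code)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(remote_addr)
    # Believe a header only when the direct peer is one of our own proxies;
    # otherwise any visitor could send the header and pick their own "IP".
    if not is_trusted(peer):
        return str(peer)

    if source == "X-Real-IP":
        candidates = [headers.get("X-Real-IP", "")]
    else:
        # Each proxy appends the peer it saw, so the right-most entries are
        # the ones written by our proxies; walk the list from the right.
        candidates = reversed(headers.get("X-Forwarded-For", "").split(","))

    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            break  # missing or malformed value: fall back to the peer
        if not is_trusted(ip):
            return str(ip)
    return str(peer)

if __name__ == "__main__":
    proxies = ["127.0.0.1/32"]  # assumption: NGINX runs on the same VPS
    # Constructed requests (documentation-range addresses)
    requests = [
        ("127.0.0.1", {}),
        ("127.0.0.1", {"X-Forwarded-For": "203.0.113.7"}),
        ("127.0.0.1", {"X-Forwarded-For": "198.51.100.99, 203.0.113.7"}),
        ("198.51.100.23", {"X-Forwarded-For": "203.0.113.7"}),
    ]
    for peer, hdrs in requests:
        print(peer, hdrs, "->", resolve_client_ip(peer, hdrs, proxies))
```

The first constructed request reproduces the symptom from the question: with no header passed by the proxy, every visitor resolves to the proxy's own address, so one lockout applies to all.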

  • The topic ‘Brute force attack locks everybody out.’ is closed to new replies.