• Resolved rickytic

    (@rickytic)


    I’m trying to figure out how the Wordfence firewall works relative to intrusion attempts. Specifically, if I am running a separate plugin to block IPs…yet I still see those IPs in Wordfence’s Live Traffic feed…is that “proof” that I am not really blocking those IPs? You’d think it’s a simple answer (YES), but…

    I’ve tested geographic blocking and successfully generated 403 errors in each instance – suggesting the blocking works…yet I will still see the full URL of the attempt in Live Traffic. I’ve also checked my log files (which also back up successful rule engagement/blocking).

    Are these ‘phantom’ hits? Intrusion attempts that are not really reaching the website even though I am seeing them in the Wordfence plugin?

    FYI – I couldn’t get a clear answer from the other plugin author. Simply said hook conflicts. My own ignorance no doubt, but made no sense.


Viewing 3 replies - 1 through 3 (of 3 total)
  • Think of the flow this way:

    Welcome user or bad guy –> Internet –> Apache/Nginx Web Server –> WordPress

    All of your plugins exist within WordPress, so everything you see traffic-wise in a WordPress plugin means that traffic got past Apache/Nginx all the way to WordPress. This means it hit everything hardware-wise up to and including your web server, since that’s where WordPress lives.

    Once the traffic hit WordPress, your plugins that handle incoming requests are executed in a priority order, including Wordfence and your other security plugin. If either plugin decides it’s a request from a bad guy, that plugin returns a 403 or 503 or whatever non-200 HTTP code is appropriate. In Wordfence’s case, with its default settings, WordPress also serves a custom error page back to the bad guy. If all of your security plugins say “good guy”, WordPress serves an HTTP 200 (OK) status back with the actual web site page requested. In either the good or bad case, your web server is sending a page and an appropriate status code back to the requestor.

    Enterprise sites usually have some sort of separate front end protection that sits between their actual web servers and incoming traffic and handles this separately so that bad traffic never hits the web server, but in your case and most smaller WordPress site cases, it’s all your web server and WordPress handling all of it. “Blocking” in this case is best thought of as “blocked from seeing legitimate content on my WordPress site” rather than “blocked from my WordPress site”. In your case, it sounds like Wordfence is being executed as a higher priority plugin before your other security plugin where you block the traffic, so Wordfence sees it and logs it first.

    Make sense?

    • This reply was modified 4 years, 9 months ago by bretlowery1.
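
Added example, not part of the original thread or of either plugin's code: one way to check the flow described in the reply above against the web server's own access log. It assumes Combined Log Format, treats 403 and 503 as the "denied" codes named in the reply, and uses constructed log lines and a constructed blocklist.

```python
import re
from collections import defaultdict

# Combined Log Format: capture the client IP and the HTTP status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

# Status codes treated as "denied" (assumption, taken from the reply's 403/503).
DENY_CODES = {403, 503}

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 403 1532 "-" "curl/7.68.0"
203.0.113.7 - - [12/Mar/2021:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 1532 "-" "curl/7.68.0"
198.51.100.23 - - [12/Mar/2021:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2021:10:02:15 +0000] "GET /?author=1 HTTP/1.1" 503 910 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2021:10:03:00 +0000] "GET / HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
"""

# Constructed blocklist standing in for the IPs configured in the blocking plugin.
BLOCKLIST = {"203.0.113.7", "198.51.100.23", "203.0.113.99"}


def classify_blocked_ips(log_text, blocklist):
    """Return {ip: verdict} for every blocklisted IP, based on logged status codes."""
    statuses = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(1) in blocklist:
            statuses[m.group(1)].append(int(m.group(2)))

    verdicts = {}
    for ip in sorted(blocklist):
        codes = statuses.get(ip, [])
        if not codes:
            # Either stopped before the web server or the IP never sent a request.
            verdicts[ip] = "no requests logged"
        elif all(c in DENY_CODES for c in codes):
            # The request reached the server and WordPress, and was refused there.
            verdicts[ip] = "reached server, every request denied"
        else:
            # At least one request got a non-deny response: the block has gaps.
            verdicts[ip] = "reached server, some requests not denied"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_blocked_ips(SAMPLE_LOG, BLOCKLIST).items():
        print(f"{ip:16} {verdict}")
```

An IP that shows up in the log with only 403/503 responses matches the reply's description: the request arrived at the web server and was refused there, which is why a plugin inside WordPress can still log it.
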
    Thread Starter rickytic

    (@rickytic)

    bretlowery1 – this is a brilliant explanation. thank you for taking the time to explain it. appreciated!

    Thread Starter rickytic

    (@rickytic)

    FYI…Marking as resolved.

  • The topic ‘Does the Firewall record “Blocked” IPs that never actually reach the website?’ is closed to new replies.