• Resolved gore.m

    (@gorem)


    Hello,
    today our site faced an attack… I found out one thing that I don’t understand:

    Live Traffic shows that the attacker's IP was blocked by the firewall during this time period:
    25. 4. 2019 12:33:46
    25. 4. 2019 12:28:59

    but the same IP was trying to attack (by modifying all our URLs), with a 404 result, during this time period:
    25. 4. 2019 12:33:28
    25. 4. 2019 12:31:32

    So does Wordfence really block the attacker's IP or should it be configured?
    Why was this IP not blocked immediately from 12:28:59 for – let's say – 5 days, and was allowed to cause so many 404 errors?

    Thank you

    PS: What were they trying to do with this (it was added to the end of our URLs; it includes our tel. number, which is coded in the template like href="tel:+420774543249")?:

    /tel:%20420774543249%27%20or%20(1,2)=(select*from(select%20name_const(CHAR(73,83,79,122,81,98,107,120,115,74),1),name_const(CHAR(73,83,79,122,81,98,107,120,115,74),1))a)%20--%20%27x%27=%27x

    • This topic was modified 5 years, 7 months ago by gore.m.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Hey @gorem,

    The Firewall is blocking the requests, not the IP. The modifications of the URLs are a SQL injection attempt that was being blocked by the Firewall. So it’s not that the IPs were being blocked, but that the actual SQL injection attempts were being blocked.

    Please let me know if this helps.

    Thanks,

    Gerroald
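What the request path from the first post decodes to, as an added example that is not part of the thread and is not Wordfence code. The pattern names and the `analyse` helper are assumptions made for this illustration; they are not Wordfence's rule set.

```python
import re
from urllib.parse import unquote

# Request path copied from the first post of this thread.
SAMPLE_PATH = (
    "/tel:%20420774543249%27%20or%20(1,2)=(select*from(select%20name_const("
    "CHAR(73,83,79,122,81,98,107,120,115,74),1),name_const("
    "CHAR(73,83,79,122,81,98,107,120,115,74),1))a)%20--%20%27x%27=%27x"
)

# Illustrative indicators chosen for this example (assumption, not a vendor rule set).
SQLI_PATTERNS = {
    "quote_then_boolean": re.compile(r"'\s*(or|and)\b", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "name_const_call": re.compile(r"\bname_const\s*\(", re.I),
    "sql_comment": re.compile(r"--\s"),
}
CHAR_CALL = re.compile(r"\bCHAR\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.I)

def decode_path(path, max_rounds=3):
    """URL-decode a bounded number of times so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def decode_char_calls(text):
    """Return the strings spelled out by CHAR(n,n,...) calls, in order of appearance."""
    strings = []
    for match in CHAR_CALL.finditer(text):
        codes = [int(n) for n in match.group(1).split(",")]
        strings.append("".join(chr(c) for c in codes if c < 0x110000))
    return strings

def analyse(path):
    """Decode a request path and list which SQL injection indicators it contains."""
    decoded = decode_path(path)
    hits = sorted(name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded))
    return {"decoded": decoded, "indicators": hits,
            "char_strings": decode_char_calls(decoded)}

if __name__ == "__main__":
    report = analyse(SAMPLE_PATH)
    print(report["decoded"])
    print(report["indicators"], report["char_strings"])
```

Both `CHAR()` calls in the request decode to the same string, `ISOzQbkxsJ`.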

    Thread Starter gore.m

    (@gorem)

    Hi @wfgerald
    Thank you for your reply!
    I see, I didn’t know that.
    If I’m right, there is no setting to automatically block those IPs for some time… so is it possible to do it via a function?
    Thank you

    Hey @gorem,

    My apologies for the delayed response. I somehow missed your update.

    You can manually click the IPs if you’d like. But more often than not these are legitimate IPs being used in the attacks. Usually after X amount of time of being unsuccessful they’ll move on. There’s only so much we can do to prevent attacks; it’s more about making sure they aren’t successful, which it sounds like Wordfence is doing.

    Please let us know if anything else comes up.

    Thanks,

    Gerroald

    Thread Starter gore.m

    (@gorem)

    Hi @wfgerald,
    thank you for your reply. Yes, you are right, but… from my point of view… it would be cool to have a function to block such an IP immediately / automatically… rather than wait to see if they will have success :-)… with easy logic: Are you trying to do something wrong here? OK, you are banned/not allowed…

  • The topic ‘Does Wordfence really block attackers IP?’ is closed to new replies.