Firewall Sync Is Excesive

  • I’ve been using Wordfence since it came out and is truly an amazing plugin – thanks!

    The new firewall is great, but it’s really killing my server.

    Just one of my sites alone is getting hundreds of calls like this:
    POST /?wordfence_syncAttackData=1460833091.67

    I don’t see any way to disable the firewall or stop this activity. Ideas?

    https://www.ads-software.com/plugins/wordfence/

Viewing 11 replies - 16 through 26 (of 26 total)

  • Digitsoft,
    thanks for sharing your solution!

    maltris,
    what you describe sounds to me like some problem with wp-cron. Check the Wordfence diagnostics page and see if there are a bunch of odd cron jobs stacked up there.

    I am seeing the same issue on our main site, with multiple hits per second sometimes. What exactly is the syncAttackData doing? Is it a core feature or something we can disable? I haven’t checked the logs for all our sites, but the one site that I know is having this issue is also the only one that sees a substantial (for us) amount of malicious activity. We are using 6.1.14 on WP 4.5.3.

    Anyone? I don’t know if it’s WordPress’ new forum sorting order, but after I posted the thread was not listed on the first page or two.

    Hello djason,

    I experienced the same problem, wrote to the mailinglist and got told in a rude way that it was me causing that problem by sending the same answer twice, which was not true. Glad I am not the only one experiencing problems with the forums.

    Apart from that I would be also interested in what exactly that syncAttackData is doing. I noticed a strange pattern where the excessive sync is happening for users that are over-quota so the script cant write anymore and retries over and over.

    Hello!
    syncAttackData moves information about recent attacks on your site from the files where they are first written to your database. This is done to enable you to see recent attacks labelled as attacks in your Live Traffic feed. There will be more of those calls when you have a lot of attacks. It’s a “light” call resource wise and even if you are seeing lots of them at a particular time it should not be negatively influencing your performance.

    SpeakerB

    (@speakerb)

    Hi – I’m getting the same hits on my Live Feed showing that it’s blocked. But it’s my own IP address and it appears to be generated from inside the WordFence Plugin. It started today after I upgraded the plugin. It says “was blocked for Manual block by administrator.” But I had just logged in and hadn’t done anything. I have opened a ticket, but it may be something you need to look at in the new update. As Maltris states 3 months ago, the hits are coming 6-10 seconds apart and my blocked IP feed is scrolling rapidly.
    Thanks! Below is a sampling of the message in the WordFence Live Feed.

    [my data center city], United States left https://xxx.com/?wordfence_syncAttackData=1477521151.375 and was blocked for Manual block by administrator at https://[mywebsite].com/?wordfence_syncAttackData=1477521151.375
    10/26/2016 3:32:31 PM (24 minutes ago) IP: [my IP address] [block] Hostname: xxx.com
    Browser: undefined
    WordPress/4.6.1; https://www.xxx.com

    SpeakerB

    (@speakerb)

    So my question is, then, why is my own IP address blocked? Or are the attacks coming from the datacenter with my own IP address? I’m confused.
    thanks,
    Beth

    wfasa

    (@wfasa)

    Hi Beth,
    When your own IP is showing up in Live Traffic instead of the actual IP that is visiting your site that usually means that you are behind a proxy of some sort. You may have to change the setting for “How Wordfence gets IPs”.

    However, please note that we did have a bug in a previous version that would cause a similar behavior when using X-Forwarded-For and X-Forwarded-For had multiple values. Are you still experiencing the issue since updating to the latest version of Wordfence?

    SpeakerB

    (@speakerb)

    Hi – most of the issues have been solved and my own IP address is not being blocked now, thanks. However it does appear that I’m getting slammed daily by StatusCake, which now fills my Wordfence Live feed from all over the world. So I’ll start a new post on that. They aren’t playing nice…

    Appreciate everyone’s help. Thank you!

    anfieldleung

    (@anfieldleung)

    Hi,

    I got similar issue 

    
Time:	1 mins ago -- Tue, 22 Nov 16 05:36:16 +0000 -- 1479792976.147300 in Unixtime
Secs since last hit:	0.2199
URL:	https://xxx.com/?wordfence_syncAttackData=1479792976.1423
Type:	Normal request
Referrer:	https://xxx.com/?wordfence_syncAttackData=1479792976.1423
Full Browser ID:	WordPress/4.6.1; https://xxx.com
Location:	Singapore Singapore, Singapore
Time:	1 mins ago -- Tue, 22 Nov 16 05:36:15 +0000 -- 1479792975.927400 in Unixtime
Secs since last hit:	0.5753
URL:	https://xxx.com/?wordfence_syncAttackData=1479792975.9166
Type:	Normal request
Referrer:	https://xxx.com/?wordfence_syncAttackData=1479792975.9166
Full Browser ID:	WordPress/4.6.1; https://xxx.com
Location:	Singapore Singapore, Singapore
Time:	1 mins ago -- Tue, 22 Nov 16 05:36:15 +0000 -- 1479792975.352100 in Unixtime
Secs since last hit:	89.9804
URL:	https://xxx.com/?wordfence_syncAttackData=1479792975.2825
Type:	Normal request
Referrer:	https://xxx.com/?wordfence_syncAttackData=1479792975.2825
Full Browser ID:	WordPress/4.6.1; https://xxx.com
Location:	Singapore Singapore, Singapore

    with latest version on WP and Wordfence. I am not using any proxy and it just suddenly appear rapidly since last 2 weeks. Any idea why it keeps requesting itself?

    anfieldleung

    (@anfieldleung)

    After further investigation, it seems Wordfence treat my server’s wp-cron task as a threaten. My cron task should be up and running from day one, why Wordfence suddenly prompt this out and how to fix it?
    Thanks in advance!

Viewing 11 replies - 16 through 26 (of 26 total)
  • The topic ‘Firewall Sync Is Excesive’ is closed to new replies.