Google Project Shield

Hi @foreclosurepedia, thanks for your question.

Whilst there are ways of automatically blocking IPs that attempt to access?a list of pages/paths on your site, there would be no way of then opening that page back up to your IP range without also exempting the range from all other Wordfence rules; which can be dangerous.

There are?.htaccess?changes that could help give the desired result, although we’re unable to support anything outside of the Wordfence plugin going forward:

https://www.ads-software.com/support/article/brute-force-attacks/#limit-access-to-wp-login-php-by-ip

https://stackoverflow.com/questions/4400154/deny-all-allow-only-one-ip-through-htaccess

Thanks,
Peter.

I appreciate such a quick reply! I am currently running Wordfence and have for some years now. So, obviously I want to deploy Project Shield in conjunction with Wordfence. My theory is that it is similar to how Cloudflare works. They are a reverse proxy, by statement and definition which is why I stated that NTP is enabled and Use the X-Forwarded-For HTTP header is selected referencing my Wordfence settings. I presume they are correct (but do not know) and still do not know if their IPs should be added into the Trusted Proxies in Wordfence.

I will forward this to Project Shield and look forward to your reply and will post theirs, regardless. As it is a Google Project, I believe it has significant value not only to journalists such as myself, but the entirety of the internet based upon the ability to learn from the data traffic itself, much like Wordfence.

Below was the reply from the Google Lead Engineer. Do you have suggestions how to deploy this within Wordfence, sans the .htaccess file? Both are currently running; however, the “locking down of the IP addresses” so to speak has not begun as it still reads no firewall protection deployed on the Google side.

“The guidance for the firewall rules is intended to protect your origin from direct attacks. The location of your origin is discoverable information, so attackers could hit it directly and bypass Shield.

All of your legitimate traffic should now be passing through Project Shield. Therefore, you should be able to block everything that is not Shield from reaching your origin. If you also want to allow some other Wordfence IPs at their recommendation, that’s ok – blocking most of the rest of the internet is still a clear improvement to the safety of your server.

We advise you to do this for any page that is publicly accessible – not just your login. You want to block access to any page an attacker could hit. Unfortunately we are not able to assist directly with your origin setup. I can say that a .htaccess file is a common method of doing this kind of blocking, and those articles look like the right information.

Lastly, we do want to reassure you that you already have a lot of protection without taking this last step. This is a recommended step, but not required.”