• Resolved starsknight

    (@starsknight)


    Hi there,

    Over the past few days, I’ve gotten an increasing number of “User locked out from signing in” messages, all with the same IP address. But when I went to block it, I realized that WordFence identified it as my IP address. It’s not my IP address. I tried accessing from another IP address, and again, WordFence recorded it as the same incorrect IP address. (In case it is helpful, the IP address WordFence is consistently identifying is 173.236.11.190.)

    I tried changing the IP detection method, but no option yields any other result. Every time, it identifies my IP address as the 173 one.

    WordFence says it blocked over 25,000 brute-force attacks today, all from this same IP. I don’t know whether this was a real attack, or whether it’s a glitch in the plugin. Stopped seeing new login attempts after I changed the IP detection method a couple times, but it’s now right back where it started (REMOTE_ADDR). Don’t know if the cessation of activity was related, or a coincidence.

    Final (possibly relevant) bit of information: While WordFence was misidentifying my IP as of yesterday, it wasn’t until today that I got an error message from it that it was unable to accurately detect IPs. After I switched IP detection methods around, the alert disappeared . . . despite the fact that the detection method is right back where it started.

    I’ve perused the forums and help pages, but haven’t been able to find anything that’s helped in this particular situation. I’d appreciate any advice you can offer.

    Thanks in advance for your time and help!

Viewing 8 replies - 31 through 38 (of 38 total)
  • Hristo Pandjarov

    (@hristo-sg)

    SiteGround Representative

    Not trying to put blame at all. I am merely explaining the situation. We’ve sent enough notices so cases like this are minimal. The fact that you get just a handful of complaints out of the millions of sites we host really proves me right.

    Again – ping me directly so we can work together to make the config process seamless. As to the migration issue there is no point to discuss it further since it is already ongoing and soon to be done.

    @hristo-sg @wfsupport

    So trying to get this straight between both your responses. The 4 hours+ it took us the other day on behalf of our client that we can’t bill for. No one is going to pay hundreds of dollars for an IP issue that might have been a false positive, yet that client wouldn’t have the experience to ask some of the right questions and be concerned when they got notifications from Wordfence their site could be vulnerable.

    What really caused this? At this point it sounds like a SiteGround IP redirection strategy or application that didn’t go so well, not a Wordfence issue. Never really getting to an answer here. Just got explanations from SiteGround chat agents, supervisors and escalation team over and over again that SiteGround had nothing to do with it. Wordfence seems to say their plugin wouldn’t generate that warning from any sort of caching issue.

    @hristo-sg Glad it will soon be over, but I’d really like a straight answer on this because it had a very negative impact. I’d like to keep all our agency clients at SiteGround.

    • This reply was modified 4 years, 12 months ago by sagency.
    Thread Starter starsknight

    (@starsknight)

    OP here – Just a followup to say IP identification is working fine now.

    Thanks to everyone who helped to resolve this/provide additional info, and I wish anyone with continuing issues the best of luck in getting them resolved!

    @starsknight can you shed any light as to why it started working for you? Did you contact SiteGround? Did you update domain settings? Asking for the benefit of others who find this post.

    In our case all the IP detection methods showed my correct IP so switching them would have made no difference.

    Thread Starter starsknight

    (@starsknight)

    @sdagency – Oh, sorry, good point. I’d said in an earlier post I planned to update the A record, but didn’t specify that in the resolution post.

    In our case, all that was needed was going to DNS settings and updating the A record. The only reason we had problems at all was bad timing: we were transitioning management of the site when the server change was announced, which resulted in no one having all relevant info at the right time. So no one realized there was a problem until the IP identification went haywire.

    Ours was an easy fix. For some other people with this issue, you included, it sounds like it will be more complicated. Best of luck!

    Hristo Pandjarov

    (@hristo-sg)

    SiteGround Representative

    @sdagency I don’t know how to be more straightforward. We have sent notifications before we make the switch to the new server providing the new IP. We have sent additional notification regarding the forwarder placed and the need to update the IP. This forwarder is done on a very basic level so it does not cause additional load on the servers thus plugins like WF cannot detect it and mark all traffic coming from it as malicious / spam / ddos blocking it and effectively shutting down your site.

    @hristo-sg
    As we stated several times, our client did receive your initial notification and did change the A record ASAP, but after 4 days the problem still occurred even after full, successful propagation until we persistently addressed it with SiteGround technical support. Only then was the problem resolved.

    Our client never experienced a brute force attack or a false one, just the IP detection. Wordfence seems to stand by it was not caused by their plugin caching. Both myself and another user could verify that. So your redirection being basic or not causing an additional load is totally irrelevant in our situation.

    We’ll chalk it up as an internet mystery since we both have better things to do. Hopefully SiteGround will smooth out a bit after the transition to Site Tools away from CPanel, migrating to Google Servers, problems with SpamExperts server clusters, etc. SiteGround has still been the best hosting experience we’ve had moving away from Endurance owned hosting brands.

    • This reply was modified 4 years, 12 months ago by sagency.

    Wow. Stunned.

    • This reply was modified 4 years, 10 months ago by sagency.
  • The topic ‘Inaccurate IP detection accompanied by brute-force attack’ is closed to new replies.
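
Added example, not part of the thread and not Wordfence or SiteGround code: a triage check for the symptom discussed above, where every request (including the site owner's own) is logged under one REMOTE_ADDR while the domain's A record still points at the old server. The log lines, addresses (documentation ranges), thresholds and the `diagnose` function are constructed for illustration; the A records and the current server IP are passed in rather than looked up, so it runs offline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log: one source IP, many unrelated clients.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 - - [01/Mar/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.22"
198.51.100.7 - - [01/Mar/2020:10:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.7 - - [01/Mar/2020:10:00:04 +0000] "GET / HTTP/1.1" 200 7000 "-" "Googlebot/2.1"
198.51.100.7 - - [01/Mar/2020:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "curl/7.64"
"""

# Combined log format: client IP first, user agent in the last quoted field.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "([^"]*)"$')

def diagnose(log_text, a_records, server_ip, share=0.9, min_agents=4):
    """Separate 'one attacker' from 'all traffic arrives through one upstream hop'."""
    hits, agents = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ua = m.groups()
        hits[ip] += 1
        agents[ip].add(ua)
    if not hits:
        return {"verdict": "no-data"}
    top_ip, count = hits.most_common(1)[0]
    top_share = count / sum(hits.values())
    # DNS is stale when the published A records do not include the current server.
    stale_dns = server_ip not in a_records
    # A single attacker rarely presents browsers, crawlers and scripts at once;
    # a forwarder or proxy in front of the site does.
    looks_proxied = top_share >= share and len(agents[top_ip]) >= min_agents
    if looks_proxied and stale_dns:
        verdict = "forwarded-via-stale-dns"   # fix the A record before blocking
    elif looks_proxied:
        verdict = "upstream-proxy-suspected"  # review the IP detection method
    elif top_share >= share:
        verdict = "single-source-traffic"     # plausibly one real client
    else:
        verdict = "normal-distribution"
    return {"top_ip": top_ip, "share": top_share, "agents": len(agents[top_ip]),
            "stale_dns": stale_dns, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, ["198.51.100.7"], "203.0.113.20"))
```

Blocking the dominant address in the first verdict would cut off every visitor, which is why the check comes before any block rule.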