Increased Attack Rate: Blocked for Known malicious User-Agents

  • Resolved diegora

    (@diegora)


    1 year, 5 months ago

    Sometimes I receive emails reporting “Increased Attack Rate. Blocked for Known malicious User-Agents”. It’s usually the same IP and happens overnight. If Wordfence is detecting this same IPs (would change from day to day but usually the same IP or a couple in the same day), why don’t it just blocks the IP permanently instead of blocking attack by attack? Or can I make Wordfence do this from the Options? I don’t feel it’s very safe to just wait for an attack to block it if I already know the IP is malicious, why don’t just block the IP permanently or at least for a few hours or days?

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @diegora, thanks for your question.

    If you find that IPs weren’t blocked for the times set in Wordfence > All Options > Brute Force > Amount of time a user is locked out and Wordfence > All Options > Rate Limiting > How long is an IP address blocked when it breaks a rule?, it’s because some WAF rule blocks aren’t assigned a block expiration time. These in turn never appear on the Firewall > Blocking page for you to review either.

    Wordfence, as an endpoint firewall cannot stop a bot or human from trying to visit your website altogether, but rather deal with the visits appropriately based on your (and our) settings/rules, and their behavior. It’s perfectly normal for Wordfence to deal with these as they occur, especially when the firewall is optimized, as no site content will be served beforehand. Also, IPs are frequently reassigned, so that’s why we wouldn’t permanently block them by design and just deal with the visit(s) in that moment.

    Generally we consider a manual blocking regime unnecessary as it can be time consuming to keep up with current URLs and IP ranges etc. However, if your site is being hit many times from one specific IP over and over, I can see why you’d want to stem the flow yourself. You can permanently set an IP block yourself in the Wordfence > Blocking page.

    Thanks,
    Peter.

Viewing 1 replies (of 1 total)
  • The topic ‘Increased Attack Rate: Blocked for Known malicious User-Agents’ is closed to new replies.