Increased attack rate but cannot block IP

Hi @neverpaintagain, thanks for getting in touch.

Seeing 127.0.0.1 entries could be down to IP detection being incorrect for visitors to your site in the Wordfence settings. The reason you can’t block that address is because it usually signifies the “localhost” address for your own computer/server so you’d likely be blocking your site from itself by doing so.

When IP detection is wrong, a legitimately triggered block for somebody else may affect all visitors including yourself. Take note of your own IP on your main device: https://www.whatsmyip.org.

Head over to Wordfence > All Options > General Wordfence Options > How does Wordfence get IPs and reference the area under that section that says Detected IPs and Your IP with this setting. See if any of the options there when picked accurately reflect your IP. If one does, don’t forget to hit the SAVE CHANGES button in the top-right after you’re done.

If you need to allow any proxies or read more about the appropriate headers to pick, scroll down a short distance to “How does Wordfence get IPs” here: https://www.wordfence.com/help/dashboard/options/#general-wordfence-options

Let us know how you get on,
Peter.

Hi thank you for your reply. My IP address is already listed under “Allow listed IP addresses that bypass all rules” in the options screen. The strange thing is the offending IP address in my original post is acting like a spambot, and wordfence is blocking it when it tries to access all sort of weird urls that do not relate to my site. Each time it hots it is listed in “live traffic” as

“An unknown location at IP?127.0.0.1?was?blocked by firewall for Known malicious User-Agents?“

….and a WHOIS search tells me this………

NetName: SPECIAL-IPV4-LOOPBACK-IANA-RESERVED
NetHandle: NET-127-0-0-0-1
Parent: ()
NetType: IANA Special Use
OriginAS:
Organization: Internet Assigned Numbers Authority (IANA)
RegDate:
Updated: 2013-08-30
Comment: Addresses starting with “127.” are used when one program needs to talk to another program running on the same machine using the Internet

Comment: Protocol. 127.0.0.1 is the most commonly used address and is called the “loopback” address.

So from one point of view it appears to be harmless and from another point of view it looks and behaves just like a spambot so am very confused, and advice would be helpful.

Hi @neverpaintagain,

It appears your issue may be caused by either a corrupted database or an improper server setting. To fix your issue, please perform one (or all) of the following:

1. Perform a clean-install of Wordfence
2. Re-install WordPress
3. Try this solution (i.e., contact your host)
4. Try this solution (i.e., repair your wp_options database table)

Best wishes!

Can I just confirm @neverpaintagain if you’d already tried the “How does Wordfence get IPs” method in my previous post with no change as well as allowlisting your own IP? We don’t usually recommend doing the latter unless you have a fixed IP, so would be sure it’d not be reassigned to anybody else as this allows the bypass of all Wordfence checks on your site. Are you blocked if your IP isn’t listed there?

Thanks,
Peter.

Hi @neverpaintagain,

We’ve seen a few other cases of this now where customers haven’t changed their Wordfence settings. Not all customers are seeing connections from this IP, so we’re looking into the possibility of server configuration, hosts, plugins or server software/firewalls recently being updated or having their settings changed.

It would assist us to see access logs and diganostics from around the time some more of these 127.0.0.1 entries are next seen. You can send any access log exports and a downloaded diagnostic TXT from Wordfence > Tools > Diagnostics to wftest @ wordfence . com. Just make sure to put your forum username in the subject line and let us know here when you’ve sent them so we can take a look.

Thanks again,
Peter.

Thank you to all who replied, I appreciate the advice. However for some reason the phenomenon has stopped and has not returned but i will keep an eye on it