IP Address Blocked But Now Getting Through??

  • Hi There,

    I have been getting 3 IP address constantly trying to access my WP Admin, thankfully using the wrong username, about 2 weeks ago I manually blocked these 3 IP address which stopped the access, however, for the last week or so they have been getting through, I have re-added them manually but I am still getting email reports that they are still attempting to access the site.

    Its like Wordfence has stopped blocking them. How can I get them blocked again??

    Thanks.

    Best regards

    https://www.ads-software.com/plugins/wordfence/

Viewing 12 replies - 1 through 12 (of 12 total)

  • Hello jalno1,
    you can see which IP-addresses are blocked under “Blocked IPs” in the Wordfence menu. Do you see the IP-addresses you wanted to block there? There is a link next to every blocked IP there that says “[block permanently]. If you click that the IP will continue to be blocked until you manually remove it.

    Thread Starter jalno1

    (@jalno1)

    Hi wfasa,

    Thank you for your reply.

    I have already blocked these IP addresses and they are still in the list as blocked, however, I am getting around 10 to 12 emails a day from WF through my site telling me these 3 IP address are still attempting to ‘sign in’ using different usernames.

    When I first added these IP address I wasn’t getting any notifications from WF but now they seem to either be bypassing the security settings or something so I’ve started getting the email messages again, very strange!!

    Thanks

    Hello again jalno1,
    could you paste in the alert message you are receiving here? You can remove any identifying details from it (like IP-address). I just want to see which alert it is you are getting. Thanks in advance!

    Thread Starter jalno1

    (@jalno1)

    Hi there,

    Here is the email notification I get.

    This email was sent from your website “xxxxxxxxx Internet Marketing” by the Wordfence plugin at Sunday 10th of April 2016 at 03:45:25 PM
    The Wordfence administrative URL for this site is: https://www.xxxxxx.org/wp-admin/admin.php?page=Wordfence

    A user with IP address 46.148.18.162 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username ‘admin’ to try to sign in.
    User IP: 46.148.18.162
    User hostname: 46.148.18.162
    User location: Republic of Lithuania

    This is just one of many from just 3 or 4 ip addresses that are constantly trying to gain access, I have manually blocked these ip’s but they are still able to try, I get at the very least 10 to 12 emails a day from these.

    This sort of thing is apparently not an uncommon problem. It seems that some bad actors can bypass certain IP blocks when they just want to go for the login. Same with server FTP login as well, BTW. First time I read my server logs, I wept.

    https://www.ads-software.com/support/topic/block-direct-access-to-wp-loginphpactionregister?replies=2

    I’ve had 100% success using WPS Hide Login plugin to obfuscate the WordPress login URL. This is one of the most important features Wordfence doesn’t have, in my opinion. Only thing wrong with WPS Hide Login is you can’t rename wp-login.php but have to leave it sitting there on your server. Lame.

    MTN

    Thread Starter jalno1

    (@jalno1)

    Thank you MountainGuy I will certainly give this a try, at the moment the 3 three IPs getting through mostly are using ‘admin’ as the user name or my domain as the user, thankfully I use neither ??

    Thanks for your help!

    Hello jalno1,
    you can also add the username “admin” and your domain name under Wordfence options “Immediately block the IP of users who try to sign in as these usernames”. Of course they will only be blocked for as long as you have specified in the setting “Amount of time a user is locked out”.

    I’ve added ‘admin’ and a whole range of other usernames to my list of users that should be immediately blocked under this Wordfence option but they’re not being blocked immediately. They’re all allowed three attempts to login before they’re blocked. Since three is the maximum number of login attempts anyone is allowed, seems to me that this “Immediately block the IP…” option isn’t working. Or I’m missing something in terms of setting it up.

    Hello lgsm52,
    if you check the database table called “wfHits” and locate those attempts are they all landing within the scope of one second?

    I’m sruggling to identify those specific hits from all the other activity that’s recorded on wfHits. Of the ones I’ve looked at, there are none that suggest consecutive attempts within the space of one second.

    The emails that notify me of attempted logins and their subsequent blocking very definitely record larger intervals than one second – although that’s the interval between one IP address trying and then another trying with the same username; not the interval between a single users three attempts.

    Hello again lgsm52,
    via PhpMyAdmin if you view the table you can choose to sort it by ctime (the timestamp). This way you would be able to see if there are multiple hits within one second. Check out this example. I’m just asking this for debugging purposes. Let me know if you can see it. Thanks in advance!

    Thanks wfasa. I appreciate your input. Just want to let you know that I’m on the road for the next few days so won’t be able to try this until next week.

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘IP Address Blocked But Now Getting Through??’ is closed to new replies.