• Resolved starapple

    (@starapple)


    I get scores of emails per day about IPs being blocked for too many attempts to break into the admin area of our site. What I notice is that while there might be 30 different IP addresses, the usernames might be the same or slight variations of a basic one. For example, I just noticed wadminw was associated with supposed tries from France, Holland and Germany, an almost impossible probability that three hackers in different countries decided on the same username (outside of the usual admin).

    How effective is WordFence really if many of the IP addresses blocked are not those of the hackers but legitimate users who on an off chance might visit the site and find themselves locked out?

    What also befuddles me is that while anyone attempting to access example.com/wp-admin is automatically sent to a 404 page, these many attempts at breaking in can still access the log-in URL.

    Is there something to be fixed or corrected?

    • This topic was modified 1 year, 6 months ago by starapple.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter starapple

    (@starapple)

    The latest examples (highlighted) of the same username coming from different supposed countries only seconds apart:

    “The last username they tried to sign in with was: ‘Support‘.
    “The duration of the lockout is 2 months.
    User IP: 13.237.17.8
    User hostname: ec2-13-237-17-8.ap-southeast-2.compute.amazonaws.com
    User location: Sydney, New South Wales, Australia

    (2) “The last username they tried to sign in with was: ‘Support‘.
    “The duration of the lockout is 2 months.
    User IP: 52.66.170.70
    User hostname: ec2-52-66-170-70.ap-south-1.compute.amazonaws.com
    User location: Mumbai, India

    And then I get a report about all the IPs blocked by country.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @starapple, thanks for your questions.

    If you believe any of these attempts are legitimate users, we recommend that online stores, or sites that handle many user logins, have strict settings such as Wordfence > All Options > Brute Force Protection > Immediately lock out invalid usernames turned off.

    You can also check if IP detection on your site is working properly to see whether blocks intended for malicious activity are also affecting legitimate visitors. Take note of your own IP – (note that this detection can sometimes not be 100% accurate on cellular phone network connections): https://www.whatsmyip.org. Then head over to Wordfence > All Options > General Wordfence Options > How does Wordfence get IPs and reference the area under that section that says Detected IPs and Your IP with this setting. See if any of the options there when picked accurately reflect your IP. If one does, don’t forget to hit the SAVE CHANGES button in the top-right after you’re done.

    If the above options seem to be fine, seeing many access attempts such as this, especially if there seems to be no logical reason can be frustrating, but is actually quite a normal occurrence. You might find the following blog post interesting: https://www.wordfence.com/blog/2018/03/ask-wordfence-why-is-an-insignificant-site-like-mine-being-attacked/

    Wordfence, as an endpoint firewall, cannot stop a bot or human from trying to visit your website altogether, but rather deal with the visits appropriately based on your settings, and their behavior. If you’re noticing many of these are spam registration/sign-in attempts, having reCAPTCHA enabled should dramatically reduce the amount of username submissions as shown in your Live Traffic examples above.

    Let me know how you get on!
    Peter.

    Thread Starter starapple

    (@starapple)

    Thanks for your suggestion @wfpeter. I will add the reCAPTCHA presently. I believe it is one person working his butt off trying to gain entry because of the frequency of the usernames in each cycle of attacks. They change their IP but give each username a few tries.

    I’ll read that article because I ask myself the same question.

    Mark.

    Plugin Support wfpeter

    (@wfpeter)

    No worries, best of luck going forward @starapple.

    If you have further Wordfence questions in future by all means start up a new topic and we’ll be glad to help out.

    Peter.

  • The topic ‘Is Site Under Attack by Spoofed IPs or From Behind VPN?’ is closed to new replies.