• Resolved mrjgardiner

    (@mrjgardiner)


    Today I received a bunch of e-mails from our followers who couldn’t access the site. They were getting the message that they were locked out by the “Login Security Setting.”

    I checked the blocked IP’s by the login security and noticed that “255.255.255.255” was blocked with hundreds of hits. I unblocked this IP and noticed legit traffic started pouring in from it.

    An unknown location at IP 255.255.255.255 visited https://gospelebooks.net/
    2 minutes ago IP: 255.255.255.255 [block]
    Browser: Safari version 0.0 running on iOS
    Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B410 Safari/600.1.4

    I think the fact that this IP got blocked affected a bunch of people. Any idea why there are so many unknown location 255.255.255.255 visits? What can I do to make sure this doesn’t happen again?

    I’m using the old 5.3.8 version of this plugin as my WordPress is 3.6.1 and I can’t update that due to the site changes. I noticed the latest versions of WordPress say I need version 3.9 or higher so I never upgraded. But once again, the issue only appeared today.

    https://www.ads-software.com/plugins/wordfence/

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author WFMattR

    (@wfmattr)

    There might be something your host has changed that is changing how Wordfence sees visitors’ IP addresses. If you are using a reverse proxy (or if you’re not sure if you are or not), can you check the setting “How does Wordfence get IPs” on the Wordfence Options page?

    I don’t remember if your version of Wordfence has it, but also on the options page, look for a link that says “Click to view your system’s configuration in a new window” near the bottom of the options. Click it, and scroll to the bottom of that (very long) page, and look for these two items in the last table:
    _SERVER[“HTTP_X_FORWARDED_FOR”]
    _SERVER[“HTTP_X_REAL_IP”]

    If those appear, and have IP addresses other than 255.255.255.255, that will determine which option to set above.

    Even if this fixes it, I still recommend getting WordPress and Wordfence updated to the latest versions as soon as you can, even if you need to find a developer to help. Eventually something on the site will stop working, and the site may not be safe from many attacks.

    Thread Starter mrjgardiner

    (@mrjgardiner)

    Thanks for the reply.

    Under “How does Wordfence get IP’s” it says:

    “Let Wordfence use the most secure method to get visitor IP addresses. Prevents spoofing and works with most sites.”

    “If those appear, and have IP addresses other than 255.255.255.255, that will determine which option to set above.”

    They do have different IPs. Not the 255 one.

    So what do I do, I’m constantly being hammered with login requests from someone on this 255.255.255.255 address. I’m sure I get 50 failed login attempt emails from this person every day. I can’t ban the IP as other people end up getting affected.

    When I look under live traffic I see lots of other IP addresses.

    Plugin Author WFMattR

    (@wfmattr)

    Ok, in your Wordfence Options, for “How does Wordfence get IPs”, you’ll need to choose one of these options:

    If you use CloudFlare, choose the last option, which says “CF-Connecting-IP”

    If you don’t use CloudFlare, choose the one that says “X-Real-IP”.

    Then check your Live Traffic, and see if visits have the correct IP. The fastest way to check is to visit from another browser where you’re not logged into WordPress — that visit should have your IP address. (If you’re not sure what your public IP is, you can google “my ip” to verify it.)

    Thread Starter mrjgardiner

    (@mrjgardiner)

    I do use Cloudflare. I tried both and refreshed the live traffic each time. Same thing, most IP’s show but still some 255’s.

    See screenshots:

    CF-Connecting: https://www.dropbox.com/s/dyd5lvdeu1pxa63/Screenshot%202015-07-29%2008.12.57.png?dl=0

    X-Real-Ip: https://www.dropbox.com/s/og4cuh8472735kt/Screenshot%202015-07-29%2008.16.07.png?dl=0

    Here’s the login attempts: https://www.dropbox.com/s/rinc6cs9k9vlp0h/Screenshot%202015-07-29%2009.41.41.png?dl=0

    Plugin Author WFMattR

    (@wfmattr)

    Ok, it sounds like the only solution is to update WordPress and Wordfence. The dev team mentioned that this could be caused by traffic from IPv6 addresses, which were not supported by the old version of Wordfence that you are using.

    WordPress 3.6.1 also has known vulnerabilities, so it really is critical to update — even if you need to pay a developer/designer to fix the site layout and such, it will probably not cost as much as trying to recover after the site is compromised.

    Thread Starter mrjgardiner

    (@mrjgardiner)

    Upgrading WordPress is not an option at this time.

    Is there any version of Wordfence above what I have that you think may work with 3.6.1 or is guaranteed to not work?

    Plugin Author WFMattR

    (@wfmattr)

    I’m sorry, but updating is really the only safe option. A newer version of Wordfence might seem to work, but still cannot protect an old version of WordPress correctly.

    Thread Starter mrjgardiner

    (@mrjgardiner)

    I appreciate the information. Just to let you know I did fix the problem.

    Here’s what I did. As you suggested I kept: “CF-Connecting” then on Cloudflare I enabled “Pseudo IPv4” and selected “Overwrite headers”.

    That says it adds an IPv4 header to requests when a client is using IPv6, but the server only supports IPv4.

    So now I see everyone with a unique address. Am I safe to ban these offending IP addresses now? Just want to ask since I’m not really super familiar with this IPv4, IPv6, Pseudo IPv4 stuff.

    Plugin Author WFMattR

    (@wfmattr)

    I’m not familiar with CloudFlare’s pseudo-IPv4. Since there are many more possible IPv6 addresses, they can’t make a unique IPv4 address for every possible visitor, so you might still have other real visitors blocked by blocking certain IP addresses. Remember that even if you can ban them, there are other security risks from running old software — I hope you can get everything updated soon!

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘Legit Website Followers blocked (IP 255.255.255.255)’ is closed to new replies.