• Resolved aeealaska

    (@aeealaska)


    Good day,

I am new to these parts, and new to the job of seeing to the security of the company website / WordPress install. I have got the hang of the security plugin (pretty much, but no expert), but still have one problem with manually banning IP addresses. I apologize if I am covering old ground here, but I *did* search this forum, but couldn’t find anything that exactly fit this problem.

    I manually enter the IP address of those trying to brute force or otherwise penetrate the security of the website, but I am noticing the banned IP addresses popping back up again and again. To wit:

    If I manually enter xxx.xxx.xxx.123 using the “add ban” function, in another day or three that IP address is popping back up as an attacker. I have tried modifying the time parameters on the bans (minding the warning texts about the ramifications of doing so) but they keep popping up again and again. I am getting very tired of playing whack-a-mole here.

    Is there some magical combination of settings that I am not understanding / using that will make these bans 100% permanent?

    Thank you for any and all light you can offer up to a noob security warrior trying to hold back the forces of darkness, and protecting our humble little website.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support chandelierrr

    (@shanedelierrr)

    Hi @aeealaska, apologies for the delayed response! I see you need help with permanently banning an IP address.

    Could you let me know if the IP address of the attacker is the same each time? Are you receiving a Site Lockout notification of their attacks?

    Also, please send a screenshot of where you added the ban, as well as the “Raw Details” of the recent logs that indicate their attack attempts, found in Security > Logs > All Events.

    I look forward to hearing from you!

    Thread Starter aeealaska

    (@aeealaska)

    Thank you for your reply. I truly appreciate the response!

    However, it pains me to report that I have found a workaround that I tested this holiday weekend, but I am pleased to report it worked.

    The workaround:

    Using the “Add Many” interface, I added the IP verbatim then copied and pasted the IP but this time I replaced the last two octets with wildcard characters and saved.

    It would appear the two-fisted approach, so to speak, is effective in ensuring those involved stay banned. My attacks plummeted from an average of 800 per day before the holiday weekend to 6 so far today. I theorize it was a “script kiddie” using a bot-net to attack our site, which explains a lot of the attack being so sustained, but generally all launching from the same IP address.

    Even so I rarely, if ever, receive Site Lockout notifications.

    Once again, thank you very much for the response!

    Plugin Support chandelierrr

    (@shanedelierrr)

    @aeealaska, it’s great to hear that your workaround using wildcard for banning IPs helped reduce the number of attacks! It would seem that the IP addresses of the attacks change each time, and each attempt does not reach the lockout/ban threshold, which is why you do not get Site Lockout notifications. You could try lowering the Ban Threshold (Security > Settings > Global Settings) and the Max Login Attempts (Security > Settings > Configure > Lockouts > Local Brute Force).

    Please also check your Security Logs and view the “Raw Details” of the attacks to know where they are coming from. If it shows that the attacks are coming from the xmlrpc.php?file being accessed, I’d suggest disabling your XML-RPC via Security > Settings > Advanced > WordPress Tweaks > API Access – but please first make sure that your site is not using any plugin/service that requires XML-RPC access.

    Hope this helps!

    Thread Starter aeealaska

    (@aeealaska)

    Thank you again for your reply!

    I cannot agree the attacks were changing every time. Obviously, it’s not practical to enter 800 IPs at a shot, so I crafted a script that would take the IP data (which I copied and pasted to an Excel spreadsheet), then got busy removing the duplicates and dumping the output to a text file. That’s how I first caught on – out of about 800 IPs and filtering the duplicates, I would have between 100 – 200 unique IP addresses left.

    Lather, rinse and repeat the next day.

    I kept noticing the same IPs popping up over and over and over again. So, back to the bit farm to massage the script. Now it generates two text files for me – one list has the IPs with duplicates removed, the other essentially is just a copy of the first list with the wildcards inserted.

    One short “Add Many” session later, and PRESTO!

    It seems by adding both in I get a ban list with teeth that actually bans a given address. The proof is in the pudding in that my graph is now a vertical line going down, instead of going up.

    That being said I tossed caution to the wind, spit in the eye of danger, and put on my laugh-in-face-of-certain doom pants and tightened up the settings you mentioned to a point just this side of draconian. Then I settled in with a cup ‘o joe, my #2 pencil and Big Chief notebook to observe and record what happens.

    Like Adam Savage said, kiddies – the difference between science and screwin’ around is writin’ it down!
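The two-list procedure described above (dedupe the logged IPs, then emit the same list with the last two octets replaced by wildcards for “Add Many”), written out as an added example; this is not the poster’s script nor part of the plugin. It also adds an assumed `min_hits` threshold so only repeat offenders make the list, and the sample IPs are constructed. Keep in mind that one `a.b.*.*` entry bans an entire /16 (65,536 addresses), so review that list before saving it.

```python
import ipaddress
from collections import Counter

# Constructed sample: IPs as copied from the security log, duplicates and junk included.
SAMPLE_LOG_IPS = """
203.0.113.45
203.0.113.45
198.51.100.7
203.0.113.200
198.51.100.7
203.0.113.45
not-an-ip
"""


def dedupe_ips(raw):
    """Return {ip: hit count} for every valid IPv4 line, duplicates collapsed."""
    counts = Counter()
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            counts[str(ipaddress.IPv4Address(line))] += 1
        except ipaddress.AddressValueError:
            continue  # skip anything that is not a bare IPv4 address
    return counts


def wildcard_last_two(ip):
    """203.0.113.45 -> 203.0.*.* (the form pasted into 'Add Many')."""
    first, second, _, _ = ip.split(".")
    return f"{first}.{second}.*.*"


def build_ban_lists(raw, min_hits=1):
    """Exact list of repeat offenders plus the matching /16 wildcard list."""
    counts = dedupe_ips(raw)
    exact = sorted((ip for ip, n in counts.items() if n >= min_hits),
                   key=ipaddress.IPv4Address)
    wild = sorted({wildcard_last_two(ip) for ip in exact})  # one entry per /16
    return exact, wild


if __name__ == "__main__":
    exact, wild = build_ban_lists(SAMPLE_LOG_IPS, min_hits=2)
    with open("ban_exact.txt", "w") as f:
        f.write("\n".join(exact) + "\n")
    with open("ban_wildcard.txt", "w") as f:
        f.write("\n".join(wild) + "\n")
```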

  • The topic ‘Manually entered IPs not being blocked’ is closed to new replies.