• Resolved kristinubute

    (@kristinubute)


    Hi

    New client site we redesigned with all new plugins and wordpress.

    But we used the current domain name, on which the previous website had been compromised. Obviously we needed to use the current domain name.

    So I’m keeping an eye on things on the new website.

    Keep getting heaps of these:

    …. was blocked by firewall for Known malicious User-Agents at
    domainname.com.au/wp-includes//wp-includes/class-wp-object-cache.php

    domainname.com.au/wp-content/uploads//wp-content/uploads/really-simpple-ssl/

    domainname.com.au/wp-content/plugins/

    domainname.com.au/js/

    domainname.com.au/wp-content/

    What is Known malicious User-Agents?

    There have been over 200 of these in less than 10 mins. Auto blocked by Wordfence at least.

    Says a bot

    These are 403

    Why do they have // which is not normal or standard ?

    Is that a way that it reads another different directory using //?

    Thanks

    Kristin

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support wfmargaret

    (@wfmargaret)

    Hi @kristinubute,

    Thanks for reaching out. Known malicious User-agents include fake user agents that are often used for malicious activity. An example would be a user agent claiming to be “Mozlila” instead of Mozilla.

    This is also why you see URLs being accessed with // in the URL. // doesn’t give them access to a different directory, but depending on what is being run, they may have combined URLs in a way that leads to a //. For example, if they try to access your site as domain.com/ and then try to access /wp-content, by combining those two strings, they’ll visit domain.com//wp-content.

    Wordfence is automatically protecting your site by blocking access from these user agents. If you see a lot of access attempts in a short period of time, I recommend making your rate-limiting settings more restrictive. You can read our recommended settings and more details on those here: https://www.wordfence.com/help/firewall/rate-limiting/

    Thanks,
    Margaret
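    As an added illustration of the two points above (not code from the original post or from Wordfence), this script parses a few constructed access-log lines, flags the misspelled "Mozlila" user agent, and collapses the repeated slash to show that `//` maps to an ordinary path under the document root rather than to a different directory. The log lines, IP addresses and the `FAKE_UA_TOKENS` list are assumptions for the demo.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed Apache combined-format log lines (not from the original post); paths mimic those quoted in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:01:02 +0000] "GET /wp-includes//wp-includes/class-wp-object-cache.php HTTP/1.1" 403 199 "-" "Mozlila/5.0 (Linux; Android 7.0)"
203.0.113.7 - - [10/May/2024:10:01:03 +0000] "GET /wp-content/uploads//wp-content/uploads/really-simple-ssl/ HTTP/1.1" 403 199 "-" "Mozlila/5.0 (Linux; Android 7.0)"
198.51.100.4 - - [10/May/2024:10:01:05 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Misspelled vendor tokens a real browser never sends; "Mozlila" is the one named in the reply (assumed list, extend as observed).
FAKE_UA_TOKENS = ("Mozlila",)


def normalize_path(target):
    """Collapse '//' and resolve '.'/'..' segments, as a server does before mapping the path to a file."""
    path = urlsplit(target).path
    norm = posixpath.normpath(path)
    return norm + "/" if path.endswith("/") and norm != "/" else norm


def analyze(log_text):
    """Parse each line; return records with the normalised path and the reasons the request looks hostile."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if "//" in urlsplit(m["target"]).path:
            reasons.append("double-slash")  # base URL and path concatenated, as described in the reply
        if any(tok in m["ua"] for tok in FAKE_UA_TOKENS):
            reasons.append("fake-ua")
        findings.append({"ip": m["ip"], "path": normalize_path(m["target"]),
                         "status": int(m["status"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for rec in analyze(SAMPLE_LOG):
        print(rec)
```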

    Thread Starter kristinubute

    (@kristinubute)

    Thanks for your reply.

    What would you normally set this to, for a website that had been maliciously attacked previously on the old website, but where the new website is all brand new and the bots or attackers are still trying?

    I’m not sure what best number to limit it to ?

    Thanks

    Thread Starter kristinubute

    (@kristinubute)

    Will this other plugin Blackhole for Bad Bots maybe fix these issues with these dodgy people /bots trying to access this site ?

    It could help maybe ?

    What are your thoughts in conjunction with your plugin?

    Plugin Support wfmargaret

    (@wfmargaret)

    Hi @kristinubute,

    These sorts of attacks are common and normal. Wordfence is doing its job and automatically protecting your site from these bots, which is why you see a block for their accesses with the reason “blocked by firewall for Known malicious User-Agents.”

    Our recommended settings for rate limiting are:

    • If anyone’s requests exceed – 120 per minute
    • If a crawler’s page views exceed – 120 per minute
    • If a crawler’s pages not found (404s) exceed – 60 per minute
    • If a human’s page views exceed – 120 per minute
    • If a human’s pages not found (404s) exceed – 60 per minute
    • How long is an IP address blocked when it breaks a rule – 30 minutes

    These settings should be adjusted based on your particular website. For example, if the site is well-configured and normal visitors wouldn’t encounter 404 errors, you could adjust the “pages not found exceed” settings to 30 per minute. There’s details on all of these settings and how best to adjust them for your individual needs here: https://www.wordfence.com/help/firewall/rate-limiting/

    Thanks,
    Margaret
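    To make the recommended thresholds above concrete, here is an added simulation (not Wordfence's own code, whose internals are not shown in this thread) of a per-IP sliding-window rate limiter using the "anyone's requests exceed 120 per minute", "404s exceed 60 per minute" and "block for 30 minutes" rules. The traffic, IP addresses and window logic are assumptions for the demo; it shows that a burst of missing-page probes is cut off after the 60th 404 while a normal visitor is never affected.

```python
from collections import defaultdict, deque

# Thresholds taken from the recommended settings above (per minute; block lasts 30 minutes).
RULES = {"requests_per_min": 120, "not_found_per_min": 60, "block_seconds": 30 * 60}
WINDOW = 60  # seconds; every "per minute" rule is evaluated over a sliding 60 s window


class RateLimiter:
    """Per-IP sliding-window counters. Hypothetical model of the rule semantics, not Wordfence's code."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.requests = defaultdict(deque)   # ip -> timestamps of requests inside the window
        self.not_found = defaultdict(deque)  # ip -> timestamps of 404 responses inside the window
        self.blocked_until = {}              # ip -> time at which the active block expires

    @staticmethod
    def _prune(window, now):
        while window and now - window[0] >= WINDOW:  # drop events that fell out of the window
            window.popleft()
        return len(window)

    def handle(self, now, ip, status):
        """Record one request; return 'blocked' if it is refused, else 'allowed'."""
        if self.blocked_until.get(ip, 0) > now:
            return "blocked"                 # still inside an earlier block, nothing is counted
        self.requests[ip].append(now)
        if status == 404:
            self.not_found[ip].append(now)
        total = self._prune(self.requests[ip], now)
        missing = self._prune(self.not_found[ip], now)
        if total > self.rules["requests_per_min"] or missing > self.rules["not_found_per_min"]:
            self.blocked_until[ip] = now + self.rules["block_seconds"]
            return "blocked"
        return "allowed"


def simulate(events, rules=RULES):
    """events: iterable of (seconds, ip, http_status). Returns ({ip: refused request count}, {ip: block expiry})."""
    limiter = RateLimiter(rules)
    blocked = defaultdict(int)
    for now, ip, status in sorted(events):
        if limiter.handle(now, ip, status) == "blocked":
            blocked[ip] += 1
    return dict(blocked), dict(limiter.blocked_until)


# Constructed traffic: a scanner probing 200 missing paths in 100 s, and a visitor reading 40 pages in 10 min.
SCANNER = [(i * 0.5, "203.0.113.7", 404) for i in range(200)]
VISITOR = [(i * 15, "198.51.100.4", 200) for i in range(40)]

if __name__ == "__main__":
    print(simulate(SCANNER + VISITOR))  # scanner refused 140 times, blocked until t = 1830 s; visitor untouched
```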

    Thread Starter kristinubute

    (@kristinubute)

    Thanks for your reply.

    Sorry I have another question about this.

    I also see attempted logins for admin, administrator and other types .. and it only blocks that IP for 4 hours as per my setting.

    HOW can I have those INVALID USERNAMES BLOCKED PERMANENTLY instead of just 4 hours please?

    There is ONLY an option in your settings to BLOCK INVALID USERNAMES, but it DOESN’T block permanently.

    Please advise.

    Thanks

    Thread Starter kristinubute

    (@kristinubute)

    ALSO when viewing the LIVE FEED I notice some sites have MANY MORE attempts and 503s in the LIVE FEED compared to other sites. Do the 503 attempts eventually disappear OR do I have to keep blocking IPs in here?

    You mentioned earlier that Wordfence is doing its job by auto blocking, therefore I don’t need to do anything here?

    Is it auto blocking those IP address PERMANENTLY ?

    Because when I view, it says Wordfence has blocked, but underneath there is the option to “BLOCK IP”, which the system HASN’T blocked that IP .. therefore I go and CLICK ON “BLOCK IP” individually but that takes forever … And when I do this, it ONLY blocks for 4 hours and NOT PERMANENTLY ..

    Please advise and provide me detail that would be great.

    Thanks

    Plugin Support wfmargaret

    (@wfmargaret)

    Hi @kristinubute,

    Thanks for following up. The 503 responses in Live Traffic are Wordfence blocking the user’s access. As a web application firewall, Wordfence can’t prevent attackers from accessing the server altogether. Instead, it prevents them from viewing content by returning a 503 response which displays the Wordfence block page. You don’t need to take any action here, as the 503 response is confirmation that Wordfence is doing its job and automatically blocking attacks.

    Permanently blocking an IP address manually is typically unnecessary. IP addresses can change over time and it can be time-consuming to maintain a manual blocklist. Wordfence will automatically protect you from known “bad” IPs, user agents, etc.

    You can adjust the time of the block in Wordfence > All Options > Firewall Options > Brute Force Protection > Amount of time a user is locked out to have the block last for longer than 4 hours, up to a maximum of 2 months. If you have a lot of users logging into the site, be careful not to set this too high if you don’t want to impact legitimate users.

    Thanks,
    Margaret

    Thread Starter kristinubute

    (@kristinubute)

    Hi

    Thanks for your reply.

    Some clients’ websites have no ecommerce and no-one else logs in apart from me.

    This section you mentioned below, is that for ANY logins that are wrong and/or invalid usernames?

    As long as it doesn’t block me obviously !

    You can adjust the time of the block in Wordfence > All Options > Firewall Options > Brute Force Protection > Amount of time a user is locked out to have the block last for longer than 4 hours, up to a maximum of 2 months. If you have a lot of users logging into the site, be careful not to set this too high if you don’t want to impact legitimate users.

    Plugin Support wfmargaret

    (@wfmargaret)

    Hi @kristinubute,

    Correct, that option specifies how long an IP address is locked out for when Wordfence brute force protection locks them out, which would apply to any of the lockouts listed under the Brute Force Protection options. This could apply to you as well, for example, if you mistype your username, or hit the limit you’ve specified for login failures or forgotten password attempts.

    If the site can send emails and you are ever accidentally locked out due to these settings, you can request an Unlock Email from the block page to remove the block. We have a video that outlines this option, as well as some others, here: https://www.youtube.com/watch?v=JnThqkQmPlY

    Thanks,
    Margaret
