Wordfence blocks its own server IP

Which version are you on? Did you update to 5.3.11?

tim

Yes, I updated Wordfence this morning.

Were you running falcon caching? If so, can you ftp to the server and look for the wfcache folder in wp-content and see if there is a .htaccess file there?

tim

There is currently no caching active on this site.

Right, but I was asking about previously when you had wordfence activated.

There was no caching active on the site when Wordfence was active.

Its really hard to troubleshoot without having the plugin active. Version 5.3.8 is available here:
https://www.ads-software.com/plugins/wordfence/developers/

Would you remove the wordfence folder completely and try installing this version, then seeing if it works?

tim

5.3.8 works. 5.3.11 does not. Will not let you run scan for sites that plugin has been upgraded and will not issue an API key for new installations.

For what it’s worth, I’m seeing a massive increase in bogus login attempts today (Thursday 4/9/15).

For me, both 5.3.8 and 5.3.11 now give the same result. It takes the site offline.

Ok, apparently Wordfence is blocking the site based on traffic coming from the IP of the proxy for the hosting service. Very annoying.

They say the REMOTE_ADDR and HTTP_X_FORWARDED_FOR have been set correctly, but apparently the plugin does not check for REMOTE_ADDR correctly.

I can give you more info on the server settings by mail if you want. I have whitelisted the proxy IP in Wordfence now, but that also means that attacks might be more successful as it won’t block them based on the server they came from.

Help greatly appreciated.

Having the same issue all of a sudden. I host 10 sites on a Media Temple DV server, and after upgrading Plesk to version 12.5 yesterday, suddenly all sites have Wordfence issues. Most initially were “blocked as fake Google crawler”. I disabled that setting across the board, yet a few sites just kept coming up as blocked.

Looking .htaccess I could see the server IP itself was blocked. Delete that line and I get a “blocked by login security setting” error, which requires me to use the email feature to log back into WordPress. I have had to do this on the same site a dozen times. I finally added the server’s IP to the “whitelisted IP” field in the Options page.

In summary: the only change was the Plesk upgrade. All sites suddenly had the “fake crawler” error. Once that was corrected, all sites using Falcon Engine caching (5) continue to block the server’s IP, while the other sites (5) where I use W3 Total Cache did not have that issue at all. Definitely related to Falcon engine.

@focus97: Usually if you are being blocked, and the reason shows rules that your own IP didn’t break, that means that Wordfence can’t see your actual IP, so all visitors appear to come from a single IP. Are your sites using any reverse proxy, such as Varnish or nginx? (CloudFlare can cause the same issue, except the blocked IP would belong to CloudFlare, rather than the server itself.)

If using a reverse proxy, you will need to set the “How does Wordfence get IPs” option on the Options page. Depending on what software you are using, you will probably need to choose the X-Real-IP or X-Forwarded-For option. More details on the options are here:
How does Wordfence get IPs

After setting the option, you can verify it is working by looking at the Live Traffic tab, and visiting the site in a separate browser where you are not logged in, and verify that your own IP appears in your own visits. (If Live Traffic is disabled, try logging in using the second browser, since logins and logouts are still recorded.)

Let me know if this helps, or if you still have any trouble.

-Matt R

Thanks Matt R. I am indeed using nginx as reverse proxy, so perhaps that’s what was causing it. The strange this is that we’ve never had an issue on the server – only after the latest Plesk upgrade did Wordfence start tripping up. I’ll try the newer IP detection method and will also remove the server’s IP from the list of addresses that bypass all rules (that was the only way to keep Wordfence working while not having me and clients locked out).

Ok, great. Maybe Plesk changed something in the default configuration that was previously fixing the remote_addr before it reached WordPress/Wordfence. Thanks for following up!

-Matt R