• Resolved aflorarte

    (@aflorarte)


    Dear Support,

    I need your help with the following issue, please

    I have the s2member plugin on my site, and I am testing its functionality by adding FAKE new users from my PC, my IP address being 181.28.162.130.

    Every time I add a New User, I receive a New User Registration Notification email.

    All these new users are fake, they were around 10, with test emails of my own.
    In all these 10 emails, the IP address that shows up as belonging to the registrant (me) is 198.143.56.1 – Now, my true IP address is 181.28.162.130.

    Also I see that New User Registration Email notifications that I receive as administrator are being sent “via eigbox.net”. Is this correct?

    A while after this testing, I was unable to log in any more; I got https://www.aflorarte.com/bibliolab/wp-admin/install.php

    To this, my hosting provider suggested that I should block IP address 198.143.56.1 as it was causing an overload of queries. However, this IP address is somehow related to my activity as the site Administrator. Apparently I blocked myself out of my own site. I received the Unblock request email with instructions. Within these instructions, there it was again, the problematic IP address 198.143.56.1 instead of mine. I nevertheless clicked it and was immediately unblocked and could log in normally again.

    Could the overload of queries be due to Wordfence making too many queries??

    Does IP address 198.143.56.1 correspond to my account in Wordfence? Should I block it? I actually don't know what to do.

    Please help. I am transcribing every email below for your consideration.

    Many thanks in advance

    Liliana

    PLEASE VIEW EXAMPLE OF EMAILS BELOW

    New User Registration on your site:
    Bibliolab

    User ID: 40
    Username: AXAKI
    Email: [email protected]
    IP Address:
    198.143.56.1
    Nombre de pila: Axa

    //////////////////////

    EXAMPLE OF Password recovery WordFence email alert

    Someone tried to recover the password for user with email address: [email protected]
    User IP: 198.143.56.1
    User hostname: 198.143.56.1.ip.incapdns.net
    User location: Miami, United States
    ////////////////////////

    Unlock email requested

    Either you or someone else at IP address 198.143.56.1 requested instructions to
    regain access to the website BiblioLab de Aflorarte.com.

    Request was generated at: Wednesday 17th of February 2016 at 09:49:35 AM

    If you did not request these instructions then you can safely ignore them.
    These instructions will be valid for 30 minutes from the time they were sent.
    Click here to unlock your ability to sign-in and to access to the site. Do this if you simply need to regain access because you were accidentally locked out.
    Click here to unblock all IP addresses. Do this if you still can’t regain access using the link above. It causes everyone who is blocked or locked out to be able to access your site again.
    Click here to unlock all IP addresses and disable the Wordfence Firewall and Wordfence login security for all users. Do this if you keep getting locked out or blocked and can’t access your site. You can re-enable login security and the firewall once you sign-in to the site by visiting the Wordfence options menu and checking the boxes under advanced options to enable the firewall and login security.

    https://www.ads-software.com/plugins/wordfence/

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author WFMattR

    (@wfmattr)

    Hi,

    The 198.143.56.1 IP belongs to Incapsula, a service that is probably included in your hosting package. On the Wordfence options page, I think you can use the Incapsula plugin to restore the correct visitor IP address. (If that does not help, you can set “How does Wordfence get IPs” in the top section of the Wordfence options page, to the option that says “X-Forwarded-For” or “X-Real-IP”, and then check if the correct IP appears after saving the settings.)

    Definitely don’t block 198.143.56.1 how the host suggested — that could block all traffic trying to visit your site (or a large portion of it), since it is directed through Incapsula.

    I think the eigbox.net reference in the emails appears because of the way the host has set up their mail service — I have seen that a couple times before, and that should be ok.

    When you see the install page while just trying to use your site, that usually means that your host severely restricts the number of database queries your site can run, and cuts off your site’s access to the database once the limit is hit. Most hosts don’t do that, and it is hard to avoid using the database often on a modern WordPress site.

    You could try to decrease Wordfence’s database usage by turning off “Enable automatic scheduled scans” (but you would lose the security provided by the scans), and you could set “Update interval in seconds (2 is default)” to 10 or 20 seconds, which will slow down Wordfence admin page updates, but does not harm security.

    -Matt R
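
The behaviour described in the reply above, as an added example (not Wordfence's code and not part of the original replies): the visitor address is taken from X-Forwarded-For only when the connection really comes from the proxy, and a per-IP limit is counted with and without that step. The function names, the one-entry trusted list (only the address named in this thread) and the 192.0.2.x visitors are assumptions constructed for the illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the one proxy address named in this thread. A real deployment
# would list the provider's published ranges here instead.
TRUSTED_PROXIES = [ipaddress.ip_network("198.143.56.1/32")]


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(remote_addr, x_forwarded_for=None):
    """Return the address a rate limiter or login alert should act on."""
    peer = ipaddress.ip_address(remote_addr)
    # A visitor connecting directly can put anything in the header: ignore it.
    if not is_trusted(peer) or not x_forwarded_for:
        return str(peer)
    # Read right to left: the rightmost hops were appended by the proxy,
    # so the first untrusted address found is the real visitor.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer
        if not is_trusted(addr):
            return str(addr)
    return str(peer)  # every hop was a proxy


def throttled_ips(requests, limit, use_header):
    """Count requests per address and return those above `limit`."""
    counts = Counter()
    for remote_addr, xff in requests:
        ip = resolve_client_ip(remote_addr, xff) if use_header else remote_addr
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n > limit)


# Constructed sample: three visitors, 30 requests each, all via the proxy.
SAMPLE_REQUESTS = (
    [("198.143.56.1", "181.28.162.130")] * 30
    + [("198.143.56.1", "192.0.2.10")] * 30
    + [("198.143.56.1", "192.0.2.20")] * 30
)
```

With a limit of 60, counting by connecting address puts all 90 requests on 198.143.56.1 and throttles it, which is every visitor at once; counting by resolved address throttles nobody.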

    Thread Starter aflorarte

    (@aflorarte)

    Hello again,

    I appreciate your help very much. I followed your advice and what I see now is that, maybe after the latest WF update, or maybe due to these recent changes that I have made, WordFence stopped notifying of Admin Login.

    Why is this and what can I do to fix this issue?

    Thank you in advance

    Liliana

    Thread Starter aflorarte

    (@aflorarte)

    Hello again,

    Sorry to be back with the same issue but I found something that may be related to this issue and would like to have it clarified. This is related to the Firewall Rules. I have the following settings:
    How should we treat Google’s crawlers: Verified Google crawlers have unlimited access
    If anyone’s requests exceed: 960 per minute then throttle it
    If a crawler’s page views exceed: 960 then throttle it
    If a crawler’s pages not found (404s) exceed: 60 then throttle it
    If a human’s page views exceed: 60 then throttle it
    If a human’s pages not found (404s) exceed: 60 then throttle it
    If 404’s for known vulnerable URL’s exceed: 30 minutes every 2 seconds then throttle it
    How long is an IP address blocked when it breaks a rule: 30 minutes

    What brings confusion to me is that in another website of my own these settings, except how to treat Google’s crawlers, are set to Unlimited and then throttle.

    Please advise me if I need to make changes in any of these sites.

    Thank you again and regards.

    Plugin Author WFMattR

    (@wfmattr)

    Hi Liliana,

    For the admin login notices — are you able to receive any emails from Wordfence on that site? If you’re not sure, you can try the “Send a test email from this WordPress server to an email address” box at the bottom of the Wordfence options page.

    The rules that you have set look ok, and in most cases should not block legitimate traffic, as long as the visitors’ IPs are coming in correctly. If you view the Live Traffic page and see your own IP for your own visits now, then that should be fine. (Visits aren’t logged by default when you are logged in as an admin, so you can visit the site in a different browser without logging in, to see new traffic from your own IP — or log out, view some public pages of the site, and then log back in.)

    -Matt R

    Thread Starter aflorarte

    (@aflorarte)

    Hello Matt and thank you for your reply.

    I am following your instructions

    A) SEND TEST EMAIL
    I have sent a test email to my email address and the result was True. However, the test email never arrived in my inbox nor in my spam folder.

    B) From the Live Traffic page, I see that I am logged in. Please note that I am in Buenos Aires, my IP address starts with 181.28. and what strikes me is that WF says I am logged in from USA with the IP address that was causing the overload queries, which is Hostname: 198.143.56.1.ip.incapdns.net

    EMAIL ALERTS OF ADMIN LOGIN AND PROBLEMS FOUND
    I am no longer receiving alerts of this site reflecting when I am logged in, nor am I receiving the emails advising of problems found and including a list of plugins to update.
    Please let me know what I should do. Interestingly enough, I have another WP site set up within the same domain. The WordFence settings are the same, and I do receive these alerts. Also, I appear to be logged in with the same USA IP address, Hostname: 198.143.56.1.ip.incapdns.net.

    C) Regarding where you wrote: “you can visit the site in a different browser without logging in, to see new traffic from your own IP — or log out, view some public pages of the site, and then log back in”, please notice that Live Traffic is disabled.

    Again, your advice most appreciated

    Best regards

    Liliana

    Plugin Author WFMattR

    (@wfmattr)

    Hi Liliana,

    Sorry for the delay — back to the 3 issues:

    A) The “True” result means that WordPress (not just Wordfence) thinks it sent an email successfully — since you haven’t received it, I think you will need the host to help. Usually, they will have logs of emails that were sent (or not sent), and reasons they failed.

    B) Have you already set the “How does Wordfence get IPs” option to the choice that says “X-Forwarded-For”? Since your site is using Incapsula, this should normally cause Live Traffic to show your own IP, whether it’s just the “Logins and Logouts” or the full Live Traffic feature. If you’ve already set the option can you also turn on “Disable config caching” near the bottom of the Wordfence options page, and then check the Live Traffic page again after logging out and back in? (The missing emails are also related to item A above.)

    C) Ok, in this case, just logging out and logging in should be enough to check — the method of getting IP addresses is the same for this and for the full Live Traffic.

    -Matt R

    Thread Starter aflorarte

    (@aflorarte)

    Hello Matt and thank you so much for your reply.

    Really this is curious. Since my last post, and while I was waiting for your message, I haven't made any changes to the settings and the system apparently went back to normal because I am now receiving the notifications and the admin login alerts. So actually, now I don't know what I should do with the settings. So far the settings I have are:

    1) How does Wordfence get IPs: Let Wordfence use the most secure method to get visitor IP addresses. Prevents spoofing and works with most sites

    2) Disable config caching: not clicked (Please be advised that I have Zen Cache as a cache plugin). So if you would clarify as to which settings are most convenient I would be so much grateful.

    Sorry for the confusion.

    Best regards

    Liliana

    Plugin Author WFMattR

    (@wfmattr)

    Hi Liliana,

    Ok, that does sound likely to be an email filter issue either at your hosting company or where your email account is. If it fails again or only seems to work intermittently, I would recommend contacting the host.

    If the IP addresses for visitors seem to appear correctly on the Live Traffic page, you can leave that option as it is. If they still say “incapdns” in the hostname, then I think you’ll still need to change it to X-Forwarded-For or X-Real-IP.

    “Disable config caching” can be left as it is too. You can turn it on if you do have any additional problems. It’s separate from caching plugins, so it should only affect Wordfence settings.

    -Matt R

    Thread Starter aflorarte

    (@aflorarte)

    Hello Matt,

    Thank you so very much again.

    I will be paying close attention to the issues you just pointed out.

    It was good to know that Config caching is separate from other caching plugins, thanks for this comment too.

    Best regards

    Liliana

  • The topic ‘WordFence causing queries overload or Using a blocked ip address??’ is closed to new replies.