Wordfence does not block advice rules

Hi @guckmada,

The DigitalOcean page was moved to this address I believe: https://docs.digitalocean.com/glossary/network/

Generally, we consider a manual blocking regime unnecessary as it can be time consuming to keep up with current URLs and IP ranges etc. Wordfence should protect you from known “bad” IPs, User-Agents etc. and now considers the intent of a human/bot by the pages they’re trying to visit (and how) the most important factor when blocking.

To have more control over the automatic blocks, I recommend reviewing the options at Wordfence > Firewall > All Firewall Options > Brute Force Protection.? Here, you can configure the login failure limit and how long the user is locked out.? If you’re the only user logging into the site, you can also enable Immediately lock out invalid usernames to immediately lock out someone who attempts to log in with an invalid username.

Which IPs matching the Hostname block pattern are slipping through the block rule? Are you seeing any successful blocks on IPs with a matching hostname?

Thanks,
Margaret

Hi Margaret,

thank you for your answer! I configured Wordfence as you wrote and set “Lock out after how many login failures”?on “2”. Reading the Life traffic files shows me that there a some humans/bots that tried more then 2 time to log in. How can this happen?

Best regards

guckmada

Hi @guckmada,

Thanks for reaching out. I wanted to advise you that once a topic on our forums has gone more than 2 weeks without a response, we typically stop monitoring it. Please make sure to start a new topic if you want to follow up on anything in the future so your response doesn’t get missed.

Regarding the attackers that can try to log in more than 2 times, what time period is that over compared to what you have configured? For example, let’s say your brute force settings are configured to count attempts over 4 hours. If an attacker only tries to log in once every 3 hours, they wouldn’t be blocked.

The lockout time can also be a factor. If the time they’re locked out is configured to be only 30 minutes, then they would be unblocked after that time and could try again.

These two settings can be found in Wordfence > Firewall > All Firewall Options > Brute Force Protection under Count failures over what time period and Amount of time a user is locked out. Be careful not to make these settings too strict if you have multiple people logging into your dashboard.

Best regards,
Margaret

Hi Margaret,

settings for Lock out after how many login failures: 2

Lock out after how many forgot password attempts : 2

Count failures over what time period: 10 minutes

Amount of time a user is locked out: 2 months

The multiple Log-ins (Domain.xyz/wp-login.php) are not shown in Logins/Logouts. They are shown in All hits.

1 IP trying multiple times (30.9.2024) to lock into admin more than 20 times.

So i think the settings are ok. Or i am wrong?

Thanks for your support!

Best regards

guckmada

• This reply was modified 1 month, 3 weeks ago by guckmada.

Hi @guckmada,

You have it configured so that the failures are only counted over a period of 10 minutes. If the login attempts are over a longer period of time (such as once every 20 minutes), they wouldn’t be locked out.

You mentioned the logins are only being shown under All Hits. If a bot visits the login page without attempting to log in or requesting a new password, it won’t be recorded as a failed login attempt.

Let me know if either of those cases don’t apply. It might help to see screenshots of the Live Traffic. If you have a specific time when a bot is bypassing the rules you’ve set, please email me screenshots of the expanded Live Traffic entries to wftest @ wordfence . com. Include your forum username in the subject and let me know here once you’ve sent that!

Thanks,
Margaret