• Resolved guckmada

    (@guckmada)


    Hi,

    i blocked for example digitalocean.com (66% abuse) but wordfence does not block this. Your advice for digitalocean.com is https://docs.digitalocean.com/glossary/network-size-range/ => this is a 404 error page.

    For example vmi490679.contaboserver.net (100% abuse) tries to get access to admin. My rule Hostname – *.contaboserver.net does not work.

    There a more domains like this (contabo.com, ovh.com, microsoft.com, *.bc.google.coom, ionos.com) that try to get access to wordpress admin. First i don′t think that these companies really want to hack any WordPress site, but on the other hand i think the companies don′t know about the bad image that this behavior is producing a lot of bad external impact and loosing trustness to customers.

    How can i get rid of those without blocking the whole domain?

    Best regards and THANK YOU

    guckma

    • This topic was modified 4 months, 4 weeks ago by guckmada.
    • This topic was modified 4 months, 4 weeks ago by guckmada.

    The page I need help with: [log in to see the link]

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support wfmargaret

    (@wfmargaret)

    Hi @guckmada,

    The DigitalOcean page was moved to this address I believe: https://docs.digitalocean.com/glossary/network/

    Generally, we consider a manual blocking regime unnecessary as it can be time consuming to keep up with current URLs and IP ranges etc. Wordfence should protect you from known “bad” IPs, User-Agents etc. and now considers the intent of a human/bot by the pages they’re trying to visit (and how) the most important factor when blocking.

    To have more control over the automatic blocks, I recommend reviewing the options at Wordfence > Firewall > All Firewall Options > Brute Force Protection.? Here, you can configure the login failure limit and how long the user is locked out.? If you’re the only user logging into the site, you can also enable Immediately lock out invalid usernames to immediately lock out someone who attempts to log in with an invalid username.

    Which IPs matching the Hostname block pattern are slipping through the block rule? Are you seeing any successful blocks on IPs with a matching hostname?

    Thanks,
    Margaret

    Thread Starter guckmada

    (@guckmada)

    Hi Margaret,

    thank you for your answer! I configured Wordfence as you wrote and set “Lock out after how many login failures”?on “2”. Reading the Life traffic files shows me that there a some humans/bots that tried more then 2 time to log in. How can this happen?

    Best regards

    guckmada

    Plugin Support wfmargaret

    (@wfmargaret)

    Hi @guckmada,

    Thanks for reaching out. I wanted to advise you that once a topic on our forums has gone more than 2 weeks without a response, we typically stop monitoring it. Please make sure to start a new topic if you want to follow up on anything in the future so your response doesn’t get missed.

    Regarding the attackers that can try to log in more than 2 times, what time period is that over compared to what you have configured? For example, let’s say your brute force settings are configured to count attempts over 4 hours. If an attacker only tries to log in once every 3 hours, they wouldn’t be blocked.

    The lockout time can also be a factor. If the time they’re locked out is configured to be only 30 minutes, then they would be unblocked after that time and could try again.

    These two settings can be found in Wordfence > Firewall > All Firewall Options > Brute Force Protection under Count failures over what time period and Amount of time a user is locked out. Be careful not to make these settings too strict if you have multiple people logging into your dashboard.

    Best regards,
    Margaret

    Thread Starter guckmada

    (@guckmada)

    Hi Margaret,

    settings for Lock out after how many login failures: 2

    Lock out after how many forgot password attempts : 2

    Count failures over what time period: 10 minutes

    Amount of time a user is locked out: 2 months

    The multiple Log-ins (Domain.xyz/wp-login.php) are not shown in Logins/Logouts. They are shown in All hits.

    1 IP trying multiple times (30.9.2024) to lock into admin more than 20 times.

    So i think the settings are ok. Or i am wrong?

    Thanks for your support!

    Best regards

    guckmada

    • This reply was modified 1 month, 3 weeks ago by guckmada.
    Plugin Support wfmargaret

    (@wfmargaret)

    Hi @guckmada,

    You have it configured so that the failures are only counted over a period of 10 minutes. If the login attempts are over a longer period of time (such as once every 20 minutes), they wouldn’t be locked out.

    You mentioned the logins are only being shown under All Hits. If a bot visits the login page without attempting to log in or requesting a new password, it won’t be recorded as a failed login attempt.

    Let me know if either of those cases don’t apply. It might help to see screenshots of the Live Traffic. If you have a specific time when a bot is bypassing the rules you’ve set, please email me screenshots of the expanded Live Traffic entries to wftest @ wordfence . com. Include your forum username in the subject and let me know here once you’ve sent that!

    Thanks,
    Margaret

Viewing 5 replies - 1 through 5 (of 5 total)
  • You must be logged in to reply to this topic.