• Resolved foreclosurepedia

    (@foreclosurepedia)


    Wife put in a ticket here: https://support.wordfence.com/support/tickets/3562

    Paid for WordFence so it is not the free version. Didn’t know if maybe because she was a woman that perhaps WordFence didn’t want to take the time to answer a Support Ticket? Either way, it is being posted here and eventually on my website to warn others.

    I have blocked by IP and Country specific to the below several days ago and yet the person is still able to continue to attempt to log in. Any advice would be great. I will send you the admin access if you need it for my website. The screenshot attached will show that it is impossible that the only attempts made were 8 days ago as both the below and the multiple emails I have in the meantime contradict this. Additionally WF1 Screenshot shows that Spain is blocked so I guess I don’t understand how it gets through. Even the Username Editor-in-Chief is listed to trigger automatic blocking. No caching no nothing is in play. Cloudflare is not activated either. Thanx

    This alert was generated by Wordfence on “Foreclosurepedia” at Friday 5th of September 2014 at 02:02:22 PM
    The Wordfence administrative URL for this site is: https://foreclosurepedia.org/wp-admin/admin.php?page=Wordfence

    A user with IP address 213.97.128.187 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 3. The last username they tried to sign in with was: ‘Editor-in-Chief’
    User IP: 213.97.128.187
    User hostname: 187.Red-213-97-128.staticIP.rima-tde.net

    https://www.ads-software.com/plugins/wordfence/

Viewing 15 replies - 1 through 15 (of 17 total)
  • Thread Starter foreclosurepedia

    (@foreclosurepedia)

    It should be noted that they are now hitting my website about every hour now. I am loath to pay for a product and then have to reach out to my provider to manually lock the IP down or do it myself in htaccess as why would I pay for something to do that in the first place.

    Hi

    Sorry you are having issues with the plugin. Let’s see if we can help. I understand people that try to log in, guessing at usernames, can be a pain. I have several sites I manage and one gets about 600+ attempts every day! (side note: the usernames I see used can be pretty amusing at times) To say it’s annoying is a vast understatement.

    I’m not sure without looking at your settings why it’s not blocking that country or IP. I know country blocking comes with this warning at the bottom: “Note that we use an IP to country database that is 99.5% accurate to identify which country a visitor is from”, so I guess that could account for that part but it seems doubtful. There is a setting on the options page to disable config caching that you might try but I’m not sure if that will help or not. Can you try that? If it doesn’t work then I’ll give you an email and perhaps you can set up an account for us to look.

    I wanted to take a second and address a comment you made in the first post about us not taking a ticket generated from a woman seriously. We like to think of our company as diverse and the users of our product diverse as well. I think you will notice if you looked here that we have customers from all walks of life, nationalities, and genders. We treat everyone with respect and strive to exceed customer expectations when it comes to service. Please don’t think that your ticket is not being addressed because of something like that. I’m sure, if anything, it’s merely because it is the weekend. I handle the forums here but I know the people that are on staff for the tickets. Someone will be on it soon, I’m sure.

    Let me know if config caching doesn’t work and I’ll give you the email so I can look at the settings for anything else.

    Thanks!

    tim

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Appreciate the reply. I reiterate the fact that I manually blocked the IP and that didn’t work. My lock out is set for 60 days and they breached that 15 times already. And the Country Blocking is set as well. I additionally set the Editor-in-Chief as an auto block and that didn’t work. Matter of fact, below you will see they attempted to access even as I wrote this:

    This alert was generated by Wordfence on “Foreclosurepedia” at Saturday 6th of September 2014 at 05:51:49 PM
    The Wordfence administrative URL for this site is: https://foreclosurepedia.org/wp-admin/admin.php?page=Wordfence

    A user with IP address 213.97.128.187 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 3. The last username they tried to sign in with was: ‘Editor-in-Chief’
    User IP: 213.97.128.187
    User hostname: 187.Red-213-97-128.staticIP.rima-tde.net

    Right, did you try unchecking the config caching option I mentioned?

    Thanks

    tim

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    I reply here because I get a notice from no reply. I would send credentials, but I won’t post them on here nor do I think you are asking me to.

    Nothing is cached anywhere I can find. Nor have they ever been. On the options page, there is nothing for cache. On the performance page I tried it once way back when it first came out and it jacked with my Live Chat so it has been off since then. Using REMOTE_ADDR in the How it gets IPs

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Matter is closed. Refund issued.

    Use this plugin Lockdown WP Admin
    Hide your https://web.com/wp-admin page
    You can replace the wp-admin by the name you want

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Thanx. Wordfence is one of these unique platforms that keeps on giving. So, after I uninstalled the Platform, I continue to get Wordfence alerts on the same IP Address from Wordfence as seen below. Mark Maunder stated that my girlfriend insulted his staff and issued a refund check for $39. Would appear that this is to prevent any need to fix an obviously bug ridden platform. Now, we have not just the original issue I presented with, but a plugin that keeps on giving like the Energizer Bunny. That generally becomes the problem when you swap customer service for profit IMHO. **Should be noted that the Plugin is Uninstalled.

    This alert was generated by Wordfence on “Foreclosurepedia” at Sunday 7th of September 2014 at 11:24:35 AM

    The Wordfence administrative URL for this site is: https://foreclosurepedia.org/wp-admin/admin.php?page=Wordfence

    A user with IP address 213.97.128.187 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 3. The last username they tried to sign in with was: ‘Editor-in-Chief’
    User IP: 213.97.128.187
    User hostname: 187.Red-213-97-128.staticIP.rima-tde.net

    Many people here use Wordfence without any issues. We’re sorry that you obviously have. If you are still getting emails from an uninstalled plugin you might do well to check your mail queue. The emails might just be stuck there, after a bot brute force attack and trickling out. Here’s info on that.

    https://www.pc-freak.net/blog/list-mail-queue-qmail-sendmail-postfix-exim-smtp-server/

    tim

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Yeah, I thought about that and then I remembered why I use Google Apps. As I use Google Apps which makes Google Servers my Servers, for want of better words, I wrote Google and posted in their forums. The post you refer to deals with emails which are self hosted. More on point, though, as I had previously set all the proper conditions with respect to the blocking of logins after 3 failed attempts to 60 days, it would be rather moot. Additionally, the timestamps are indicative that either this is one of the most sophisticated attacks ever created in that it has tricked both my Servers on the site and the Google Servers, or this is a Wordfence problem. A simple scan of my site reveals that your Founder revoked my paid license and I uninstalled the program. 11 of these Wordfence alerts over the past 23 hours, though, is ironic at best.

    I agree that many people use Wordfence and have no issues. Some people use Wordfence and have issues and don’t post. Then some folks, like myself, have issues and document them.

    I appreciate your reply and believe we are able to deduce that this is not the problem. So, there appear to be two issues at hand. The first is directly related to the second. Now, I wrote to my hosting provider, TMD Hosting, and am having them investigate the issue as well. It is concerning, at best, though that Wordfence is not only removed and the SQL tables gone, and I continue to get the emails.

    Google apps doesn’t handle the emails that your server sends out. You likely have postfix or sendmail installed on the server your website is hosted on. This is what sends the emails out. Google apps is for your personal email, like [email protected]. This mail queue is what they need to look at.

    tim

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Sent this, word for word, to TMD. I will respond back with their answer, but it would still not explain how the 3 strikes and you’re banned for 60 days; the Country IP ban and the Editor-in-Chief username as an automatic ban were all circumvented. This is really what I am driving at. The problem lies there whereas what I am experiencing now is an inconvenience.

    Don’t get me wrong, I appreciate the breakdown of and understand how the server pulls the info from Wordfence and uses an internal mailserver to send to my personal email. And because I want all the answers to put the entire picture together, I am pursuing that. If, though, there is a problem, I believe in exploring the genesis of it.

    I will post back when they reply.

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Below is their email to me. So, I think it best to use 1953EDT 07SEP14 as a baseline. If nothing else comes through, then the second part of the matter is resolved. The first part is not of my affair as I no longer utilize the plugin so it is moot to me.

    Thank you for responding and giving some suggestions to issues. If nothing else perks through, I would believe that the issue is resolved.

    I have double checked the server mail queue and I can confirm that there are no emails waiting to be sent from your account. However it is entirely possible that some emails might have been kept in the outgoing queue and they might have been delivered after the reported plugin removal.

    However as the queue is clear now there should be no such future emails generated from your WordPress website.

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Below is the raw original email header. There is a definite problem. Wordfence is initiating, somehow, these alerts. Ran it by TMD as well.

    This alert was generated by Wordfence on “Foreclosurepedia” at Sunday 7th of September 2014 at 07:29:21 PM
    The Wordfence administrative URL for this site is: https://foreclosurepedia.org/wp-admin/admin.php?page=Wordfence

    Delivered-To: [email protected]
    Received: by xxxxxx with SMTP id xxxxx;
    Sun, 7 Sep 2014 17:29:25 -0700 (PDT)
    X-Received: by xxxx with SMTP id mc9mr28xxxxxxxx136164452;
    Sun, 07 Sep 2014 17:29:24 -0700 (PDT)
    Return-Path: <[email protected]>
    Received: from mxx.tmdhosting.com (mxx.tmdhosting.com. [19xxxx2])
    by mx.google.com with ESMTPS id f8si941xxxicz.73.2014.09.07.17.29.24
    for <[email protected]>
    (version=TLSv1 cipher=RC4-SHA bits=128/128);
    Sun, 07 Sep 2014 17:29:24 -0700 (PDT)
    Received-SPF: none (google.com: [email protected] does not designate permitted sender hosts) client-ip=198.143.161.162;
    Authentication-Results: mx.google.com;
    spf=neutral (google.com: [email protected] does not designate permitted sender hosts) [email protected]
    Received: from new.tmdhostingxx.com ([xxxx0.114] helo=nodexx.tmdhostingxx.com)
    by mxxx.tmdhosting.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.82)
    (envelope-from <[email protected]>)
    id 1XQmpe-0002Gy-Bi
    for [email protected]; Sun, 07 Sep 2014 19:29:24 -0500
    Received: from foreclos by node01.tmdhosting810.com with local (Exim 4.80.1)
    (envelope-from <[email protected]>)
    id 1XQmpe-002nc8-0t
    for [email protected]; Sun, 07 Sep 2014 19:29:22 -0500
    To: [email protected]
    Subject: [Wordfence Alert] foreclosurepedia.org User locked out from signing in
    X-PHP-Script: foreclosurepedia.com/wp-login.php for 213.97.128.187
    Date: Mon, 8 Sep 2014 00:29:21 +0000
    From: WordPress <[email protected]>
    Message-ID: <[email protected]>
    X-Priority: 3

    A user with IP address 213.97.128.187 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 3. The last username they tried to sign in with was: ‘Editor-in-Chief’
    User IP: 213.97.128.187
    User hostname: 187.Red-213-97-128.staticIP.rima-tde.net


    To change your alert options for Wordfence, visit:
    https://foreclosurepedia.org/wp-admin/admin.php?page=WordfenceSecOpt
    To see current Wordfence alerts, visit:
    https://foreclosurepedia.org/wp-admin/admin.php?page=Wordfence
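
A triage sketch for alert mail with headers like those quoted above, added here as an example and not part of the original thread or of Wordfence. It reads `X-PHP-Script` to see which host and script generated the message, compares that host with the site named in the subject, and measures the gap between `Date` and the final `Received` hop, which separates freshly generated mail from mail draining out of a queue. The sample message is constructed with placeholder hosts and addresses, and `triage` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample in the layout of the alert above; every host, address
# and queue ID is a placeholder (RFC 2606 / RFC 5737 ranges).
RAW = """\
Received: from relay.example.net (relay.example.net. [192.0.2.10])
    by mx.example.com with ESMTPS id abc123
    for <owner@example.com>;
    Sun, 07 Sep 2014 17:29:24 -0700 (PDT)
Received: from siteuser by node01.example.net with local (Exim 4.80.1)
    id 1AAAAA-000000-0t
    for owner@example.com; Sun, 07 Sep 2014 19:29:22 -0500
To: owner@example.com
Subject: [Wordfence Alert] blog.example.org User locked out from signing in
X-PHP-Script: blog.example.com/wp-login.php for 203.0.113.7
Date: Mon, 8 Sep 2014 00:29:21 +0000

A user with IP address 203.0.113.7 has been locked out ...
"""

def _when(value):
    # Drop a trailing "(PDT)"-style comment before parsing the RFC 5322 date.
    return parsedate_to_datetime(re.sub(r"\s*\([^)]*\)\s*$", "", value.strip()))

def triage(raw):
    msg = message_from_string(raw)
    # Header format on hosts that add it: "<host>/<script path> for <client IP>".
    script = re.match(r"([^/\s]+)(/\S*)\s+for\s+(\S+)", msg.get("X-PHP-Script", ""))
    site = re.search(r"\]\s+(\S+)", msg.get("Subject", ""))
    # Received headers are newest-first; the timestamp follows the last ';'.
    hops = [_when(h.rsplit(";", 1)[1]) for h in msg.get_all("Received", [])]
    created = _when(msg["Date"])
    return {
        "script_host": script.group(1) if script else None,
        "script_path": script.group(2) if script else None,
        "client_ip": script.group(3) if script else None,
        "subject_site": site.group(1) if site else None,
        # True when the generating script lives under a different host name
        # than the site the alert claims to come from.
        "host_mismatch": bool(script and site and script.group(1) != site.group(1)),
        # Seconds between message creation and final delivery; a stale queue
        # shows up as a large value here.
        "delivery_delay_s": (hops[0] - created).total_seconds() if hops else None,
    }
```

A delay of a few seconds means the message was generated when it was delivered, and a host mismatch says which document root to inspect for a still-active copy of the script.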

    Sorry. At this point I have no idea, especially if you have removed the plugin and folders, and you said there wasn’t anything in the database from us. Caching and mail queues were the only things I could think of. As the plugin is off your site and we have refunded your money for stated reasons, there doesn’t seem to be anything left for us to do.

    Good luck in your future endeavours. I wish I had something else to give you.

    tim

  • The topic ‘Wordfence Not Blocking Country or IP’ is closed to new replies.