robertrel234

PS – so now I have just experienced a “blocked by Wordfence Security Network” that needed to be blocked manually so as I suggested the auto blocking still seems “temperamental” or I am doing something wrong

Also there was a typo above — it should have read what is set out below

I note that for now I am seeing wordfence block all these different attempts whether by “blocked for Accessed a banned URL” or “blocked by Wordfence Security Network”

(not I note that for now I am seeing wordfence block all these different attempts whether by “blocked for Accessed a banned URL” or “blocked for Accessed a banned URL”)

Follow up I have been watching what is happening on live traffic and it seems that maybe there is an issue with determining if a blocked URL is accessed by an IP address

It seems that in wordfence

1. if the ip address goes straight to the blocked URL – then it is deemed to have accessed the blocked URL and is immediately blocked with the message “blocked for Accessed a banned URL”
2. if the ip address first goes to say https://www.xyz.com/xmlrpc.php and then to a blocked URL it is not considered as accessing the blocked URL

In my case I notice that after entering the site via /xmlrpc.php the IP address is allowed 5 additional attempts to access a non existent URL before being blocked.

I believe this is because I have set under option “If a crawler’s pages not found (404s) exceed: 4” per minute then block it

I note that for now I am seeing wordfence block all these different attempts whether by “blocked for Accessed a banned URL” or “blocked for Accessed a banned URL” and I have not needed to manually block the ip after the message “blocked by Wordfence Security Network” or “blocked for Accessed a banned URL” comes up as I was experiencing in some cases yesterday and previously (this may just be a temporary result)

It may be there is a hole in the word fence code that means if an ip address accesses a non existent URL having already arrived at the web site via an existing page the the non existent URL feature is not used to verify subsequent page requests

If I am correct this would seem a simple thing to rectify either

A. in the code for checking if a URL is blocked or by
B. adding an option to check each URL request however it is sent to determine if it is a blocked URL and if it is immediately block it

Whats going on seems pretty strange

I am getting a series of messages in live traffic for IPs trying to access the same address for a non existent URL

The messages are

1. “blocked for Accessed a banned URL”
2. “blocked by Wordfence Security Network”

3. There are not many messages related to “blocked for Accessed a banned URL”
(Accessed is the spelling used – i have just copied and pasted)

4. I cannot see any difference between the events related to the 2 different messages but the subsequent blocking process appears to be different
5. “blocked for Accessed a banned URL” seems to trigger an immediate blocking of that ip address no more instances of attempted access from that ip address are shown
6. “blocked by Wordfence Security Network” seems to allow a number of additional attempted login before they cease in live traffic
7. “blocked by Wordfence Security Network” doesnt always generate a blocked report in live traffic even though the IPs trying to access the same address for a non existent URL
8. I manually block the ips that have triggered the “blocked by Wordfence Security Network” but not reported blocked in live traffic
9. I am a bit concerned that ips dont always show up in the blocked ips report even when blocked by wordfence automatically or me manually

Any feedback from wordfence on what i might be doing wrong etc ?

PS – I want to add something to my last post

1. after I finished the previous post I looked at live traffic and found that a non-existent URL accessed from the USA and triggered the live traffic message “was blocked by Wordfence Security Network” and the IP address was automatically blocked by wordfence

2. I looked back over the blocked ips reports (which also gives the reason and action taken and by whom) and found on another occasion an IP address from New Zealand accessing the same non-existent URL triggered the message “was blocked by Wordfence Security Network” but the IP address was manually blocked by me (that is reported under the blocked ips page that I manually blocked it)

So there was an inconsistency even though the same non existent URL triggered the same initial response “was blocked by Wordfence Security Network” the ip address was blocked automatically in one case and not in the other case

Both incidents happened within a few hours of each other

I guess its possible that there was something I had done to the settings – but I dont recall doing anything that should have caused there to be 2 different out comes

I will see what else comes up in live traffic and post it when i have time

I dont see the same as mountainguy2 – i do see it blocking URLs that dont exist – it happened while I was writing this

But I have to say I am not really that clear on whats being reported in live traffic and what makes somethings get blocked and others not get blocked even though both incidents in live traffic get a message saying “was blocked by Wordfence Security Network”

Comment

May be I am missing something but this is what I see

I can see wordfence live traffic reports and blocks ip attempting to login via a non-existent URL
but

Looking at this further I see the following

1. the live traffic report

i. first reports a location/city/country then advice if it [the location(?)] “was blocked by Wordfence Security Network”
ii.secondly it then blocks the ip address that comes after the message (“was blocked by Wordfence Security Network”) if a flag has been triggered

5. if a specific flag isnt triggered then live traffic report leaves the ip addressed unblocked but allows manual blocking of the ip by clicking og the word block in the live traffic report

Summary

It seems that

A. if the unrecognized URL trap is triggered the ip is blocked
B. if something else has triggered the message “was blocked by Wordfence Security Network” to be activated in live traffic then the ip is not necessarily blocked

Question

Could somebody clarify whats going on and how to automatically block any ip address once the message “was blocked by Wordfence Security Network” comes up in live traffic

https://docs.wordfence.com/en/Wordfence_options?utm_source=plugin&utm_medium=pluginUI&utm_campaign=docsIcon#Immediately_block_IP.27s_that_access_these_URLs

Immediately block IP’s that access these URLs

You can enter a URL that does not exist, for example: /vulnerabilityLivesHere

Then if someone tries to access that URL they are instantly blocked. You have to specify a relative URL, in other words it must start with a forward slash.

Hi

I think I have found there is an existing feature already that does most of what I asked for above

Thanks

https://docs.wordfence.com/en/Wordfence_options?utm_source=plugin&utm_medium=pluginUI&utm_campaign=docsIcon#Immediately_block_IP.27s_that_access_these_URLs

Immediately block IP’s that access these URLs

This allows you to set a kind of trap for bad guys. You can enter a URL that does not exist, for example: /vulnerabilityLivesHere

Then if someone tries to access that URL they are instantly blocked. You have to specify a relative URL, in other words it must start with a forward slash. It also must be a page that does not exist on your website. Wildcards (*) can be used, if there are visits to multiple bad URLs. For example, if there are visits to /badpage-one/ and /badpage-two/, then entering /badpage-*/ will block both.

We only recommend this feature if you are trying to catch a specific hacker and block them or if you are trying to catch hackers that are trying to exploit a known vulnerability or page on your site.

Hi

I am seeing the same thing

I think whats happening is the path can be accessed and the ip address isnt blocked until it enters a false name/password and the fail frequency required is reached

As no false name/password can be added via the invalid URL there is no ip block triggered because no no false name/password has been entered to trigger the block

I think the solution is to have the option to Block IP addresses that repeatedly submit and invalid path or phrase – say to login via any URL with “/wp-login.php” when it (“/wp-login.php”) doesnt exist

The trigger phrase/url/etc and number of attempts allowed would be set by the user in a table

It would also be useful to be alerted if an ip address is repeatedly attempting to access a non existent URL or the same non existent URL is being requested by different ip addresses

Suggested Features to Add

1. a feature that allows the user to add path or phrase or words – for example “/wp-login.php”

so that if it (“/wp-login.php”) appears in any request to the site that triggers wordfence to

i. automatically block the originating ip address or
ii. block after a certain amount of attempts

2. a flag that tells you when an ip address is repeatedly requesting an invalid URL or phrase or words etc and an option to add that URL etc to the table above

3. a flag that tells you when different ip addresses are repeatedly requesting the same or similar invalid URLs paths or phrases or words etc and an option to add that URL etc to the table above

thanks

Hi Paul

Any thoughts on the last post on a negative bar chart

Thanks

Kind regards
Robert

Hi Paul

I had an idea – could you tell me if its possible to do ?

I would like to create a bar chart

1. with just negative data
2. where the negative bars fall and
3. where price goes 0, -1,-2,-3,-4 etc

Currently the negative prices rise up

The final chart would look like something in the link below – but just will negative values

https://www.andypope.info/charts/Invertneg.htm

and the dates or values would be either at the top or the bottom of the chart

Below this post is some code for a negative bar chart – but as you will see the negative values go up towards the top of the chart from zero

Thanks
Robert

<span style=”text-decoration: underline;”>NEGATIVE VALUE BAR CHART (blue) Vs OTHER IDENTICAL TEST DATA (orange) </span>

[wp_charts title="barchart"
type="bar"
align="alignleft"
margin="5px 20px"
datasets="-10.0,-10.2,-7.3,-12.0,-11.6,-15.9,-15.1,-13.1,-19.0,-16.4,-19.5,-14.6,-17.0,-13.1,-19.3,-13.1,-13.7,-13.6,-14.5,-11.9,-13.3,-12.7,-13.2,-13.1,-14.8,-13.2,-14.2,-17.49 next next
-10.0,-10.2,-7.3,-12.0,-11.6,-15.9,-15.1,-13.1,-19.0,-16.4,-19.5,-14.6,-17.0,-13.1,-19.3,-13.1,-13.7,-13.6,-14.5,-11.9,-13.3,-12.7,-18.2,-13.1,-14.8,-13.2,-14.2,-17.49" 

labels="Dec-12,Jan-13,Feb-13,Mar-13,Apr-13,May-13,Jun-13,Jul-13,Aug-13,Sep-13,Oct-13,Nov-13,Dec-13,Jan-14,Feb-14,Mar-14,Apr-14,May-14,Jun-14,Jul-14,Aug-14,Sep-14,Oct-14,Nov-14,Dec-14,Jan-15,Feb-15,Mar-15" 

scaleoverride="true"
scalesteps="9"
scalestepwidth="-2"
scalestartvalue="0"
scaleFontSize="16"
canvaswidth="920px"
canvasheight="460px"
relativewidth="2"
width="920px"
height="460px"]

 
 
 
<p style=”text-align: justify;”> For further Information on bar charts see – Paul van Zyl</p>

<!–nextpage–>

Hi Paul

Thanks for the update – it might be a simple charting library but I think its very good

I appreciate your time and efforts

Kind regards
Robert

Hi Paul

Sorry to bother you – just wondered if the was a solution to my bar chart query of a few days ago ?

Thanks

Robert