Blocking doesn’t work as it should

Resolved crazyhamster
(@crazyhamster)

1 year, 7 months ago

Hello, I have a problem.
The plugin doesn’t block IP after an attempt to access a forbidden URL

PHP requests are processed prior to running.
https://ibb.co/FzZW82n

There is a list of URLs that should lead to blocking
The blocking period is 2 hours.
https://ibb.co/MV6w5f4

In live traffic, the plugin indicates that access to the requested URL is blocked, but requests continue from the same IP
https://ibb.co/QN1c85N
https://ibb.co/tDyzhwr
https://ibb.co/WpxZsQQ

So I get a load on the server. I would like to note in advance that I already have very strict rate limits. Am I doing something wrong?

Viewing 3 replies - 1 through 3 (of 3 total)

Plugin Support wfmargaret
(@wfmargaret)

1 year, 7 months ago

Hi @crazyhamster,

Thanks for reaching out.

In your access logs, a 503 is being returned. This is the Wordfence firewall at work blocking the attacker. When optimized, the Wordfence Firewall will significantly reduce the resources used by each blocked request made to your site.

However, as a web application firewall, while Wordfence can prevent access to the site content, it can’t prevent bad actors from accessing the server altogether. Consider implementing a firewall or DoS mitigation service before the server to prevent the attacker from hitting the server altogether.

Please let me know if you have any questions!

Thanks,
Margaret

Thread Starter crazyhamster
(@crazyhamster)

1 year, 7 months ago

Then what does the rule mean: blocking the IP for two hours (in my case), when trying to access the list of forbidden URLs? It’s supposed to work like a honey pot, doesn’t it?

So the plugin doesn’t have the capability to automatically add an IP to the blacklist in case of violation of the rules? Error 503 doesn’t solve the problem of attacks.

Plugin Support wfmargaret
(@wfmargaret)

1 year, 7 months ago

Hi @crazyhamster,

If you’re receiving true DDoS, or at the very least a huge increase in attempted page views, protection at the server’s end such as Cloudflare (as one example) should be the most effective solution. I say this because Wordfence is an endpoint firewall, so can catch/restrict/block users using Brute Force or Rate Limiting settings after PHP loads but, when optimized, before the point your site tries to host content to them. Restrictions therefore are possible, but it can’t stop the requests from initially hitting your site, even if it ends up blocking them.

Think of the visitor’s journey through various layers of protection. When they reach your server, they’ll first pass the server firewall, then they’ll access the web server, and then request a specific page. When they request the page, Wordfence will then be loaded, review the visit, and determine a response. In this case, it returns a 503 response (the Wordfence block page) to block the visitor. It’ll continue to return a 503 response every time it sees a visitor from the blocked IP until the block expires.

While Wordfence is effective at blocking unwanted visitors and preventing malicious activity on the site, it can’t prevent them from reaching the web server in the first place. Instead, it serves a block page that stops access to your content and unwanted actions. To block unwanted traffic at the outset, a server-side solution is essential, as it screens traffic before it reaches your web server.

Please let me know if you have any questions,
Margaret

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Blocking doesn’t work as it should’ is closed to new replies.