Rate Limiting & Brute Force
-
I'm running the free version and am getting heaps of attacks lately. I have the site set very strict: 4 failures or login attempts in 10 minutes (lockout 1 day). I have just set all the rate limiting to 15 per minute then block on all of them, YET I still am getting hundreds of attacks per minute from the same IP address, which is showing in Live Traffic, e.g. (below). WHY is it not blocking the IP after 15 attempts? Is there something else I need to do to fully block the IP after 15 attempts in 1 minute?
Phoenix, Arizona, United States
/up/.well-known/ 11/11/2023 1:20:36 PM 20.171.53.221 20.171.53.221 403
Thanks for any help or guidance.
-
Hi @maxco7, thank you for reaching out.
Kindly navigate to Wordfence > Firewall > Rate Limiting and check the value you have for “How long is an IP address blocked when it breaks a rule”.
There are two different actions you can choose from when someone breaks a firewall rule. You can “block” them, which immediately removes access from the site for a predetermined amount of time, defined by the setting “How long is an IP address blocked when it breaks a rule”. Or, you can “throttle” them, which means that their site access will be temporarily blocked until they reduce their request frequency to below the limit that you have set.
The option “How long is an IP address blocked when it breaks a rule” controls how long an IP address is blocked if you have set the option to “block”. If you would like to be very aggressive, you can set the duration to 24 hours or longer, but it is important to note that IP addresses are dynamically assigned on the internet. So if you block someone using a certain IP address, they may switch to using a different IP address in a day or two, and a new user who is not engaging in malicious activity but who is now assigned the IP you have blocked may now be prevented from accessing your site if you have set this duration very long.
Hope this helps.
Thanks,
Mark.
@maxco7 Do you use ANY Page caching plugin?
Hi, no, I am not using a caching plugin. I have all rate limiting set to block for 30 mins (15/minute), BUT that is not the issue: I am still getting about 100 attacks from the same IP address within a minute (like the above). I am not understanding why they are not getting blocked after the 15th attempt within a minute. Looking in Live Traffic to see.
@maxco7 Are those failed attempts/probes a 404? Can you explain better what kind of attacks they are?
Do you have a Google reCaptcha active in login/register?
@dimalifragis no, I am not using reCAPTCHA. The response is 403. Here is some from today. Although I have rate limiting on everything as per above, I don't understand why they are not blocked after the 15th attempt in 1 minute. I can't see any other settings that I can tweak to stop it.
Amsterdam, The Netherlands
/admin/upload/ 11/13/2023 10:41:38 AM 13.95.89.80 13.95.89.80 403
Amsterdam, The Netherlands
/wp-diambar/includes/ 11/13/2023 10:41:38 AM 13.95.89.80 13.95.89.80 403
Amsterdam, The Netherlands
/wp-content/uploads/simple-fil… 11/13/2023 10:41:37 AM 13.95.89.80 13.95.89.80 403
Amsterdam, The Netherlands
/wp-content/themes/zakra/ 11/13/2023 10:41:36 AM 13.95.89.80 13.95.89.80 403@maxco7 I don’t think Wordfence returns ever a 403. It returns a 503 from what i know.
And your sample posted above is not for login, as you say in your 1st post. Those are probes for files that probably do not exist and should return a 404.
Do you run any other security plugin along with Wordfence?
Hi @dimalifragis (the 403 was the response listed in Wordfence). Below are the settings I have and a list of some attacks; as you can see, about 35 in 1 minute, but settings are at max 15. This is just some of the report; it goes on for hundreds. Really appreciate any advice. Thank you.
Enable Rate Limiting and Advanced Blocking: This checkbox enables all blocking/throttling functions including IP, country, and advanced blocking, as well as the “Rate Limiting Rules” below.
ON
Google’s Crawlers Treatment: Verified Google crawlers will not be rate-limited.
Rate Limiting Rules:
General Requests Limit: If anyone’s requests exceed 15 per minute, block it.
Note: Very strict. May cause false positives.
Crawler-Specific Limits: If a crawler’s page views exceed 15 per minute, block it.
If a crawler’s pages not found (404s) exceed 15 per minute, block it.
Note: Very strict. May cause false positives.
Human User Limits: If a human’s page views exceed 15 per minute, block it.
If a human’s pages not found (404s) exceed 15 per minute, block it.
Note: Very strict. May cause false positives.
IP Address Blocking Duration: An IP address is blocked for 30 minutes when it breaks a rule.
Date & Time: 11/14/2023
Location: Eygelshoven, The Netherlands
IP Address: 45.137.203.99
Host: tube-hosting.com
Status: 403 (Forbidden Access)
Access Attempts:
- 5:44:23 AM – /admin/upload/
- 5:44:23 AM – /wp-diambar/includes/
- 5:44:22 AM – /wp-content/uploads/simple-fil…
- 5:44:21 AM – /wp-content/themes/zakra/
- 5:44:21 AM – /wp-content/themes/pridmag/
- 5:44:20 AM – /wp-content/themes/wp-pridmag/
- 5:44:19 AM – /wp-content/themes/twentyfive/
- 5:44:19 AM – /wp-content/themes/thuoc-nam/
- 5:44:18 AM – /wp-content/themes/sketch/
- 5:44:18 AM – /wp-content/themes/rishi/
- 5:44:17 AM – /wp-content/themes/alera/
- 5:44:16 AM – /wp-content/plugins/core-stab/
- 5:44:16 AM – /wp-content/plugins/zaen/inclu…
- 5:44:14 AM – /wp-content/plugins/wpeazvp/
- 5:44:14 AM – /wp-content/plugins/wp-hps/sh/
- 5:44:13 AM – /wp-content/plugins/wp-freefor…
- 5:44:13 AM – /wp-content/plugins/wp-diambar…
- 5:44:12 AM – /wp-content/plugins/Uwogh-Segs…
- 5:44:11 AM – /wp-content/plugins/ubh/
- 5:44:11 AM – /wp-content/plugins/random/
- 5:44:10 AM – /wp-content/plugins/prenota/
- 5:44:09 AM – /wp-content/plugins/owfsmac/
- 5:44:09 AM – /wp-content/plugins/limit/
- 5:44:08 AM – /wp-content/plugins/home/
- 5:44:07 AM – /wp-content/plugins/cekidot/
- 5:44:06 AM – /wp-content/plugins/cakil/
- 5:44:06 AM – /wp-content/plugins/cache-word…
- 5:44:05 AM – /wp-content/plugins/BrutalShel…
- 5:44:04 AM – /wp-content/plugins/aryabot/
- 5:44:04 AM – /wp-content/plugins/linkprevie…
- 5:44:03 AM – /wp-content/ALFA_DATA/alfacgia…
- 5:44:03 AM – /ubh/
- 5:44:02 AM – /cekidot/
- 5:44:01 AM – /cakil/
- 5:44:00 AM – /cache-wordpress/
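As an added example (not code from the thread or from Wordfence itself), here is a per-IP sliding-window simulation of the "block" versus "throttle" actions Mark describes, using the limit (15 per minute) and duration (30 minutes) from the posted settings, fed a constructed burst shaped like the 11/14/2023 report above. It assumes a simple per-IP counter and makes no claim about how Wordfence implements its counter internally.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIMIT = 15                         # "exceed 15 per minute, block it" (posted settings)
WINDOW = timedelta(minutes=1)
BLOCK_FOR = timedelta(minutes=30)  # "blocked for 30 minutes when it breaks a rule"

def parse_line(line, day="11/14/2023"):
    """Parse one posted 'Access Attempts' entry, e.g. '- 5:44:23 AM – /admin/upload/'."""
    ts, path = line.strip(" -").split(" – ", 1)
    return datetime.strptime(f"{day} {ts}", "%m/%d/%Y %I:%M:%S %p"), path.strip()

def evaluate(events, mode="block"):
    """events: (ip, datetime) pairs, oldest first; returns {ip: [(time, decision)]}.
    block:    once >LIMIT requests fall in one minute, deny everything for BLOCK_FOR.
    throttle: deny only while the trailing one-minute window holds >LIMIT requests."""
    window, blocked_until, out = defaultdict(deque), {}, defaultdict(list)
    for ip, t in events:
        q = window[ip]
        while q and t - q[0] > WINDOW:   # forget requests older than a minute
            q.popleft()
        if mode == "block" and t < blocked_until.get(ip, t):
            out[ip].append((t, "denied (blocked)"))
            continue
        q.append(t)
        if len(q) > LIMIT:
            if mode == "block":
                blocked_until[ip] = t + BLOCK_FOR
            out[ip].append((t, "denied (rule broken)"))
        else:
            out[ip].append((t, "allowed"))
    return out

def tally(result, ip):
    """Count (allowed, denied) decisions for one IP."""
    decisions = [d for _, d in result[ip]]
    allowed = decisions.count("allowed")
    return allowed, len(decisions) - allowed

IP = "45.137.203.99"                 # the address in the posted report
t0 = datetime(2023, 11, 14, 5, 44, 0)
# Constructed input: 35 probes spread over the 23 s the posted report covers,
# then one more request 90 s after the first, and one 31 minutes later.
EVENTS = [(IP, t0 + timedelta(seconds=i * 23 / 34)) for i in range(35)]
EVENTS += [(IP, t0 + timedelta(seconds=90)), (IP, t0 + timedelta(minutes=31))]

if __name__ == "__main__":
    for mode in ("block", "throttle"):
        allowed, denied = tally(evaluate(EVENTS, mode), IP)
        print(f"{mode:8s}: {allowed} allowed, {denied} denied of {len(EVENTS)}")
```

With these settings the 16th request inside a minute trips the rule in either mode; "block" then also denies the request 90 s later (still inside the 30-minute block), whereas "throttle" allows it once the window has emptied. A burst that is logged 35 times in a minute without any denial therefore points at the counter not seeing those requests, which is what the caching-plugin question above is probing.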
Hello @maxco7,
Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.
Thanks again!
Mark