Problem Description
To check that our Web Application Firewall (WAF) is enabled: log in to Plesk > under the correct website, look for the "Web Application Firewall" button and click it. The page that opens shows whether your WAF is enabled.
WordFence, or another firewall/security system, alerts you to blocked IPs, recent attacks, and failed logins, yet you've got the WAF enabled in Plesk. Shouldn't the WAF take care of all of these for you?
Note: you can replace the name WordFence with any website security solution; they all work in roughly the same manner.
Problem Resolution
Here are a few reasons why WordFence will report blocks that our WAF hasn't (yet) blocked:
- WordFence operates within WordPress itself, so it has access to more detailed information than our WAF does, such as specific WP usernames, when they last logged in, and specifics about your website code. This gives it more context with which to block bad actors sooner. Once WordFence blocks the IP, the bad actor can no longer attempt logins, and so our WAF can no longer detect failed attempts from that IP.
- Our WAF allows hundreds of failed login attempts before blocking the IP, whereas WordFence is configured by default to allow about 1/5 of that amount. It does this because multiple failed login attempts mean the user does not actually have your password, and so they're attempting to brute-force your website's login system by trying every possible password in sequence. Unless you're using a password that's easily guessable like "password" (which WordPress doesn't even allow), it's going to take millions of login attempts to successfully brute-force your password, and our WAF will kick in before that many attempts are tried.
- It's far more common for WordFence to incorrectly block legitimate actions (called false positives) than it is for our WAF, so it's possible some of these actions it's reporting on were not actually attacks.
- WordFence likes to show you every single possible intrusion because it makes you more likely to pay for their pro version.
As a result of this, it can be normal to find WordFence reporting on login failures many hundreds of times per IP. As our firewalls adjust to new botnets, typically those numbers will increase and decrease over time.
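To see the threshold gap described above in your own access log, the following added example (not code from Plesk or WordFence) counts likely failed WordPress logins per IP and shows which IPs a lower plugin-style limit would already report while a higher WAF-style limit has not yet been reached. The two limits, the function names and the sample log lines are assumptions made for illustration; the article gives only "hundreds" and "about 1/5".

```python
import re
from collections import Counter

# Assumed thresholds for illustration only: the article says "hundreds" for the
# WAF and "about 1/5 that amount" for the plugin, without exact figures.
WAF_THRESHOLD = 300
PLUGIN_THRESHOLD = WAF_THRESHOLD // 5

# Combined-log-format prefix: client IP, request method, path, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def failed_logins(lines):
    """Count likely failed WordPress logins per client IP."""
    # Heuristic: a POST to /wp-login.php answered with 200 re-renders the
    # login form; a successful login normally redirects with 302.
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == "200":
            counts[ip] += 1
    return counts

def classify(counts, plugin_limit=PLUGIN_THRESHOLD, waf_limit=WAF_THRESHOLD):
    """Map each IP to the layer(s) whose assumed limit its failure count reaches."""
    def verdict(n):
        if n >= waf_limit:
            return "waf-and-plugin"
        return "plugin-only" if n >= plugin_limit else "below-both"
    return {ip: verdict(n) for ip, n in counts.items()}

def sample_log():
    """Constructed sample lines using documentation-range IPs, not real traffic."""
    fail = '{ip} - - [01/Jan/2024:00:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"'
    ok = '{ip} - - [01/Jan/2024:00:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"'
    lines = [fail.format(ip="203.0.113.10")] * 75      # over the plugin limit only
    lines += [fail.format(ip="198.51.100.7")] * 320    # over both limits
    lines += [fail.format(ip="192.0.2.44")] * 3 + [ok.format(ip="192.0.2.44")]  # mistyped password
    lines.append("garbage line")                       # malformed entry is ignored
    return lines

if __name__ == "__main__":
    for ip, verdict in sorted(classify(failed_logins(sample_log())).items()):
        print(ip, verdict)
```

IPs reported as "plugin-only" are the ones that show up in the plugin's alerts without a matching WAF block.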