[Defender] notification lock out Defender

Hello,

At the moment I get a lot of notifications from Defender:
Hi WPjournalist ,
We've just locked out the host 145.53.9.15 from https://www.wpjournalist.nl due to more than 3 404 requests for the file /amp/apple-touch-icon-152x152-precomposed.png. They have been locked out for 300 seconds.

I don't think these are spammers? How can I solve this?

greetz, Marcel

  • Predrag Dubajic

    Hi Marcel,

    Hope you're doing well 🙂

    The number of requests is really large from that IP, are you sure it's a mistake?
    You can go to Defender Pro > IP Lockouts > IP Banning and whitelist the IPs that you trust.

    However, would you mind granting support access to your site so we can check Defender logs for this IP and check why it was blocked?
    To enable support access you can follow this guide here:
    https://premium.wpmudev.org/docs/getting-started/getting-support/#chapter-5

    Best regards,
    Predrag

  • Adam Czajczyk

    Hi Marcel

    You can see Defender lockout logs on "Defender -> IP Lockouts -> Logs" page.

    I checked that and I didn't find many occurrences of that IP. However, I found a lot of similar lockouts for different IPs, with the same or similar reasons.

    Since you currently have quite a strict 404 lockout policy (lockout if only 3 x 404 errors are hit), it might quite often cause a "false lockout". The main idea of the feature is to prevent malicious bots from "scanning" the site for vulnerabilities (it's common that a bot goes through various known site URLs and, while most of them return 404 Not Found, some might actually "open the door" for injecting some code - that's why locking out intensive 404 scans is important) and to prevent things like some sorts of DDoS attacks where heavy "404 hitting" might cause the site to overload.

    However, the downside is that if there are actually some issues on the site - like a missing or inaccessible icon file in a theme (and there's sometimes more than one) - it can cause additional, unnecessary lockouts. For example: if there are e.g. 4 images missing on the site and you've got a 3 x 404 error lockout threshold, in some cases even a single visit to the site could cause the lockout (because there'll be 4 times a 404 Not Found status returned and detected). I hope that makes sense 🙂

    So, in that case, I'd suggest reviewing the logs on "Defender -> IP Lockouts -> Logs" page and looking at the list of files that are mentioned there. I think that some (if not all of them) could be fixed. Sometimes that might mean re-installing/updating a theme (AMP theme in that case) but even a simple trick of simply uploading a 1x1 pixel transparent file in a stated location, with a proper name - could solve the 404 issue and as a result minimize the chance of "false lockouts".

    Best regards,
    Adam
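
The effect described in the last reply can be checked against a web server access log. This is an added example, not part of the thread and not Defender's own code: it assumes combined-format log lines, a 300-second counting window, and constructed IPs and paths, and it lists which clients would cross a "more than 3" 404 threshold and which missing paths are shared by several clients.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
THRESHOLD, WINDOW = 3, 300  # "more than 3" 404s; the 300 s counting window is an assumption

def make_log():
    """Constructed sample: two browsers loading /amp/, one client probing made-up paths."""
    icons = ["/amp/apple-touch-icon-152x152-precomposed.png", "/amp/apple-touch-icon-152x152.png",
             "/amp/apple-touch-icon-precomposed.png", "/amp/apple-touch-icon.png"]
    probes = [f"/probe-{i}.php" for i in range(4)]  # placeholder paths, not real targets
    rows = []
    for ip, minute, paths in [("198.51.100.7", 0, icons), ("198.51.100.22", 5, icons),
                              ("203.0.113.9", 9, probes)]:
        rows.append((ip, minute, 0, "/amp/", 200))
        rows += [(ip, minute, s + 1, p, 404) for s, p in enumerate(paths)]
    return "\n".join(f'{ip} - - [10/Mar/2019:10:{m:02d}:{s:02d} +0000] "GET {p} HTTP/1.1" {st} 0 "-" "-"'
                     for ip, m, s, p, st in rows)

def parse(log):
    """Yield (ip, timestamp, path, status) for each line in combined log format."""
    for m in map(LINE.match, log.splitlines()):
        if m:
            ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")
            yield m[1], ts, m[3], int(m[4])

def analyse(log):
    """Return (ips that would be locked out, 404 paths hit by more than one client)."""
    hits, clients, locked = defaultdict(list), defaultdict(set), set()
    for ip, ts, path, status in parse(log):
        if status != 404:
            continue
        clients[path].add(ip)
        # keep only this client's 404s that are still inside the counting window
        hits[ip] = [t for t in hits[ip] if (ts - t).total_seconds() < WINDOW] + [ts]
        if len(hits[ip]) > THRESHOLD:
            locked.add(ip)
    # a path that 404s for several unrelated clients is probably a file missing from the site
    shared = sorted(p for p, ips in clients.items() if len(ips) > 1)
    return locked, shared

if __name__ == "__main__":
    locked, shared = analyse(make_log())
    print("would be locked out:", sorted(locked))
    print("missing files to fix first:", *shared, sep="\n  ")
```

With the constructed log, both ordinary visitors are locked out after a single page view, and the four icon paths they share are the ones to restore before tuning the threshold.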
