My site is IP blocked by Defender

Yes, our website pern*******ieuws.nl keeps being IP blocked even though our IP is in the whitelist. Right now, though, if I try to access it using my mobile in 4G it also shows me the message that it's blocked. So I don't know if it's blocked everywhere...

And this issue happened a few times before.

  • Adam Czajczyk
    • Support Gorilla

    Hello Gemini Design

    I hope you're well today and thank you for your question!

    The "lockout" can happen for various reasons but since the IP is white-listed, there's no lockout in logs and the "lockout message" has gone away after clearing Hummingbird cache, I would expect that there's some sort of "cache conflict". What I mean is that in some cases if there's both a page cache active (via some plugin such as Hummingbird or W3 Total Cache or any other) and there's also some sort of cache on server - these can interfere leading to unexpected issues.

    I think the server you're hosting on is a VPS, right? I'm not sure if you're managing it on your own or if it's a "managed VPS" but it would be good to start with checking if there is any server-side caching active and what kind of it, then trying to purge and disable it temporarily if possible to see if that sorts out the issue.

    You might need to get in touch with your host to check this but it's something that should be checked first. If there's no cache or it turns out that it doesn't affect the issue, I'll include our developers in the case so they could check the site and diagnose the issue in order to fix this.

    Let me know about the cache, please.

    Kind regards,
    Adam

  • Adam Czajczyk
    • Support Gorilla

    Hi Gemini Design

    Thanks for the response.

    After reviewing Defender logs again carefully I noticed that there are multiple failed login attempts logged with usernames of two existing users ("gem..." and "Per....") from an IP of 5.1X.XX.5 (you can see full IP in logs). It seems to be located in Russia.

    But neither this IP, nor the usernames used are banned so even if there's some sort of "attack attempt" going on, you should still be able to log-in unless your current IP is blocked or the HB cache is indeed "running wild" on site.

    That being said, I would like to actually check the cache additionally and run some checks of IP detection on the server. I'd need to access the site via at least FTP though and the credentials that you shared during the chat don't seem to work for me - my connection is refused even though the FTP client seems to be connecting to the host. Do you have any additional security settings for FTP - like e.g. country blocking or something similar (I'm in Poland)? If so, could you temporarily disable it so I could access the FTP please?

    Kind regards,
    Adam

  • Gemini Design
    • WPMU DEV Initiate

    Hi Adam,
    Thank you for checking in our issue. The FTP logins are correct but we have an IP whitelist for accessing via FTP. If you could send me your IP address I can get it whitelisted within an hour more or less.

    Thanks again for your help.
    Best regards,
    Gemini

  • Adam Czajczyk
    • Support Gorilla

    Hello Gemini Design

    Thank you for your response and I apologize for such a delay. I didn't manage to get back to you on the same date and then the support forum was under maintenance over the weekend so we temporarily had no access to it. I'm sorry for keeping you waiting.

    My IP currently is 83.9.47.200 but I must say that I'm not sure for how long it will stay that way. It's dynamic and sometimes it stays the same for months, sometimes it changes more than once a day upon router restarts (e.g. if there's a connectivity issue or firmware update pushed). But let's give it a try if there's no other way.

    Just confirm here, please, once it's white-listed.

    Kind regards,
    Adam

  • Adam Czajczyk
    • Support Gorilla

    Hello Gemini Design

    Thank you. I'm afraid though that my IP didn't last long enough. It's different now and unfortunately I have no way of predicting when it will change again - it might be in a week or two, it might be in a few minutes from now 🙁

    Anyway, let's for now try something different. Could you please:

    - download attached .zip file, extract it to your local drive
    - upload the "fetch-ips.php" file from inside the zip to the "/wp-content/mu-plugins" folder of your site's WordPress install
    - create some new page or post on the site (it may be private or a draft, as long as you can preview it)
    - put this shortcode on it:

    [test-ips]

    - check that page
    - check which of the lines is/are showing your current IP correctly? I'm asking about the text before the IP address (e.g. REMOTE_ADDR, HTTP_FORWARDED and so on).

    Let's start with that then 🙂

    Best regards,
    Adam

  • Gemini Design
    • WPMU DEV Initiate

    Hi Adam,
    Sorry for the late answer. I missed the notification of your message...
    I've downloaded your file, but in my WordPress installation I can't see the "mu-plugins" folder you are referring to. Not inside "wp-content" and not inside "wp-content>plugins". Is that the correct name?

    Thanks for your help!
    Gemini

  • Adam Czajczyk
    • Support Gorilla

    Hello Gemini Design

    Thank you for your response and I apologize for such a long delay on my end. It's been a bit hectic here on the forums recently and we're trying to "catch up" as fast as possible. I'm sorry for the delay again.

    As for your question: by default there's no "mu-plugins" folder, you just need to create one. Simply create empty folder named "mu-plugins" right inside the "wp-content" folder (not in "/wp-content/plugins" but just in "wp-content") and then upload the file into that folder. Once it's there, follow the steps that I outlined in my previous post, please, and update me here.

    Best regards,
    Adam

  • Adam Czajczyk
    • Support Gorilla

    Hello Gemini Design

    Thank you for your response and I'm sorry for the delay.

    The file location looks fine, that's where it should be but it does, indeed, look like the shortcode was not processed (so the code is not even executed by WordPress).

    To be honest, I don't see any reason for this other than, for example, the file being added to a wrong location - e.g. if you've got multiple WP installs on the same server and it just ended up in the wrong one. But I might be missing something.

    Since we're limited by IP lockouts then there's one last thing that we can try. It could be a bit risky but if I refrain from making any changes to files and only stick to reviewing them, the risk is close to none. If you could please:

    - install and enable this plugin on site

    https://wordpress.org/plugins/file-manager/

    - then enable support access by going to the "WPMU DEV -> Support" page in site's back-end and clicking on the "Grant support access" button there

    that would give me some more insight to the WP install so that could help to find out why my test plugin is not working and hopefully also some additional clues on the main issue with IPs being blocked.

    Let me know here when it's done, please.

    Best regards,
    Adam

  • Adam Czajczyk
    • Support Gorilla

    Hello Gemini Design

    Thank you for your response.

    I was able to check the site now and even look into some logs. The surprising thing is that I'm still not sure why the code that I shared doesn't work - the shortcode is proper and the file is in the right location but the shortcode is still not executed. Nevertheless, I just took a different route and put a file in the root folder (I already removed it), slightly modified, to be accessed directly. It let me confirm that the IP is properly detected and the HTTP headers carrying the IP are also right.

    So, while I suspected this might be the culprit (as I've already seen issues with IP detection/HTTP headers being the cause of similar problems), it's not what's causing it.

    I didn't find anything meaningful in the debug log either, nor any "possibly troublesome" settings in wp-config.php...

    Just to make sure: are you still/have you been experiencing the issue recently or did it go away? Could you give me an example IP that was affected (so one of those white-listed that got locked out anyway)?

    Best regards,
    Adam
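
Added example, not part of the thread and not the fetch-ips.php attachment: a stand-alone PHP script showing why the check above matters for a "whitelisted but still locked out" report. When a server-side cache or proxy sits in front of PHP, REMOTE_ADDR holds the proxy's address, and a forwarding header may be honoured only when the connection really comes from that proxy. The proxy address, the allowlisted address and the HTTP_X_FORWARDED_FOR key are assumptions for illustration.

```php
<?php
// Added example, not the thread's fetch-ips.php. All addresses are constructed.

/** Addresses listed in a forwarding header, oldest hop first. */
function forwarded_chain(array $server): array
{
    if (!empty($server['HTTP_FORWARDED'])) {
        // RFC 7239 syntax: for=192.0.2.1;proto=https, for="[2001:db8::1]"
        preg_match_all('/for="?\[?([^\]";,\s]+)/i', $server['HTTP_FORWARDED'], $m);
        return $m[1];
    }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    }
    return [];
}

/** Client IP as an allowlist or lockout check should see it. */
function resolve_client_ip(array $server, array $trustedProxies): string
{
    $ip = $server['REMOTE_ADDR'];
    // Forwarding headers are client-controlled unless the TCP peer is our own proxy.
    if (!in_array($ip, $trustedProxies, true)) {
        return $ip;
    }
    // Walk right to left: the first hop that is not one of our proxies is the visitor.
    foreach (array_reverse(forwarded_chain($server)) as $hop) {
        if (!filter_var($hop, FILTER_VALIDATE_IP)) {
            break; // malformed entry: keep the last address we could vouch for
        }
        $ip = $hop;
        if (!in_array($hop, $trustedProxies, true)) {
            break;
        }
    }
    return $ip;
}

$allowlist = ['203.0.113.10']; // assumed allowlisted visitor address
$proxies   = ['127.0.0.1'];    // assumed server-side caching proxy
$cases = [
    'behind cache'  => ['REMOTE_ADDR' => '127.0.0.1',    'HTTP_X_FORWARDED_FOR' => '203.0.113.10'],
    'forged header' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'],
];
foreach ($cases as $label => $vars) {
    $resolved = resolve_client_ip($vars, $proxies);
    printf("%-13s REMOTE_ADDR=%-12s resolved=%-12s allowlisted=%s\n", $label,
        $vars['REMOTE_ADDR'], $resolved, in_array($resolved, $allowlist, true) ? 'yes' : 'no');
}
```

In the first case a check keyed on REMOTE_ADDR alone would compare 127.0.0.1 with the allowlist, and a lockout recorded against that address would apply to every visitor. In the second case the header is ignored because the connection does not come from the trusted proxy, so a forged header cannot borrow the allowlisted address.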

  • Gemini Design
    • WPMU DEV Initiate

    Hi Adam,

    Apologies for the late answer, it's been busy lately... Right now the issue seems to have gone away. It happened 2 times in the last 2 months but in the last weeks everything has been working fine, so maybe it's wise to stop any further tests and see how long it stays like this.

    Thank you for your help!

  • Predrag Dubajic
    • Support

    Hi Gemini,

    Apologies for the delay here.

    I checked the logs in Defender and I see that on the 22nd there were two lockouts due to attempts to log in with forbidden usernames.
    Are you sure that Defender was inactive at that time?

    I did a couple of tests on your site by clearing the cache and then locking myself out by using a forbidden username, and I was never locked out of the site on a second browser that had a different IP.
    I also enabled HB caching logs and identify cached pages to be sure that caching wasn't added to the lockout page and it indeed didn't do that.

    If the issue happens again, can you please open up the browser console when you're seeing the Defender protection message by right clicking on the page and selecting Inspect, and also right click and select View Page Source.
    In the inspector switch to the Console tab and then grab us screenshots of both of those so we can see if there's any info in there on why the Defender page is cached and shown.

    Best regards,
    Predrag
