Last Friday we quietly launched a new Premium feature in Wordfence: A real-time IP blacklist that completely blocks known malicious IPs from accessing your website. On Monday we did a second release with a few improvements. Then we announced the blacklist on Tuesday this week.
Today we took a first look at data showing how many attacks the real-time blacklist is blocking each day on our Premium customer websites – and the data is incredible.
First we generated a chart showing all attacks that have been blocked by the real-time blacklist since the initial Friday release. Here’s what it looks like:
As I mentioned in our Tuesday announcement, we are releasing IPs to the blacklist in stages as we bring this feature into production over the coming weeks. Last Thursday we added 100 malicious IPs that are generating a large number of attacks and it had the immediate effect of blocking over 160,000 attacks per day on our Premium customer websites.
After Thursday we gradually grew the list and occasionally removed IPs. This is what the changes to the blacklist looked like over the next few days:
As you can see, we are constantly adding IPs to the list and removing them from it. As we bring the blacklist online, the list total is slowly growing and is currently hovering around 400 IPs. You can see the effect these changes are having in the chart above: the number of daily attacks the list is blocking is gradually increasing for our Wordfence Premium customers.
Zero false positives!
What is incredibly reassuring is that out of this huge volume of attacks, we have only had 4 reports that appeared to be false positives. Two of them were for the same IP address, which is a very badly behaved Ukrainian IP that is definitely not a false positive. We investigated the reports and found that the customer sites were misconfigured, which caused the false positive reports.
We haven’t had a single legitimate false positive report, which is great news. It means that our algorithms for determining which IPs should be on the blacklist are working perfectly.
Measuring the blacklist efficacy
Blocking a malicious IP outright is far better than only blocking the malicious requests from that IP address. This is because we don’t want a malicious IP to learn anything at all about our customer websites that could help them attack the site. Ideally, the target website should be completely inaccessible to a malicious IP so they can’t perform reconnaissance before an attack to learn more about their target.
We wanted to measure what percentage of attacks on our customer sites are being blocked by the blacklist at this point, even though the list is still relatively small. To generate this report, we looked at the data from the past 24 hours and only considered sites that have been running the newest version of Wordfence Premium for the full 24 hours with the blacklist enabled.
During that period we saw a total of 1,415,330 attacks on the sites that we analyzed. Broken out into its component parts, that is 107,956 attacks blocked by the firewall, 845,591 brute force attacks blocked by Wordfence and 461,783 attacks blocked because they came from IPs on the new blacklist.
That means that 32.6% of attacks on these sites in 24 hours were blocked by the new IP blacklist! The rest were blocked by the Wordfence firewall and brute force protection.
That is incredible considering the blacklist is only 399 IPs right now.
We’re seeing this because attacks on WordPress sites follow a long-tail distribution: a small number of IPs generate a huge number of attacks, and a large number of IPs each generate a much smaller number of attacks. So when we blacklist the top 399 IPs, a large number of attacks are stopped.
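To make the long-tail effect and the per-layer breakdown above measurable on your own data, here is an added example (not Wordfence's code) that computes both from a list of blocked-attack events. The `<ip> <layer>` line format, the layer names and the sample data are assumptions constructed for illustration.

```python
from collections import Counter
from itertools import accumulate

def parse_events(lines):
    """Yield (ip, layer) from lines of the assumed form '<ip> <layer>'."""
    for line in lines:
        parts = line.split()
        if len(parts) == 2:          # skip blank or malformed lines
            yield parts[0], parts[1]

def layer_shares(events):
    """Fraction of all blocked attacks attributed to each blocking layer."""
    per_layer = Counter(layer for _, layer in events)
    total = sum(per_layer.values())
    return {layer: n / total for layer, n in per_layer.items()}

def top_n_coverage(events, n):
    """Share of attacks that came from the n highest-volume source IPs."""
    per_ip = Counter(ip for ip, _ in events)
    total = sum(per_ip.values())
    return sum(c for _, c in per_ip.most_common(n)) / total

def ips_needed(events, target):
    """Smallest number of top IPs whose combined attacks reach `target` share."""
    counts = sorted(Counter(ip for ip, _ in events).values(), reverse=True)
    total = sum(counts)
    for n, running in enumerate(accumulate(counts), start=1):
        if running >= target * total:
            return n
    return len(counts)

def sample_events():
    """Constructed long-tail data: 3 heavy hitters plus 50 low-volume IPs."""
    lines = ["203.0.113.7 blacklist"] * 500 + ["203.0.113.9 blacklist"] * 300
    lines += ["198.51.100.4 bruteforce"] * 100
    for i in range(50):              # tail: 2 attacks per IP
        lines += [f"192.0.2.{i} firewall", f"192.0.2.{i} bruteforce"]
    lines.append("malformed-line-without-layer")   # exercised by the parser
    return list(parse_events(lines))

if __name__ == "__main__":
    ev = sample_events()
    print("share per layer:", layer_shares(ev))
    for n in (1, 2, 3, 10):
        print(f"top {n} IPs cover {top_n_coverage(ev, n):.1%} of attacks")
    print("IPs needed for 85% coverage:", ips_needed(ev, 0.85))
```

In the constructed data, 3 of 53 source IPs account for 90% of attacks, while covering the remaining tail requires listing many more low-volume addresses.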
Our goal is of course to block all malicious IPs or get as close to that as possible. The effectiveness of an attacker is not always directly proportional to the number of attacks they launch. So we need to block the low volume attackers too and we will do just that as we expand the blacklist over the coming days and weeks.
This data is incredibly exciting because it demonstrates how effective the new Wordfence Premium blacklist is at completely blocking known malicious IPs from consuming resources and from accessing anything on our customer WordPress websites.
As always I will be around to reply to your questions and comments below. I hope you’re as excited about this new feature as we are. This is beginning to feel like we have completely changed the game on anyone attacking WordPress!