This is the fifth installment in a new series we started last month called Ask Wordfence. You can access previous posts here.
Today’s question comes from Brooke in Harrisonburg:
When I see IPs blocked by the firewall, or blocked for trying to log in, is there a benefit to permanently blocking them, one by one, or is it enough that Wordfence just blocks them each time?
This great question is likely shared by a broad audience. We know that the blocking features in Wordfence are incredibly popular. In short, there is a potential benefit to permanently blocking these IPs, but there are also risks associated with it.
To help you decide how you want to use blocking as part of your security strategy, we’ve pulled together a number of factors you should consider.
The Amount of Attacking IPs Can Be Overwhelming
In our monthly WordPress attack report for October, we reported that we had added 123,277 IPs to the Wordfence real-time IP blacklist during the month. That’s nearly 4,000 per day and roughly 166 per hour. It is impossible for a site owner to keep up with the massive, ever-changing list of IP addresses that attack WordPress sites. By manually blocking even 1,000 malicious IP addresses, you are barely making a dent.
To visually illustrate the scale of the challenge we created this motion chart, which shows the total number of IPs we added and removed for just the top 10 countries this past Monday, by hour.
Attackers Cycle Through IPs Quickly
One of the most important factors to consider when developing your blocking strategy is how long IPs continue to attack. It varies dramatically by IP address. 220.127.116.11, for example, was the top attacking IP in our WordPress Attack Report in both September and October and was number 24 on the list in August. On the other side of the spectrum, many IPs stop attacking after just a few hours. Back in September we did a deep dive on the Wordfence real-time IP blacklist and found that the average IP address spends just 10 hours on the list.
The criminals that attack WordPress websites know that the IPs they use are going to be blocked by site owners and blacklists. In an effort to avoid being blocked, they regularly cycle through different IP addresses.
Attackers Don’t Reuse IPs as Often as You Might Think
In the blacklist deep dive we mentioned in the previous section, we also looked at how often attackers reuse IPs. We found that, for the most part, they used an IP address just once, with less than a third being used twice or more. The table below shows the breakdown of the number of times we added IPs to the Wordfence real-time IP blacklist during the month of August.
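Before adding a permanent block, a site owner can measure the two numbers that matter here (how long an IP keeps attacking, and whether it ever comes back) in their own block log. The following is an added example, not Wordfence code and not part of the original post: the log format and the IP addresses (taken from documentation ranges) are constructed for illustration, and the 24-hour gap used to decide that an IP "returned" is an assumption you would tune to your own data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Wordfence output). Each line is:
#   "<date> <time> <ip> <event>"
SAMPLE_LOG = """\
2017-11-06 00:12:01 203.0.113.5 blocked: login attempt
2017-11-06 00:12:03 203.0.113.5 blocked: login attempt
2017-11-06 01:40:10 203.0.113.5 blocked: login attempt
2017-11-06 02:05:44 198.51.100.7 blocked: firewall rule
2017-11-07 09:00:00 198.51.100.7 blocked: firewall rule
2017-11-08 03:30:30 198.51.100.7 blocked: firewall rule
2017-11-06 05:00:00 203.0.113.77 blocked: login attempt
2017-11-06 06:00:00 203.0.113.78 blocked: login attempt
2017-11-06 06:00:01 203.0.113.78 blocked: login attempt
2017-11-09 23:59:59 192.0.2.200 blocked: login attempt
"""


def parse_log(text):
    """Return {ip: [datetime, ...]} of block events, sorted per IP."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, time, ip, *_ = line.split()
        events[ip].append(datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"))
    for ip in events:
        events[ip].sort()
    return dict(events)


def summarize(events, repeat_gap=timedelta(hours=24)):
    """Per-IP dwell time and reuse, plus totals for the whole log.

    An IP "returned" only if two of its events are at least repeat_gap apart:
    a permanent block buys something only in that case, because the firewall
    already blocks every request inside a single attack burst.
    """
    per_ip = {}
    for ip, times in events.items():
        dwell = times[-1] - times[0]
        returned = any(b - a >= repeat_gap for a, b in zip(times, times[1:]))
        per_ip[ip] = {
            "hits": len(times),
            "dwell_hours": dwell.total_seconds() / 3600,
            "returned": returned,
        }
    total = len(per_ip)
    return {
        "ips": total,
        "single_sighting": sum(1 for s in per_ip.values() if s["hits"] == 1),
        "returned_after_gap": sum(1 for s in per_ip.values() if s["returned"]),
        "avg_dwell_hours": (sum(s["dwell_hours"] for s in per_ip.values()) / total
                            if total else 0.0),
        "per_ip": per_ip,
    }


def candidates_for_permanent_block(summary):
    """Only IPs that came back after the gap are worth a manual, lasting block."""
    return sorted(ip for ip, s in summary["per_ip"].items() if s["returned"])


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(f"{s['ips']} IPs, {s['single_sighting']} seen once, "
          f"{s['returned_after_gap']} returned after 24h, "
          f"average dwell {s['avg_dwell_hours']:.1f} h")
    print("worth a permanent block:", candidates_for_permanent_block(s))
```

On the constructed log, three of the five IPs attack in a single short burst and never return, so a permanent block would have added nothing over the firewall's per-request blocking; only one IP comes back on later days. Run against a real month of your own block events, the same two counts tell you directly how much a manual block list could ever achieve for your site.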
Many Attacking IPs Actually Belong to Other Attack Victims
As we’ve discussed above, attackers need access to lots of IP addresses. Being criminals, they generally don’t solve that problem by going out and paying for them. Instead they find ways to take over the IPs of victims who have clean reputations. As we wrote last week, in many cases it is your clean reputation that makes you a target.
One source of clean and fresh IPs that we see attacking WordPress websites is hacked home routers. You might remember our posts earlier in the year about a large home router botnet being used for WordPress brute force attacks. The IPs belonged to a long list of ISPs from around the globe, and each one represented an unsuspecting victim’s home.
Putting It All Together
Blocking IPs manually is generally an ineffective security tactic. Attackers cycle through IPs quickly and tend not to reuse them, so a block added today usually outlives the attack it was meant to stop. Attacking IPs often belong to victims, so you also risk blocking real users who want to access your website.
Blocking large groups of IPs, like entire countries, is a popular approach many site owners use. But there are significant risks and headaches associated with blocking legitimate requests from online services like Google Adwords, search engines and service providers. If you can overcome those challenges, however, this can be a very useful layer of security for some site owners.
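The practical way to manage that risk is to check any large block range against the ranges you know must stay reachable, and carve those out before the block goes live. The following is an added example, not part of the original post and not Wordfence code: the candidate block ranges and the allowlist are constructed from documentation address space, and in practice the allowlist would be built from each provider's own published IP list (ad network, payment gateway, search crawlers).

```python
import ipaddress

# Constructed, hypothetical data: these are not real country allocations or
# provider ranges.
CANDIDATE_BLOCKS = ["203.0.113.0/24", "198.51.100.0/25", "192.0.2.0/24"]

# Ranges that must never be blocked (assumed here; take them from the
# providers' published lists in practice).
ALLOWLIST = ["198.51.100.64/28", "203.0.113.200/32", "192.0.2.0/24"]


def find_conflicts(candidates, allowlist):
    """Return (candidate, allowed) pairs whose address ranges overlap."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    conflicts = []
    for cand in candidates:
        net = ipaddress.ip_network(cand)
        for keep in allowed:
            if net.overlaps(keep):
                conflicts.append((str(net), str(keep)))
    return conflicts


def prune_blocks(candidates, allowlist):
    """Return the candidate ranges with every allowlisted range removed.

    Two CIDR blocks that overlap always nest, so a piece is either entirely
    inside an allowed range (drop it) or contains it (split it with
    address_exclude, which yields the covering CIDRs that remain).
    """
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    result = []
    for cand in candidates:
        pieces = [ipaddress.ip_network(cand)]
        for keep in allowed:
            next_pieces = []
            for piece in pieces:
                if not piece.overlaps(keep):
                    next_pieces.append(piece)
                elif piece.subnet_of(keep):
                    continue  # whole piece is protected; nothing left to block
                else:
                    next_pieces.extend(piece.address_exclude(keep))
            pieces = next_pieces
        result.extend(pieces)
    # Sort by version first so mixed v4/v6 input does not raise on comparison.
    return sorted(result, key=lambda n: (n.version, n))


def overlaps_any(networks, allowlist):
    """True if any network in the list still touches an allowlisted range."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    return any(n.overlaps(keep) for n in networks for keep in allowed)


if __name__ == "__main__":
    for cand, keep in find_conflicts(CANDIDATE_BLOCKS, ALLOWLIST):
        print(f"candidate {cand} overlaps protected {keep}")
    pruned = prune_blocks(CANDIDATE_BLOCKS, ALLOWLIST)
    print("safe to block:", [str(n) for n in pruned])
    print("still conflicts:", overlaps_any(pruned, ALLOWLIST))
```

The pruned list is longer than the input (a /24 with one protected /32 removed becomes eight smaller CIDRs), which is the usual cost of carving exceptions out of country-sized blocks; a firewall that accepts an allowlist evaluated before the block list avoids that expansion, but the overlap check is still worth running so you know which services a new block would have cut off.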
Let Wordfence Do the Work For You
Wordfence Premium includes an IP blacklist that we update in real time. We add thousands of IPs to the list each day, staying a step ahead of attackers as they cycle through IPs in their attempts to evade IP-level blocks. We also remove thousands of IPs each day, minimizing the impact of blocking IPs that belong to the unsuspecting victims’ routers and other devices. The most you’ll pay for Premium is $99 per year, which means you can enable 24/7 real-time blocking at scale for less than 30 cents per day. Considering how much time is typically involved in manually trying to manage your own IP block list, we think that’s a great value.