Wordfence Live Traffic is real-time so it will update as new visits appear on this page. Note that by default the traffic is updated every two seconds. If you want to change this update frequency you can go to your Wordfence options and change the update interval.
Understanding a Live Traffic record
In most cases we will show the city that the IP address visiting your site originates from. Where we don’t have that data we will show a country or “unknown”. This data is 95% accurate and is based on a commercial IP to city database that we use to resolve IP address locations.
The IP address is the source address which is visiting your site. You can click on the “See recent traffic” button to see all recent hits from this IP. You can also click the “Run a WHOIS” button to find out who the owner of an IP address is. You can also click the “Block IP” button to block that IP address.
If you use the button to block an IP address it is a temporary block controlled by the option “How long is an IP address blocked when it breaks a rule”. You can find this option in the “Rate Limiting” section on the “Firewall Options” page or on the “All Options” page.
If you want to permanently block an IP address then you can find the temporary block you just created by opening the “Blocking” tab on the “Firewall” page. The block will be listed with an expiration time in the “Current blocks” section. You can select that block using the checkbox and then use the “Make Permanent” button. If you are considering manually blocking many IP addresses then this is not always the best solution. See details from our research in the post Ask Wordfence: Should I Permanently Block IPs That I See Wordfence Blocking?
We show the absolute time of the request. We also show the relative time of each hit as relative time, in other words, how many seconds, minutes and hours ago the hit occurred. The time is displayed in your own browsers (computers) timezone and not the one defined in WordPress settings.
You’ll see the “user-agent” that the visitor’s browser has sent, which includes details about their browser, or it may be a custom description for bots. An example User Agent looks like this:
Mozilla/5.0 (Windows 98; en-US; rv:188.8.131.52) Gecko/20161228 Firefox/36.0
The options available for each hit
We provide shortcuts to block the IP address, block the network the IP address originated from, run a “WHOIS” to find out who an IP address belongs to and to see recent traffic from an IP address.
Note that the option to block the network an IP address belongs to is a two step process. The button will open a drawer that does a “Whois” lookup in Wordfence and show you who an IP address belongs to and what the network is for that IP. In that drawer you will find options to block the network which when clicked will take you to our blocking page and give you the opportunity to block the network the IP belongs to.
Traffic logging mode
You can choose to log all traffic or only security-related traffic on the Live Traffic View. We recommend logging only security-related traffic, which includes successful logins, login attempts and various types of blocked hits. As of Wordfence 7.2.3, you may see a prompt on the Wordfence dashboard suggesting switching to the security-only setting. This is now also the default setting on new installations.
If you are using a low-cost hosting plan that limits the resources you have available, choosing “Security Only” is recommended, to reduce the load on your web server. If you still choose to log all traffic, it will allow you to see regular pageviews and other traffic that is not blocked, and it adds an additional request for each visitor, to better distinguish human vs. bot traffic. This may improve accuracy if you use rate limiting settings that are different for human and bot visitors.
If Live Traffic has a message stating “Security-related traffic only (host setting)” at the top of the page, this means that your host or a developer on your site has set Wordfence to only log security-related traffic. This is most likely for database performance and generally should not be changed.
Don’t log signed-in users with publishing access
If you don’t want administrators and editors to show up in Live Traffic, keep this option enabled.
List of comma separated usernames to ignore
This option allows you to exclude certain logged in users from Live Traffic.
List of comma separated IP addresses to ignore
This option allows you to exclude certain IP addresses (such as your own for example) from Live Traffic.
Browser user-agent to ignore
This option allows you to exclude certain user agents (browsers) from Live Traffic. You may use this if you are running external scanners or other remote services on your site that you don’t want to see in Live Traffic.
Amount of Live Traffic data to store (number of rows)
This option limits the amount of database space that is allocated to Wordfence Live Traffic. If you are on hosting with limited resources or if you are having issues with slow database connection you can lower this value. If you are on a high performing site with lots of visitors, you could increase it.
Maximum days to keep Live Traffic data
Along with the number of rows, you can also limit Live Traffic data by the number of days since a hit was logged. The default is 30 days, and the minimum is 1 day. Limits are checked daily, and records over the limit are removed at that time.
Different types of Traffic
Referer spam (also known as Referrer spam) can be of two primary types
A bot visits your page and pretends it is coming from somewhere it is not actually coming from. It is spoofing (faking) the HTTP_REFERER header. Your page loads the tracker code and is then fooled in to submitting incorrect information to your analytics. Bot hits will be visible in the Wordfence “Live Traffic” feed. This type of referrer spam can be stopped by blocking requests to your site that have a particular HTTP_REFERER. In Wordfence you can block this type of referrer spam by entering the referrers you would like to block on the Wordfence “Blocking” page.
A bot uses your Analytics code on a completely different site and submits fake traffic directly to Google Analytics (or another tracking service). Ghost referrer spam never touches your website. Thus this traffic will not be visible in your Wordfence “Live Traffic” feed and it is not possible to stop this traffic by adding any code to your website. Instead, you have to set filters in your analytics tool to filter out such traffic from your results.