Real-Time Live Traffic

Wordfence Live Traffic shows you what is happening on your site in real-time.

The Wordfence “Live Traffic” page feed shows you what is happening on your site in real-time. Wordfence logs your traffic at the server level which means it includes data that JavaScript-based packages like Google Analytics do not show you. As an example, Live Traffic shows you visits from Google’s crawlers, hack attempts, and other visits that do not execute JavaScript. Typically Google and other analytics packages will only show you visits from web browsers that are operated by a human.

Wordfence Live Traffic is real-time so it will update as new visits appear on this page. Note that by default the traffic is updated every two seconds. If you want to change this update frequency you can go to your Wordfence options and change the update interval.

Understanding a Live Traffic record

Location
In most cases, we will show the city that the IP address visiting your site originates from. Where we do not have that data we will show a country or “unknown”. This data is 95% accurate and is based on a commercial IP to city database that we use to resolve IP address locations.

IP Address
The IP address is the source address that is visiting your site. You can click on the “See Recent Traffic” button to see all recent hits from this IP. You can also click the “Run WHOIS” button to find out who the owner of an IP address is. You can also click the “Block IP” button to block that IP address.

Note that if you use the button to block an IP address it is a temporary block controlled by the option “How long is an IP address blocked when it breaks a rule”. You can find this option in the “Rate Limiting” section on the “Firewall Options” page.

If you want to permanently block an IP address then you can find the temporary block you just created by opening the “Blocking” tab on the “Firewall” page. The block will be listed with an expiration time in the “Current blocks” section. You can select that block using the checkbox and then use the “Make Permanent” button. If you are considering manually blocking many IP addresses then this is not always the best solution. See details from our research in the post Ask Wordfence: Should I Permanently Block IPs That I See Wordfence Blocking?

Time
We show you the absolute time of the request. We also show you the relative time of each visit as relative time, in terms of how many seconds, minutes, and hours ago the visit occurred. The time displayed is based on your internet browser (your computer) time and not the time defined in your WordPress settings.

Browser
You will see the “User-Agent” that the visitor’s browser has sent, which includes details about their browser, or it may be a custom description for bots. An example User-Agent looks like this:

Mozilla/5.0 (Windows 98; en-US; rv:1.9.1.20) Gecko/20161228 Firefox/36.0

The options available for each hit
We provide shortcuts to block the IP address, block the network the IP address originated from, run a “WHOIS” to find out who an IP address belongs to, and see recent traffic from an IP address.

Note that the option to block the network an IP address belongs to is a two-step process. The button will open a drawer that does a WHOIS lookup in Wordfence and show you who an IP address belongs to and what the network is for that IP. In that drawer, you will find options to block the network, which when clicked will take you to our blocking page and give you the opportunity to block the network the IP belongs to.

Options

Traffic logging mode

You can choose to log all traffic or only security-related traffic on the Live Traffic page feed. We recommend logging only security-related traffic, which includes successful logins, login attempts, and various types of blocked requests. As of Wordfence 7.2.3, you may see a prompt on the Wordfence dashboard suggesting switching to the security-only setting. This is now also the default setting on new installations of Wordfence.

If you are using a low-cost hosting plan that limits the resources you have available, choosing “Security Only” is recommended, to reduce the load on your web server. If you still choose to log all traffic, it will allow you to see regular page views and other traffic that is not blocked, and it adds an additional request for each visitor, to better distinguish human versus bot traffic. This may improve accuracy if you use rate-limiting settings that are different for human and bot visitors.

If Live Traffic has a message stating “Security-related traffic only (host setting)” at the top of the page, this means that your host or a developer on your site has set Wordfence to only log security-related traffic. This is most likely for database performance and generally should not be changed.

Don’t log signed-in users with publishing access

If you don’t want administrators and editors to show up in Live Traffic, keep this option enabled.

List of comma separated usernames to ignore

This option allows you to exclude certain logged in users from Live Traffic.

List of comma separated IP addresses to ignore

This option allows you to exclude certain IP addresses (such as your own for example) from Live Traffic.

Browser user-agent to ignore

This option allows you to exclude certain User-Agents (browsers) from Live Traffic. You may use this if you are running external scanners or other remote services on your site that you do not want to see in Live Traffic.

Amount of Live Traffic data to store (number of rows)

This option limits the amount of database space that is allocated to Wordfence Live Traffic. If you are on hosting with limited resources, or if you are having issues with a slow database connection then you can lower this value. If you are on a high-performing site with lots of visitors, you could increase it.

Maximum days to keep Live Traffic data

Along with the number of rows, you can also limit Live Traffic data by the number of days since a visit was logged. The default is 30 days, and the minimum is 1 day. Limits are checked daily, and records over the limit are removed at that time.  Note that you cannot record data for more than 30 days.

Different types of Traffic

Referer spam

Referer spam (also known as Referrer spam) can be of two primary types:

Bot hits
A bot visits your page and pretends it is coming from somewhere it is not actually coming from. It is spoofing (faking) the HTTP_REFERER header. Your page loads the tracker code and is then fooled into submitting incorrect information to your external traffic analytics tool. Bot hits will be visible in the Wordfence “Live Traffic” feed. This type of referrer spam can be stopped by blocking requests to your site that have a particular HTTP_REFERER. In Wordfence you can block this type of referrer spam by entering the referrers you would like to block using the “Referrer” custom pattern blocking feature.  This found feature is found via the “Blocking” tab on the “Firewall” page.

Ghost hits
A bot uses your JavaScript code, linked to your external traffic analytics tool, on a completely different site and submits fake traffic directly to your tracking service. Ghost referrer spam never reaches your web server. Thus this traffic will not be visible in your Wordfence Live Traffic page feed and it is not possible to stop this traffic by adding any code or blocking rules to your site. Instead, you have to set filters in your analytics tool to filter out such traffic from your results.

Frequently Asked Questions

  • Live Traffic only shows one IP address

    If all hits appear to be coming from the same IP address, or if you are seeing many hits originating from IP’s starting with 10.x.x.x or 192.168.x.x then Wordfence may not be correctly configured. Please read our documentation on the option that appears on the Wordfence options page on how to set how Wordfence gets visitor IP addresses.