Hi @zignorp, thanks for your message.
My general advice is that Wordfence does all of the important blocking for you automatically so you don’t have to implement a manual blocking regime – which can be time consuming to keep up with current IP ranges etc. The behavior or intent of the humans/bots each time they make a request is more important to Wordfence when making a decision on blocking. This might be why these requests aren’t showing as red blocks in your Live Traffic.
Wordfence settings to immediately block users when they access a URL must start with a “/” so are relative to the domain hosting the WordPress site. Wordfence > All Options > General Options > Scan files outside your WordPress installation may be checked in your case, although I can’t be certain without more information. If you do wish to provide a screenshot of one of these Live Traffic entries, you can do so using a service like Snipboard where you can obscure any sensitive information before sharing. Ideally, click the entry (or eye icon on the right) to expand it so I can see all of the information associated with the access attempt to mail.domain.com.
If you did want to outright block any access to a subdomain you don’t use, possibly look at .htaccess type blocking instead to see if it makes a noticable difference to these attempts showing up.
Let me know how you get on,
Peter.
