Wordfence after attacks shuts down the website | WordPress.org

kristynakadlecova
(@kristynakadlecova)

4 days, 16 hours ago

Hello,

Over the last month, we have been experiencing website outages. In the HTTP request log, we can see that Wordfence has a lot of work to do. There are quite a few attacks on the login page. But not so many that it makes sense for Wordfence to increase the server load during attacks by calling itself from the outside. Can’t this be done at the PHP level? This adds more requests and the server pool may not be able to keep up. In addition, the website returns a 503 error instead of the expected 404 when Wordfence blocks a user from logging in. It doesn’t make sense to us why we have outages lasting 5-14 seconds many times a day, sometimes even longer, with a 503 error, given that Wordfence has many requests regarding attacks.
An example of our log types: https://naposlech.cz/?wordfence_syncAttackData=1765193233.9413 (dozens of them)
https://noc3.wordfence.com/hackAttempt/?k=86606c18dba9305575cb2c5ce274ef1565017d561fabf01e17bdf54697c28f557fa1b627e46fc1df88a73a1db7bf61cd5ed9c3a9cafc7d2666b5987f55127bc2&IP=2682192768&t=brute&type=1
Requests last more than a second, each of them.

Can you advise us?
Thank you in advance
Kris

The page I need help with: [log in to see the link]

Viewing 1 replies (of 1 total)

Plugin Support wfpeter
(@wfpeter)

3 days, 2 hours ago

Hi @kristynakadlecova, thank-you for getting in touch.

The wordfence_syncAttackData script is a normal process run by Wordfence to ensure your malware signatures and rules are up-to-date with the latest ones we have released. They’re only called from the browser if Wordfence can’t sync automatically, usually meaning that the site can’t reach itself. That might suggest there is another problem with the server configuration, a CDN like Cloudflare, or a server firewall stopping Wordfence.

You can check whether the site can reach itself at Wordfence > Tools > Diagnostics under “Connecting back to this site“. If it can, your site might just be seeing a heavy amount of access attempts. 403 or 503 blocks by the firewall trigger the need to sync, so seeing this process triggered with an HTTP error code is usually expected. This doesn’t usually affect site performance though, but if your site is being hit very hard then it may slow down as a side-effect.

If you’d like us to look into it further, you can send that page to us at wftest @ wordfence . com by finding the link at the top. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

Many thanks,
Peter.

Viewing 1 replies (of 1 total)

You must be logged in to reply to this topic.

1 reply
2 participants
Last reply from: wfpeter
Last activity: 3 days, 2 hours ago
Status: not resolved