My current firewall setup is set to a medium security level with the US being allowlisted.
However, when I check my WordPress logs, I notice several among the many international IP addresses trying to repeatedly gain access to my web server. Here is a sample list:
217.147.169.231 from the Ukraine under the ISP name LLC TC Interzvyazok and a usage type of Data center/Web hosting/transit (go here for more details: 217.147.169.231 | LLC TC Interzvyazok | AbuseIPDB).
I wouldn’t whitelist the US, as many attacks come from the US as well. I’d start limiting other countries as needed.
Or…(I’m a big fan of Wordfence), install Wordfence. It does a really good job of blocking malicious traffic. Their paid plan, if you want to be even more strict, will let you blacklist most of the world.
I am trying to block all international traffic before it reaches apache. From my understanding, there’s no software/plugin, even the paid ones, that will accomplish this task. The only other way is to insert IP table rules via my firewall.
I am not about to insert more than 1 billion IP addresses in my one small-mid size VPS. Even though there’s still a risk of whitelisting US, I can blacklist on an individual basis at the firewall level if and when the attack happens. Currently, I haven’t gotten any attacks from the US. Mainly China, Croatia, Russia, Germany, Netherlands, and Ukraine.
In the meantime, can I just leave US whitelisted and block specific international country ASNs such as the aforementioned foreign countries?
Also, if my logs are still picking up international traffic even though the US is the only country whitelisted, what benefit does it do me for whitelisting US?
The Whitelist/Blacklist function isn’t just for countries. It also works on IP addresses and ranges. In more granular cases, it helps to Whitelist IP addresses of your own that may look suspicious due to some specific ways you use your own website. So go ahead and whitelist the US, as you do want to give US users the benefit of the doubt.
But that isn’t going to raise the defenses against the rest of the world. What might help is to set the security level to High. Read on…
What I just now tried: I have a Page Rule that sets Security Level to “Under Attack” for wp-admin and wp-login. I added my home IP address to the Firewall Access Rules as a Whitelist. I can confirm I don’t get the Under Attack interstitial when I whitelisted my address.
So…Set your Security Level to Under Attack, and whitelist the US. I hope that works/helps.
Since I get a plethora of the LLC TC Interzvyazok Ukraine attacks a day, I am going to blacklist its ASN and monitor my logs to see if the actual requests are blocked.
Blocking countries is also available on the Business plan, but for non-biz you could also captcha non-US countries. Not quite the same as a block, but effective for blocking lots of malicious traffic.
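For the check mentioned above (blacklisting an ASN, then watching the logs to see whether its requests still arrive), here is an added example that is not from any poster in this thread. It assumes Apache combined-format logs whose first field is the real client IP; the log lines, the block time and the /24 prefix standing in for the ASN's ranges are all constructed.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample: Apache combined-log lines as seen at the origin server.
SAMPLE_LOG = """\
217.147.169.231 - - [10/Mar/2021:08:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
217.147.169.231 - - [10/Mar/2021:09:30:45 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:09:31:02 +0000] "GET / HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
217.147.169.231 - - [10/Mar/2021:12:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""

# Assumption: one prefix standing in for the blocked ASN's announced ranges.
BLOCKED_NETS = [ipaddress.ip_network("217.147.169.0/24")]
# Assumption: the moment the firewall rule was enabled.
BLOCK_TIME = datetime.strptime("10/Mar/2021:10:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z")

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


def hits_from_blocked(log_text, nets, block_time):
    """Split requests from blocked networks into (before, after) the block time."""
    before, after = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        try:
            ip = ipaddress.ip_address(m.group(1))
            ts = datetime.strptime(m.group(2), TS_FORMAT)
        except ValueError:
            continue  # hostname instead of IP, or malformed timestamp
        if not any(ip in net for net in nets):
            continue
        hit = (ts, str(ip), m.group(3), m.group(4))
        (after if ts >= block_time else before).append(hit)
    return before, after


if __name__ == "__main__":
    before, after = hits_from_blocked(SAMPLE_LOG, BLOCKED_NETS, BLOCK_TIME)
    print(f"{len(before)} request(s) before the block, {len(after)} after")
    for ts, ip, method, path in after:
        # Anything listed here reached the web server despite the rule.
        print(f"still reaching origin: {ts.isoformat()} {ip} {method} {path}")
```

If the web server logs the address of a proxy in front of it rather than the visitor's, the first field will not match the blocked ranges and the check will report nothing either way.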