Wordfence is causing daily Wordfence 503 lock outs of my server's IP

I’ve had daily full sitewide 503 lockouts for 4 days running showing the server IP visits the site to log in.
SITE: https://www.ciuspress.com

Started on the 14th when I gave the WordPress Theme Author Laborator (Kalium theme) an admin pass to diagnose a display issue on their theme. They’re in EU, I’m N.A., they’ve had the pass a few times before w/o issue.
When I saw emails in the morning of the 15th there were 4 “Wordfence has been disabled” warnings. Theme Author emailed saying they couldn’t remove the display error they were sent to diagnose, in the standard 2024 theme, so they turned off plugins (I believe Cloudflare caching could be the issue for that, but have not tested that yet). It’s obvious from the multiple emails that they turned Wordfence on and off multiple times.
It was since this point that I’ve had daily 503 sitewide lockdowns. You can browse the WooCommerce site, but no one can log in, EXCEPT a new customer.
The BLOCKED IP in WordPress was always the server’s IP

I diagnosed on the 17th that the Cloudflare plugin was not active on the site. It was active but not running due to the API key being wiped. I thought reinstating the Cloudflare plugin on the site would fix.
Today my same IP from the server

I never remember ‘white-listing’ any IPs before in Wordfence, so what did the Laborator Kalium tech break? Could this be malicious or tech error?

This Laborator tech has caused hours and hours of diagnostics for me and am now unable to determine what is happening.

Wordfence is closed now, reopening M-F. Any insight would be appreciated, thanks

Cheers
TD @ CIUS Press

Those look to have nothing to do with Cloudflare. That 162. IP address was blocked due to too many failed login attempts. That’s most likely a bot, since it’s coming from a Bluehost server.

Make sure you click on the 503 link in your post to learn more about what that response code means.

1 Like

Thanks for your response but I dont think it’s the issue.
I had already done the IP search and put it in Cloudflare’s list.
Am I reading this incorrectly? {{ EDIT>>> It appears I was wrong the IP is my server’s IP? !! }}

As far as too many login attempts - that never (in the past) caused Wordfence to lock down the entire site.
I’ll spend more time diagnosing if Wordfence has changed since being switched off an on, but there’s no way one IP attack should lock down every registered login account.

{{EDIT>> if the IP is not Cloudflare’s and the Cloudflare plugin is now working on the site, then this is not a Cloudflare issue, but if anyone has any further insight, Id appreciate it! }}

Cheers
TD

My question now is, why was the API wiped in the Cloudflare plugin, if it was only deactivate?

Is this a proper incident when turning off the plugin?
Or is something else happening?

ALSO !!! My site has been left on “Under Attack” Mode, but now after checking the latest 503 block, just 30 min ago, Cloudflare is not set to “Under Attack”!

Dose this API irregularity mean someone has access to my Cloudflare account settings?

More help is needed, thanks

TD

More HLP needed

It appear that very unusual site activity is occurring

all activity seems to be coming from the server IP why is htat?

162.214.161.150

What’s your Wordfence setting for this?

And if you’ve set it like mine, does it show your home IP address right below it?

It should be here:
https://www.ciuspress.com/wp-admin/admin.php?page=WordfenceOptions

1 Like

Thanks I did make this change and this is one of the things Wordfence support mentioned too.
I was glad to get their support open again
The site is running and looks like all parts are working fine
Thanks for your help and insight.

TD

2 Likes

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.