Exploring a WordFence Activity Report


WordFence is a well-known security solution for WordPress websites. It is packed with security features including the WordFence web application firewall, website hardening capabilities, monitoring, logging, brute-force prevention, 2FA, etc. One of its features is the ability to send weekly and even daily website activity reports via email. In this tutorial we dig into these WordFence activity reports and what the different sections of the reports mean. Let’s go!

Top 10 Blocked IPs

The first section of the WordFence activity report is the Top 10 Blocked IPs report. This is simply the 10 IP addresses that WordFence has blocked most often on your website. Next to each address you can see the country of origin of the address and the number of times that WordFence blocked the IP. The list is sorted by block count: the higher the block count, the higher the IP appears in the list.

Top 10 Blocked Countries

The next section of the activity report details the top 10 countries WordFence has blocked on your website. The ranking is determined by the total number of blocks recorded against IPs from each country. For instance, you can see here that an IP from Singapore attacked the site 12 times, which is more than any other combination of IPs from an individual nation, so Singapore is the top country. If, however, two IPs from the US had attacked the site 6 and 7 times respectively, the sum of attacks for the US would be 13 and the US would rank ahead of Singapore.

Top 10 Failed Logins

The next section details the top 10 failed logins that WordFence has detected on the site. The username the attacker attempted to use is shown on the left, the number of attempts using that username is shown in the middle, and on the right you can see whether the user is an existing user or not. Not all failed logins are attackers trying to log in; often you will see that your existing users have failed a login or two. A large number of failed logins is a sign of a brute-force attack.

Recently Blocked Attacks

The next section details recent attacks that the WordFence plugin has blocked on your WordPress website. On the left you can see the date and time of the attack, and on the right you can see the IP and the reason the IP was blocked. In this case the IP 128.90.157.11 was blocked for WordPress New Install File Probing. You will also often see that attackers were blocked for Known Malicious User Agents.

Recently Modified Files

The next section details recently modified files. On the left you can see the date modified and on the right you can see which file was modified. Often files are modified via plugin updates, WordPress core updates, etc.; however, modifications could also indicate the presence of a malicious actor changing files. Running through these results, you can see that all of these files are located in the wp-content directory, which is normal. Further, you can see that they relate to specific plugins including forminator, elementskit, elementor, and hostinger. This information gives site admins a good hint as to whether a modified file is malicious or benign.
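One way to apply this reading of the Recently Modified Files list is to group each path by the plugin, theme or core directory that owns it and compare the groups with the updates you know took place. The sketch below is an added example, not part of the original tutorial or WordFence's own code; the sample rows, the `KNOWN_UPDATES` set and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed rows in the shape of the report's table: (date modified, path
# relative to the WordPress root). Paths and timestamps are made up.
SAMPLE_ROWS = [
    ("2024-05-01 03:12", "wp-content/plugins/forminator/library/class-core.php"),
    ("2024-05-01 03:12", "wp-content/plugins/elementor/assets/js/frontend.min.js"),
    ("2024-05-01 03:13", "wp-content/plugins/elementskit/widgets/init.php"),
    ("2024-05-01 03:15", "wp-content/plugins/hostinger/includes/loader.php"),
    ("2024-05-02 22:41", "wp-includes/version.php"),
    ("2024-05-03 01:07", "wp-content/themes/example-theme/functions.php"),
    ("2024-05-03 04:55", "index.php"),
]

# Assumption: components the admin knows were updated during the report period.
KNOWN_UPDATES = {
    ("plugin", "forminator"), ("plugin", "elementor"),
    ("plugin", "elementskit"), ("plugin", "hostinger"),
}


def classify(path):
    """Map a modified file to the (kind, name) of the component that owns it."""
    parts = [p for p in path.replace("\\", "/").split("/") if p not in ("", ".")]
    if parts[:1] == ["wp-content"]:
        # wp-content/plugins/<slug>/... or wp-content/themes/<slug>/...
        if len(parts) >= 4 and parts[1] in ("plugins", "themes"):
            return (parts[1][:-1], parts[2])
        return ("wp-content", parts[1] if len(parts) > 2 else "")
    if parts and parts[0] in ("wp-admin", "wp-includes"):
        return ("core", parts[0])
    return ("root" if len(parts) == 1 else "other", parts[0] if parts else "")


def triage(rows, known_updates):
    """Group rows by owning component and label each group expected/review."""
    groups = defaultdict(list)
    for modified, path in rows:
        groups[classify(path)].append((modified, path))
    return {
        component: {"status": "expected" if component in known_updates else "review",
                    "files": sorted(files)}
        for component, files in groups.items()
    }


def needs_review(rows, known_updates):
    """Paths that no known update explains, oldest modification first."""
    report = triage(rows, known_updates)
    flagged = [f for g in report.values() if g["status"] == "review" for f in g["files"]]
    return [path for _, path in sorted(flagged)]


if __name__ == "__main__":
    for path in needs_review(SAMPLE_ROWS, KNOWN_UPDATES):
        print("review:", path)
```

A file landing in the review list is not proof of compromise; it only means no update you recorded accounts for the change, so it is the one to inspect first.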

Needed Updates

Finally, the end of the report details any needed updates on your WordPress site. It lists whether your WordPress version needs to be updated, along with any plugins and themes that need to be updated.

That finishes our deep dive into WordFence Activity Reports. I hope it gave you insights and helps you understand the different sections and aspects of the WordFence Activity Reports for your site! 

Walter Miely is a tech entrepreneur and CEO of Phoenix Ignited Tech. You can find him on LinkedIn. This material is licensed under the CC BY 4.0 License. LEGAL DISCLAIMER: The content provided here is provided AS IS, and part of, or the entirety of, this content may be incorrect. Please read the entire Legal Disclaimer here.