Channel: WordPress.org Forums » All Topics

Feature Request: Automatically whitelist Jetpack/Akismet XML-RPC requests


Replies: 0

Hello,

While hunting for more hackers having fun trying to take over my tiny server, I found a lot of IP addresses listed under Login Security > Settings > Allowlisted IP addresses that bypass 2FA (admin.php?page=WFLS#top#settings), which I had completely forgotten about.

They were placed there once I activated 2FA for XML-RPC (to try to limit the number of attacks…) to open holes for Jetpack and Akismet (and potentially VaultPress, for those using that service from Automattic as well). As it happens, they weren’t up-to-date, which could have been a problem. I promptly visited https://jetpack.com/support/hosting-faq/ which keeps that information updated and made all necessary changes (they even mention Wordfence!).

One cool ‘Easter egg’ that they now have on this page (which I haven’t visited for a while, so I can’t really say when it was added) are two links that allegedly will emit a list of the current valid IP addresses:

https://jetpack.com/ips-v4.json (JSON)
https://jetpack.com/ips-v4.txt (plain text)

This allows for automated inclusion of those IP addresses to be whitelisted on all sorts of firewalls or to exclude them from web statistics, etc. (very similar in concept to the system provided by Cloudflare, namely https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6).

It would be nice if you could add an option to verify if Jetpack/Akismet/VaultPress are installed and, in that case, automatically add the list of IP addresses to whitelist, making a call to those links; and then add a wp-cron job to update them every once in a while.

I’m sure this is not insanely hard to do; I’m not really familiar with the webhooks provided by the Wordfence plugin, or I’d try to do a very basic plugin to do that…
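The automation requested above, as an added illustration in Python (not Wordfence, Jetpack or WordPress code): fetch the plain-text feed over HTTPS, then validate every entry before it lands in an allowlist that bypasses 2FA, since one over-broad or tampered line there is an authentication bypass. The feed layout, the default URL and the prefix-length limit are assumptions, and the sample feed is constructed.

```python
import ipaddress
import urllib.request
# Constructed sample feed (one entry per line); the last three are bad on purpose.
SAMPLE_FEED = """\
# comment line
192.0.2.0/24
198.51.100.17
203.0.113.0/25
0.0.0.0/0
10.1.0.0/16
not-an-address
"""

# Refuse anything broader than /16 (assumed limit): a 0.0.0.0/0 here would switch 2FA off for everyone.
MIN_PREFIX_LEN = 16
NON_PUBLIC = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def fetch_feed(url="https://jetpack.com/ips-v4.txt"):
    # Network fetch, not used in the offline run; HTTPS only, since a tampered list is an auth bypass.
    if not url.startswith("https://"):
        raise ValueError("allowlist feeds must be fetched over HTTPS")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def parse_allowlist(text, min_prefix_len=MIN_PREFIX_LEN):
    """Return (accepted networks, rejected [(line, reason)]) for a fetched feed."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "unparseable"))
            continue
        if net.version != 4:
            rejected.append((line, "not IPv4"))
        elif net.prefixlen < min_prefix_len:
            rejected.append((line, "prefix too broad"))
        elif any(net.overlaps(p) for p in NON_PUBLIC):
            rejected.append((line, "non-public range"))
        else:
            accepted.append(net)
    return accepted, rejected

def is_allowlisted(ip, networks):
    # True if a client address falls inside any accepted network.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)
```

In a wp-cron refresh, only replace the stored allowlist when the fetched feed parses with no rejected lines; otherwise keep the previous list and log the rejects.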
