Whois Lookup

From Wordfence Documentation

The Whois feature is located on a tab on the Tools page of the Wordfence menu.

The "whois" service is a service on the Internet that gives you a way to look up who the owner of an Internet resource is. For our purposes we are interested in looking up who owns an IP address and who owns a domain name. In most cases you are interested in knowing who owns an IP address that is visiting your website or is engaging in malicious activity on your website.

The "Whois" lookup feature is a powerful feature of Wordfence that we've integrated with Live Traffic and with Advanced Blocking.

Basic use of Whois

To use Whois in Wordfence, simply enter a domain name like 'cnn.com' and hit the button to find out who the owner is. You will see when the domain was registered, when it expires, who the registered owner is and a few email contacts.

Wordfence tries to be helpful by making the email addresses and other items clickable in the response to save you work.

Now try entering an IP address like 8.8.8.8. You will see which network that IP address is part of, who owns the IP address and who to contact if you are seeing malicious activity originate from that IP address. In this case the contact email is "arin-contact@google.com" and so if that IP address attacks your website, you can just send arin-contact@google.com an email telling them to stop hacking your website, or (and this is more likely) that their server has been hacked and someone is using it to hack your website.

How to block Networks using Whois

Sometimes you won't just get hacked from a single IP address like 8.8.8.8 (for example). You might get hacked from 8.8.8.9 and 8.8.8.10 and a few other sequential IP addresses or IP addresses that are close together in the address space. In this case you want to block an entire network and all IP addresses on that network from accessing your website. But you might not be sure what the range of addresses in the network is.

Wordfence makes this really easy by giving you a way to find out which network an IP address is on. Let's stick with the 8.8.8.8 example for the moment. When you do a lookup, Wordfence tells you that the range of addresses in this network is 8.8.8.0 to 8.8.8.255 and it gives you a helpful link that you can click on to block that network. It also tells you how many addresses are in that network, and in this case it is 256 addresses. Go ahead and click the link shown.

If you click a network that has been hotlinked in the Whois results it takes you directly to Wordfence "Advanced Blocking" and puts the address range you clicked on in the range field. Now all you have to do is enter the reason you're blocking the network and click the Block button and you're done.

Note: When you see the results of a Whois query on an IP address, you often will see multiple networks listed that the IP address belongs to. In general you want to pick the smallest network shown. That is why we show you the number of IP addresses in each network - to help you quickly pick the smallest block of IP addresses to block. When looking at the Whois results page for an IP address, scroll down, because often the smaller block of IP addresses that defines a network the IP belongs to is in the lower part of the Whois results.

How to block networks starting at Live Traffic, using Whois and Advanced Blocking

It gets even easier. Let's say your website is under attack and you're seeing the attack in Wordfence Live Traffic. You see several IP addresses attacking you that start with (and this is just an example) 9.9.9.9 and 9.9.9.10 and 9.9.9.14 and 9.9.9.20. They all appear fairly close together. You see a link in your live traffic for each visit titled "Run a WHOIS on 9.9.9.10".

So you click the link on one of the visits in Live Traffic to do a Whois on the IP address. You see the results and you see the networks that the IP address belongs to. You then click on the smallest network (the one with the fewest IP addresses) in the list and are taken to the Advanced Blocking page.

You then enter the reason you're blocking this network to remind yourself why the block exists. You hit the button to save the block and you're done. You've stopped the attack in its tracks with three clicks and blocked an entire malicious network.
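The two procedures above (picking the smallest network from the Whois results, then checking that it covers the attacking addresses seen in Live Traffic) come down to a small amount of logic. The following is an added example, not Wordfence's own code: it parses a constructed whois response in the ARIN "NetRange: first - last" style, counts the addresses in each listed block, chooses the smallest block that contains the looked-up IP, and reports which of the observed attacker addresses that block would stop. The network names, contact addresses and attacker IPs are invented for the example.

```python
import ipaddress
import re

# Constructed sample of a whois response for an IP address, with two networks
# listed the way the page describes: the larger block first, the smaller block
# lower down. Names and contact addresses are invented for this example.
SAMPLE_WHOIS = """\
NetRange:       8.0.0.0 - 8.127.255.255
CIDR:           8.0.0.0/9
NetName:        EXAMPLE-LARGE-BLOCK
OrgAbuseEmail:  abuse@example.net

NetRange:       8.8.8.0 - 8.8.8.255
CIDR:           8.8.8.0/24
NetName:        EXAMPLE-SMALL-BLOCK
OrgAbuseEmail:  abuse@example.com
"""

# Matches the "NetRange: first - last" lines of an ARIN-style whois response.
NETRANGE_RE = re.compile(r"^NetRange:\s*(\S+)\s*-\s*(\S+)\s*$", re.MULTILINE)


def parse_networks(whois_text):
    """Return every network listed in the response as (first, last, count)."""
    networks = []
    for first, last in NETRANGE_RE.findall(whois_text):
        start = ipaddress.ip_address(first)
        end = ipaddress.ip_address(last)
        # Number of addresses in the block: the figure shown next to each network.
        count = int(end) - int(start) + 1
        networks.append((str(start), str(end), count))
    return networks


def contains(network, ip):
    """True if ip falls inside the (first, last, count) network."""
    first, last, _ = network
    return ipaddress.ip_address(first) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(last)


def smallest_network_containing(whois_text, ip):
    """Pick the block with the fewest addresses that still contains ip.

    This is the page's rule of thumb: block the smallest network shown, so the
    block covers no more of the address space than the attacker's own network.
    Returns None when no listed network contains the address.
    """
    candidates = [n for n in parse_networks(whois_text) if contains(n, ip)]
    return min(candidates, key=lambda n: n[2]) if candidates else None


def covered_by_block(network, observed_ips):
    """Which of the attacking IPs seen in Live Traffic the chosen block stops."""
    return [ip for ip in observed_ips if contains(network, ip)]


if __name__ == "__main__":
    # Constructed attacker addresses, close together in the address space as in the page's example.
    seen = ["8.8.8.8", "8.8.8.9", "8.8.8.10", "8.8.9.1"]
    block = smallest_network_containing(SAMPLE_WHOIS, seen[0])
    print("block range: %s - %s (%d addresses)" % block)
    print("covered by that block:", covered_by_block(block, seen))
```

Run against the sample, the lookup for 8.8.8.8 selects the 256-address block 8.8.8.0 to 8.8.8.255 rather than the 8,388,608-address block above it, and the last observed address (8.8.9.1) falls outside it, which is the cue to run a second lookup on that address rather than widen the block.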