When I installed Wordfence a few weeks back my IP address was 87.112.xx.xxx. I assumed it remained constant so I whitelisted it in my wordfence settings.
This morning when checking my emails I noticed a wordfence alert telling me a user with administrator access had logged into my site last night at 11.06pm, from a different IP address 87.15.yyy.yy. It may have been me as I was online last night, but wasn’t sure of the exact time.
When I logged on to Wordfence this morning, in my ‘Options’ settings I noticed my whitelisted IP address had changed to a third IP, 87.112.zzz.zz But I don’t remember changing it from the original .xxx one I typed in when I set up Wordfence.
I tried blocking both yy and zz IP addresses in Wordfence. It let me block the zz one, but wouldn’t let me bock the yy one, as it said it was my own IP address.
From an activity log plugin I have, I now see that I’ve actually been logging on from the new whitelisted .zz IP address for the last few weeks, so it must have changed at some point, without my knowing. Then yesterday, it changed again to the current .yy one, which sparked the alert.
I don’t think I’m losing my marbles, but I am confused. I always assumed you had one IP address per computer, which stayed the same. Can someone reassure me that it is normal for an IP address to keep changing? While that would reassure me it was probably me logged in last night rather than someone hacking in, it would make it difficult to whitelist my IP address if it keeps changing without my knowledge.
Also, I’m pretty darn sure I didn’t change the original .xxx address in the whitelist, to .zz, so I’m not sure how that happened. Is that something Wordfence would do automatically if it detected a different IP address?
Needless to say I’ve changed my wordpress login password this morning just in case, but I’m still worried that I may have been compromised, and baffled that my IP address keeps changing.
When I tried to WHOIS the yy and zz IPs, both came back with an ‘Error 201: Access Denied: Sorry, access from your host has been permanently denied because of a repeated excessive querying. For more information see…’ then a link to a page at http://www.ripe.net, which when I clicked on it, my ESET anti virus pogramme blocked it.
All very worrying for a non-expert like me.
Finally, I ran a Wordfence scan, it didn’t flag anything other than a single amber warning about a ‘modified’ Tweetily plugin that I have known about for some weeks and am fairly sure is okay.
Be grateful for any advice, thanks.
PS. I'm aware my question is a little long, so I am happy to sign up for the Premium version to get the additional support if required.
Thanks.