Security → Blocks
Blocks is the per-site view of everything the security pipeline stopped. Each layer — the WAF, the rate limiter, Patchstack, login lockout, and the edge IP-reputation layer — reports what it rejected, and Blocks collects all of it into one timeline, attributed to the control that did the blocking. It answers the question the rest of your analytics can’t: what tried to get in, and what stopped it?
Find it under the Security tab of any site in the dashboard.
What each blocker means
Section titled “What each blocker means”| Blocker | Layer | What it caught |
|---|---|---|
WAF (coraza) |
Site runtime | A request matched an attack pattern — injection, XSS, traversal. |
| Rate limit | Site runtime | A client exceeded its request budget and was throttled. |
| Patchstack | Edge | A request matched a known plugin/theme CVE exploit signature. |
| Login lockout | Site runtime | A source hit too many failed logins on wp-login.php. |
| IP reputation ban | Edge | An IP with a bad reputation was refused by the edge (CrowdSec). |
The edge layers (Patchstack and IP-reputation attribution via CrowdSec) act before a request reaches your site at all; the runtime layers (WAF, rate limit, login lockout) act at the application. Seeing them side by side tells you whether you’re fending off broad internet scanning at the edge or targeted attempts against one site.
Block volume over time
Section titled “Block volume over time”The chart at the top of the page plots block volume, broken down by blocker. Read it for shape, not just total:
- A flat, low baseline across all blockers is normal background noise — the internet scanning every public site.
- A spike in Patchstack blocks usually means a freshly disclosed CVE is being scanned for across the web. You’re already protected; confirm the affected plugin is updated anyway.
- A spike in login-lockout blocks against one site is a credential-stuffing run. Confirm login lockout is doing its job and consider an IP allowlist on wp-admin.
- A spike in rate-limit blocks can be an attack or a misbehaving integration of your own — check the source before assuming malice.
Blocked requests stay out of Requests
Section titled “Blocked requests stay out of Requests”Blocked requests are deliberately kept out of the normal Requests view. Attack traffic is high-volume and would otherwise drown out your real visitors, skewing status-code ratios, top-paths, and latency percentiles. So the two views are clean by design: Requests is the traffic you served, Blocks is the traffic you refused.
How to read and act on a block
Section titled “How to read and act on a block”-
Start with the chart. Identify which blocker spiked and when.
-
Filter the table to that blocker and timeframe. Look at the source IPs — one noisy IP is a targeted attempt; a wide spread is distributed scanning.
-
Open a block for detail. WAF blocks show the matched rule and the offending request; Patchstack blocks show the CVE signature; IP-reputation bans show the reputation scenario.
-
Decide. Genuine attack traffic needs no action — it was stopped. If you suspect a false positive (a legitimate request being blocked), grab the block ID and report it; the team adds a targeted exclusion rather than weakening the ruleset. See WAF tuning.
Who can see Blocks
Section titled “Who can see Blocks”The Blocks view is available to site_manager and above —
site_manager, admin, and owner. An observer sees observability data but not
the security-block detail, and billing has no site access. See
teams & roles for the full role matrix.
site_manager+ visibility keeps attacker IPs and matched-rule detail scoped to the people responsible for the site.