What Is The CrowdSec Integration And How Does It Work?

CrowdSec is a global, open-sourced initiative created to combat the threat of malicious machines and bots. It gives us a head-start against malicious bots and lets us block IPs before our Shield plugin needs to perform any assessments.

The CrowdSec integration settings can be found under the IP Blocking section. There are 2 options available:

CrowdSec IP Blocking - how to handle requests from IPs found on CrowdSec blocklist
CrowdSec Enroll ID - CrowdSec instance enroll ID

CrowdSec IP Blocking option

Here you can configure how Shield should block requests from IP addresses found on CrowdSec's list of malicious IP addresses.

You may choose to

Block request with the ability for visitors to auto-unblock

Note: The auto-unblock here is CrowdSec's option and only applies if that IP is blocked because it's on the CrowdSec list.
Block request with no ability to auto-unblock
Disable CrowdSec entirely

To provide the greatest flexibility for your visitors in the case of false positives, select the option to block but with the ability for visitors to automatically unblock themselves.

Important: If you select #1 or 2, Shield will download a list of IPs from CrowdSec and store it on the site. If you select to disable CrowdSec, no downloads will be possible.

CrowdSec Enroll ID option

This is a CrowdSec Instance Enroll ID.

Learn more about this option here.

Hint: The all activities related to CrowdSec will be logged in your Activity Log:

How does CrowdSec integration work?

With the CrowdSec integration enabled, Shield continues to track malicious visitors and then shares this information with CrowdSec, which ultimately then shares the data with other WordPress sites.

This is similar to our ShieldNET’s IP Intelligence system.

To explain how it works in practice, we'll use an example. Let's say we configured it to block request with the ability for visitors to auto-unblock.

Shield will download a list of IPs from the CrowdSec's community IP reputation database and store it on the site.

CrowdSec downloads the latest IPs once per day for premium, and once per week for free.

Shield doesn't add it to its own block list, it stores a separate list called "Crowdsec". For example:

These IPs are blocked immediately, without having ever seen them before.

So, CrowdSec doesn't do any checking of Shield's IPs. It gives us a list of IPs it thinks Shield should also block.

Each time Shield downloads this list, this activity will be logged in your activity log. The name of the event is: CrowdSec: IP Reputation Decisions Acquired and you can see there a number of the IPs added. For example:

If the IP from the "CrowdSec" list is detected visiting that site, it's blocked.

IP listed in the "CrowdSec" list expires at 7 days, or if CrowdSec data says specifically when to expire them.

This auto expiration timeout is from CrowdSec itself.

You can analyse an IP by using IP Management and Analysis tool directly from within IP analysis dialog. Just click an IP you want and it'll open up for you. For example:

Recommendation: Best is not taking any action, just leave these potentially malicious IPs till they expire from the block list. In this way they'll not have a chance to even reach out your site.

For more information about CrowdSec integration in ShieldPRO, please read this blog article here.

Note: ShieldPRO is required for CrowdSec integration. To find out what the extra ShieldPRO features are and how to purchase, please follow this link here.