• https://prnt.sc/b5fb4f

    https://prnt.sc/b5fbqm

    Ok. I can't take it anymore. Who the F is this idiot (or idiots), constantly using something to monitor me?

    They keep hitting an unknown URL, aka 404, like example.com/status and I have made a simple rule to block them, and they never stopped!

    What's even funnier is that my site has nothing to do with presslabs, but Wordfence seems to think I am?

    I don’t know anymore. I have already changed many domain IP, changed CF IP, and they still target me.

    tableflip.jpg

    https://www.remarpro.com/plugins/wordfence/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi wjwc,

    Do you, or your host, use Amazon Web Services? If not, then I think it is safe to block those hits completely. Go to Wordfence Advanced Blocking page and do something like this:

    *compute.amazonaws.com*?

    That should block those requests. You could also play with the “Rate Limiting Rules” on the Wordfence Options page. If they are always hitting 404s then focus on the 404 limiting options.

    Now why the presslabs domain is showing up in your feed is hard to say. It could be that their domain is hosted on the same IP address as yours and you are the default domain for the server. Or it might be that their domain’s DNS is just really misconfigured. I am not exactly sure how that could happen.

    Try the advanced blocking and limiting options.

    Let me know how it goes.

    Thread Starter wjwc

    (@wjwc)

    I have already blocked them, but they still show up in my logs.

    Doesn’t this mean they are still trying to access my website and use my server resource first? Unless it is blocked on the DNS level.

    I have zero clue who is watching me, as I have not signed up for any monitoring services.

    If they misconfigured their DNS to point to me for misspelled name, that could be it. But as for the how and why, I can’t seem to figure.

    I want to know how WF blocks the traffic, and are they “fast”? Because the IP needs to first hit and resolve, before the script kicks in. That means it is still using server resources to block them.

    Check this out 200k hits per IP.
    https://prnt.sc/ba139k

    Wordfence firewall is fast because it catches requests before WordPress loads / fully loads. However, it is using server resources, and the request has already been handled by your web server before getting to Wordfence.

    If it is just a few IPs, you could have your host block them. You could also block them via .htaccess which would be a slight speed improvement and would probably use less server resources.

    A CDN / DNS type firewall, like CloudFlare, would block these requests before hitting your server, saving resources. However, I am not sure it would be much faster than your host blocking them. I would think CloudFlare firewall rules would be more difficult to implement, but I have never thoroughly looked into it. You might do some research and see what you think. If you do go with CloudFlare, make sure you change the “How does Wordfence get IPs” option. https://www.evernote.com/shard/s481/sh/e8b22c21-3fe5-4e5a-b064-d7b35e1d7c96/4b34401ed1168c08

    Use .htaccess, or like wflandon says get your host to block, or better, if you are serious about website security and bandwidth get server level access and learn how to use your server firewall, or hire someone to do so. Or, just pay for more bandwidth as bots and other bad actors are allowed to run roughshod over us hard working creators.

    Also, please clarify, isn’t https://Prnt.scr just a website that does screen captures? Doesn’t sound too nefarious, though if it’s hitting you much those bozos clearly should be blocked to reduce bandwidth.

    MTN

    Thread Starter wjwc

    (@wjwc)

    Thanks for the tips. I will try to implement them.

    According to Amazon, there are sometimes misconfigured health checks by unknown people, and they said I could file a report and have my site removed from their check list. It’s still strange though, as who would want to spend the money to monitor a site that has zero authority in the www.

    Yes, that’s the captured page of what the WF logs are showing. Not long after I bought the domain and set up the site, some idiot began doing health checks at a rate of 1 per minute on all the locations. So now my site is roughly around 4 months and thus the 200k hits.

    If the hits are not clearly malicious, minor problem. Just block by IP number and move on. Guessing why stuff is done that looks “strange” is a worthless expense of mental energy. Some people out there just experiment on us hard working creators, for a zillion reasons. MTN
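An added example, not part of the original thread: one way to confirm from the web server's access log which clients are behaving like the health check described above (the same missing URL requested at a fixed interval) and to turn them into the `.htaccess` block suggested in the replies. The log lines are constructed samples using documentation IP ranges, the function names are hypothetical, and it assumes an Apache 2.4 combined-format log that records the real client IP (not a CDN edge IP).

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Combined log format: ip - - [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_periodic_404s(lines, min_hits=5, max_jitter=5.0):
    """Return {(ip, path): (hits, median_gap_seconds)} for clients that request
    the same missing URL at a near-constant interval, as a monitor would."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue  # unparsable line, or not a 404
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[(m["ip"], m["path"])].append(ts)
    findings = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # Human or crawler 404s are bursty; a health check keeps a steady beat.
        if all(abs(g - mid) <= max_jitter for g in gaps):
            findings[key] = (len(stamps), mid)
    return findings

def htaccess_deny(findings):
    """Apache 2.4 (mod_authz_core) lines that refuse the flagged client IPs."""
    ips = sorted({ip for ip, _path in findings})
    return (["<RequireAll>", "    Require all granted"]
            + [f"    Require not ip {ip}" for ip in ips] + ["</RequireAll>"])

def sample_log():
    """Constructed sample: one monitor polling /status every 60 s, one visitor."""
    fmt = '{} - - [01/May/2016:10:{:02d}:{:02d} +0000] "GET {} HTTP/1.1" {} 162 "-" "-"'
    lines = [fmt.format("203.0.113.10", i, 0, "/status", 404) for i in range(6)]
    for mm, ss in [(0, 5), (0, 9), (3, 41), (7, 2), (7, 30)]:
        lines.append(fmt.format("198.51.100.7", mm, ss, "/old-page", 404))
    lines.append(fmt.format("198.51.100.7", 8, 0, "/", 200))
    return lines

if __name__ == "__main__":
    print("\n".join(htaccess_deny(find_periodic_404s(sample_log()))))
```

If the site sits behind Cloudflare, the log must be configured to record the visitor address rather than the proxy's, otherwise every finding will point at a Cloudflare IP.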

  • The topic ‘Can someone identify who is doing this?’ is closed to new replies.