• Resolved webmasterfreya

    (@webmasterfreya)


    Hello,

    My site has been hammered with requests on wp-login.php for a couple of days.
    All the user logins (like seller, shop, admin etc.) should be immediately blocked but are not.

    All those requests have the same http_user_agent which is :
    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

    and an empty http_referer ("-")

    Example :
    Ismailia, Egypt /wp-login.php 11-2-2020 15:58:37 41.39.124.254 200
    Activity Detail
    Ismailia, Egypt attempted a failed login using an invalid username “admin”. https://www.freya.nl/wp-login.php
    11-2-2020 15:58:37 (-470 seconds ago)
    IP: 41.39.124.254
    Human/Bot: Bot
    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

    Example from access log:
    200.68.137.219 - - [10/Feb/2020:14:55:11 +0100] "POST /wp-login.php HTTP/1.0" 200 3632 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

    Most requests come from the far east.

    Update:
    Instead of blocking all the IPs (ranges), I have now added the following to .htaccess:

    RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    RewriteRule ^ - [F,L]

    This returns a 403 (forbidden) and I don’t see the endless stream of login attempts anymore under Live Traffic (but they still are coming of course).

    I’m very curious how this (bad bot) can do so many requests from so many countries and why they are not blocked on user login names, which I would have expected.

    Regards


Viewing 4 replies - 1 through 4 (of 4 total)
  • Hey @webmasterfreya,

    I’m happy to hear you were able to block the requests using the htaccess file. Live Traffic will still log attempts, whether they be successful or not.

    I’ve spoken with the developers about this. They ran some tests with the empty referrer and it doesn’t seem to affect it, which is what they were expecting to see.

    They’ve mentioned the most likely reason it fails is due to another plugin using the login hooks, which returns a response that we don’t expect from WordPress. They’re discussing better ways to handle this moving forward.

    Thanks,

    Gerroald

    Thread Starter webmasterfreya

    (@webmasterfreya)

    Gerroald, Thanks for your reply.
    I have the plugins Manual User Approve and BuddyPress, which fiddle with registration and login.

    Thread Starter webmasterfreya

    (@webmasterfreya)

    PS Live Traffic does not show the 403 messages, but access-ssl-log does.

    e.g.
    179.232.100.10 - - [11/Feb/2020:21:14:32 +0100] "POST /wp-login.php HTTP/1.0" 403 1423 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
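
An added example, not part of the thread: since the 403 responses only show up in the web server's access log, this Python sketch groups `POST /wp-login.php` entries by User-Agent and reports how many source addresses each agent used and how many of its requests were not answered with 403. The sample lines are constructed (documentation IP ranges), and the function names and the `min_ips` threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
# Constructed sample lines; the IPs are documentation ranges, not taken from the thread.
SAMPLE = [
    f'203.0.113.7 - - [10/Feb/2020:14:55:11 +0100] "POST /wp-login.php HTTP/1.0" 200 3632 "-" "{UA}"',
    f'198.51.100.23 - - [10/Feb/2020:14:55:14 +0100] "POST /wp-login.php HTTP/1.0" 200 3632 "-" "{UA}"',
    f'192.0.2.55 - - [11/Feb/2020:21:14:32 +0100] "POST /wp-login.php HTTP/1.0" 403 1423 "-" "{UA}"',
    f'203.0.113.7 - - [11/Feb/2020:21:14:40 +0100] "POST /wp-login.php HTTP/1.0" 403 1423 "-" "{UA}"',
    '192.0.2.80 - - [11/Feb/2020:21:15:02 +0100] "POST /wp-login.php HTTP/1.1" 302 0 '
    '"https://example.test/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/72.0"',
    'not a log line',
]

def summarize_login_posts(lines):
    """Group POST /wp-login.php requests by User-Agent; unparsable lines are skipped."""
    stats = defaultdict(lambda: {"ips": set(), "statuses": Counter(), "empty_referer": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        entry = stats[m["ua"]]
        entry["ips"].add(m["ip"])
        entry["statuses"][int(m["status"])] += 1
        if m["referer"] in ("", "-"):
            entry["empty_referer"] += 1
    return dict(stats)

def distributed_agents(stats, min_ips=3):
    """User-Agents that posted from >= min_ips addresses and never sent a referer."""
    return [ua for ua, e in stats.items()
            if len(e["ips"]) >= min_ips and e["empty_referer"] == sum(e["statuses"].values())]

def not_blocked(entry):
    """Requests the web server did not answer with 403, so they reached WordPress."""
    return sum(n for status, n in entry["statuses"].items() if status != 403)

if __name__ == "__main__":
    stats = summarize_login_posts(SAMPLE)
    for ua in distributed_agents(stats):
        e = stats[ua]
        print(ua, len(e["ips"]), dict(e["statuses"]), not_blocked(e))
```

Run against the real access log, a non-zero `not_blocked` count after the rewrite rule was added means some requests with that agent string are still reaching the login handler.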

    Hey @webmasterfreya,

    Ah, yes. If it’s not able to make it to the WordPress PHP application level, Wordfence can’t record it.

    I’ll be sure to share the Manual User Approve and Buddypress plugins with them for testing. I’ll install them on my site too. If we can track the particular plugin(s) interfering, it’ll help with creating a better flow on our end.

    Please let us know if anything else comes up.

    Thanks,

    Gerroald

  • The topic ‘Blocked user names doesn’t work for certain http_user_agent’ is closed to new replies.