• Resolved mountainguy2

    (@mountainguy2)


    Just a friendly suggestion from a heavy WF user.

    I noticed I was being attacked by bots on various URLs for the file setup-config.php so I set up a honey trap using the “Immediately Block URL” in Wordfence Options.

    As far as I can tell from reading the WordPress Codex, setup-config.php is only used for new WordPress installs; it’s thus what I’d call vestigial (and incidentally is an example of another aspect of WordPress that unnecessarily attracts bots and uses up bandwidth).

    Setup-config.php exists in most WordPress installs as /wp-admin/setup-config.php, so for the most effective honey trap, FTP into your WordPress install’s /wp-admin/ folder and rename the pesky bot attractor to something like /wp-admin/setup-config-renamed0986789.php, then add the following to your Wordfence “Immediately Block URLs” and watch the fun via your Wordfence “Blocked” list. (The attacks I’m getting include URLs with more folders-directories than just one, so the following has up to three steps to catch all the attacks.)

    /*/setup-config.php
    /*/*/setup-config.php
    /*/*/*/setup-config.php

    Remember that due to the way Wordfence works, if a URL for a file exists the “Block URL” won’t function. Hence, the renaming of setup-config.php.
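
Added example, not part of the original post and not Wordfence code: a Python script that applies the three patterns above to web-server access-log lines and counts which client IPs requested a trap URL. It assumes each `*` matches exactly one path segment (as the post's three-pattern list implies) and the combined log format; the function names, log lines and IP addresses are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The three "Immediately Block URLs" patterns listed in the post.
TRAP_PATTERNS = [
    "/*/setup-config.php",
    "/*/*/setup-config.php",
    "/*/*/*/setup-config.php",
]

def compile_trap(pattern):
    # Assumption: each "*" stands for exactly one path segment (no "/").
    literal_parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "[^/]+".join(literal_parts) + "$")

TRAPS = [compile_trap(p) for p in TRAP_PATTERNS]

# Combined log format: client IP first, request line inside double quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>\S+)[^"]*" \d{3}'
)

def trap_hits(lines):
    """Return a Counter mapping client IP -> requests that matched a trap URL."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        path = urlsplit(m.group("target")).path  # drop any ?query string
        if any(t.match(path) for t in TRAPS):
            hits[m.group("ip")] += 1
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 403 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /blog/wp-admin/setup-config.php?step=1 HTTP/1.1" 403 0',
    '198.51.100.23 - - [01/Jan/2024:10:05:00 +0000] "GET /old/site/wp-admin/setup-config.php HTTP/1.1" 403 0',
    # Renamed file from the post: must not count as a trap hit.
    '192.0.2.10 - - [01/Jan/2024:10:06:00 +0000] "GET /wp-admin/setup-config-renamed0986789.php HTTP/1.1" 200 512',
    # No directory before the file name: none of the three patterns covers this.
    '192.0.2.44 - - [01/Jan/2024:10:07:00 +0000] "GET /setup-config.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, count in trap_hits(SAMPLE_LOG).most_common():
        print(ip, count)
```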

Viewing 4 replies - 1 through 4 (of 4 total)
  • Great tip, MTN – thanks!

    Thread Starter mountainguy2

    (@mountainguy2)

    I’ve been watching my bot attacks pretty closely as my server is always on the verge of getting more expensive due to needing more bandwidth, so I’ve got a financial incentive. I have a theory that due to the prevalence of Wordfence and various forms of blocking, the WordPress attack botters are getting desperate and throwing a lot more random stuff out there to see what will stick. If we all do our part, if millions of us do proactive bot blocking as well as Wordfence constantly upping their game, I’d hope the bandwidth used by useless bots will gradually diminish.

    For example, I’ve noticed that since Wordfence implemented their IP blacklist, my blocked attack URLs list has been reduced by about half. It was a very noticeable change.

    One thing Wordfence and WordPress could do is start addressing the problem of standardized WordPress attack vectors such as xml-rpc.php, setup-config.php and wp-login.php. If they came up with a programmatic way of hiding all those things from bots, enabled by a simple mouse click of a checkbox in Wordfence, the world would be a much much better place.

    MTN

    Thread Starter mountainguy2

    (@mountainguy2)

    Today, more attacks on setup-config.php. I researched and it’s said that WordPress version 3.3.1 and prior indeed was vulnerable to some sort of hack using this file. Of course all of us here are well past that version in our upgrades, but it’s interesting nonetheless to see how the hackers are always botting around for older versions of WordPress they can compromise. The point of my attention to this is that it’s always good to block a bot, no matter what, as you never know what they’re going to attack next. Oh, and as the experts say, always run the latest version. MTN

    That’s interesting, @mountainguy2. Thanks for sharing this!

  • The topic ‘Fun with Bots’ is closed to new replies.