• Resolved lrnarasimhan

    (@lrnarasimhan)


    I am getting a lot of accesses to invalid php files on my single owner/poster blog. If I set /*.php in “Immediately block IPs that access these URLs” will I block myself from posting, maintaining, and/or otherwise using the site?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi @lrnarasimhan,

    You run the risk of accidentally blocking yourself from your own site.

    It would be better to block specific pages instead of all .php pages.

    You might get blocked when you access admin-ajax.php, which is commonly accessed within the dashboard of wp-admin.

    Dave

    Thread Starter lrnarasimhan

    (@lrnarasimhan)

    Thanks, that was what I was worried about. Unfortunately, they keep coming up with random php filenames. I will avoid the global php block as you suggested.

    Hi again,

    What I can recommend is changing your Rate Limiting settings.

    1. Go to Wordfence -> All Options -> Rate Limiting
    2. Change "If a crawler's pages not found" to "10 per minute then block it"
    3. Change "If a human's pages not found" to "10 per minute then block it"
    4. Change "How long is an IP address blocked" to "6 hours"

    For example: https://i.imgur.com/n5XVqus.png

    You can change these settings around, and they should block the bots that make these random PHP page visits (which will likely result in a 404).

    Dave
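
    What the rate-limiting settings above do in practice, as an added example that is not from this thread and is not Wordfence's code: a sliding-window model of "pages not found per minute then block it", replayed over constructed traffic. The threshold semantics, the block duration handling and the sample IPs and timestamps are all assumptions of this example. It shows a fast scanner tripping a 10-per-minute rule, a bot that sends only a few 404s every quarter hour staying under it, and what lowering the threshold does to both.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set, Tuple

Event = Tuple[str, datetime, int, str]  # (client IP, timestamp, HTTP status, request path)


class NotFoundRateLimiter:
    """Simplified model of a 'pages not found per minute then block it' rule.

    Assumption for this example: 404s per IP are counted in a sliding window and
    the IP is blocked for `block_for` once the count reaches `threshold`.
    Wordfence's own implementation is not reproduced here."""

    def __init__(self, threshold: int = 10, window: timedelta = timedelta(minutes=1),
                 block_for: timedelta = timedelta(hours=6)) -> None:
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self._not_found: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.blocked_until: Dict[str, datetime] = {}

    def is_blocked(self, ip: str, now: datetime) -> bool:
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def observe(self, ip: str, now: datetime, status: int) -> bool:
        """Record one response. Returns True if the request should be refused."""
        if self.is_blocked(ip, now):
            return True
        if status != 404:
            return False
        hits = self._not_found[ip]
        hits.append(now)
        while hits and now - hits[0] > self.window:   # forget 404s outside the window
            hits.popleft()
        if len(hits) >= self.threshold:
            self.blocked_until[ip] = now + self.block_for
            hits.clear()
            return True
        return False


def burst(ip: str, start: datetime, count: int, spacing: timedelta, status: int = 404) -> List[Event]:
    """Constructed traffic: `count` requests from `ip`, `spacing` apart."""
    return [(ip, start + i * spacing, status, f"/probe{i}.php") for i in range(count)]


T0 = datetime(2024, 3, 1, 10, 0, 0)

# Constructed sample traffic, not real log data. Addresses come from the
# RFC 5737 documentation ranges.
EVENTS: List[Event] = (
    burst("203.0.113.10", T0, 12, timedelta(seconds=2))             # fast scanner: 12 x 404 in 22 s
    + [e for k in range(4)                                           # slow bot: 4 x 404 every 15 min
       for e in burst("198.51.100.7", T0 + k * timedelta(minutes=15), 4, timedelta(seconds=3))]
    + burst("192.0.2.55", T0, 30, timedelta(seconds=1), status=200)  # the site owner, all 200s
)


def run(threshold: int = 10, events: Iterable[Event] = EVENTS) -> Dict[str, object]:
    """Replay events in time order; report who got blocked and how many requests were refused."""
    limiter = NotFoundRateLimiter(threshold=threshold)
    refused = 0
    for ip, ts, status, _path in sorted(events, key=lambda e: e[1]):
        if limiter.observe(ip, ts, status):
            refused += 1
    blocked: Set[str] = set(limiter.blocked_until)
    return {"blocked": blocked, "refused": refused}


if __name__ == "__main__":
    for threshold in (10, 4):
        result = run(threshold)
        print(f"threshold={threshold:2}: blocked={sorted(result['blocked'])} refused={result['refused']}")
```

    With the 10-per-minute rule only the fast scanner is blocked; the slow bot never has ten 404s inside any one-minute window, so in this sample the threshold has to drop to 4 before it is caught, and at that level a real visitor who mistypes a few URLs in a row would be caught too. That trade-off is why a rate limit and a list of specific blocked URLs complement each other rather than replace each other.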

    Thread Starter lrnarasimhan

    (@lrnarasimhan)

    Thank you, I’ve played with these a bit but these are not rapid attacks – they happen in bursts, a few at a time. They don’t trip these sensors. I will periodically trawl the logs for 404s and manually block the offenders.

    Hi, most of the criminal attack bots hit lots and lots of file names. That’s a weakness, as you can trap them by placing a list of common attack vectors in the “Immediately block URLs” list in Wordfence (see All Options). I spent some time tuning this, but it’s been running pretty much on its own now for many months, resulting in a ton of blocks. Below is an _EXAMPLE_ of the sorts of stuff one might place on the list. DO NOT COPY-PASTE, AS SOME OF MY ITEMS MIGHT RESULT IN FALSE POSITIVES. MTN

    /-----NOTE-url-must-not-exist-on-server
    /-----NOTE-dots-periods-for-suffix-not-substituted-by-wildcard
    /-----NOTE-all-case-sensitive-no-thanks-wordfence
    /author/*//wp-login.php
    /author/*/wp-login.php
    /author/*/wp-login.php*
    /*/*login=go%21&H=
    /*/*/*login=go%21&H=
    /administrator/*
    /administrator/index.php
    /administrator
    /administrator/
    /*/administrator/*
    /admin
    /admin/
    /admin/*
    /Admin/*
    /admin.php
    /adminzone
    /wp-login
    /*/wp-login
    /*/wp-login.php
    /*/*/wp-login.php
    /wp-login.php*
    /login.html
    /login
    /*/node/add
    /node/add
    /*/*/ckeditor-for-wordpress/*
    /*/ckeditor-for-wordpress/*
    /dev/*
    /deV/*
    /Dev/*
    /data/*
    /data/*/*
    /.git/*/
    /*/*/thecartpress/*
    /*/thecartpress/*
    /wp-content/*/*/a-a.css
    /a-a.css
    /wp-content/*/*/gallery-plugin.php
    /gallery-plugin.php
    /whitehat
    /plugins/lim4wp/editor_plugin.js
    /*/plugins/lim4wp/editor_plugin.js
    /*/plugins/xerte-online/logo.png
    /user-photo/admin.css
    /*/plugins/user-photo/admin.css
    /*/mac-dock-gallery/bugslist.txt
    /*/*/mac-dock-gallery/bugslist.txt
    /*/*/*/destination.php
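
    The pattern behaviour this thread turns on, as an added example that is not part of the original thread and is not Wordfence's code: Dave's warning that /*.php would catch admin-ajax.php, and the wildcard, case-sensitivity and exact-match details MTN's list relies on (his /admin/* next to /Admin/*, his /*/wp-login.php next to /wp-login.php*). It models a blocklist entry as a case-sensitive glob in which "*" matches any run of characters including "/", and it matches the whole request URI. That model, the excerpt of MTN's list and the constructed request paths are assumptions of the example, not a description of Wordfence's real matching engine.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Simplified model of an "Immediately block IPs that access these URLs" entry.

    Assumption for this example (not Wordfence's real matcher):
      - '*' matches any run of characters, including '/'
      - everything else is literal and case-sensitive
      - the whole request URI must match (no implicit prefix or suffix match)
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


def first_match(request_uri: str, patterns: Iterable[str]) -> Optional[str]:
    """Return the first blocklist entry that matches the URI, or None."""
    for pattern in patterns:
        if pattern_to_regex(pattern).match(request_uri):
            return pattern
    return None


def classify(request_uris: Iterable[str], patterns: List[str]) -> Dict[str, Optional[str]]:
    """Map each URI to the entry that would block it (None = not blocked)."""
    return {uri: first_match(uri, patterns) for uri in request_uris}


def self_lockout(patterns: List[str], legit_uris: Iterable[str]) -> List[Tuple[str, str]]:
    """Legitimate requests the list would block, i.e. the ways you lock yourself out."""
    locked_out = []
    for uri in legit_uris:
        hit = first_match(uri, patterns)
        if hit is not None:
            locked_out.append((uri, hit))
    return locked_out


# Constructed request paths a single-owner WordPress site serves to its owner.
LEGIT_REQUESTS = [
    "/",
    "/2024/03/a-post/",
    "/feed/",
    "/wp-admin/",
    "/wp-admin/admin-ajax.php",
    "/wp-admin/post-new.php",
    "/wp-login.php",
    "/wp-content/themes/twentytwentyfour/style.css",
]

# Constructed probes of the kind the thread describes (paths that do not exist here).
ATTACK_REQUESTS = [
    "/administrator/index.php",
    "/old/wp-login.php",
    "/Admin/login.php",
    "/author/1/wp-login.php",
    "/wp-content/plugins/user-photo/admin.css",
    "/.git/config",
]

# An excerpt of MTN's list, kept in his order; the first matching entry wins here.
MTN_EXCERPT = [
    "/author/*/wp-login.php",
    "/administrator/*",
    "/administrator",
    "/admin",
    "/admin/*",
    "/Admin/*",
    "/wp-login",
    "/*/wp-login.php",
    "/wp-login.php*",
    "/login",
    "/.git/*/",
    "/*/plugins/user-photo/admin.css",
]

if __name__ == "__main__":
    print("/*.php would block the owner on:", self_lockout(["/*.php"], LEGIT_REQUESTS))
    print("MTN excerpt would block the owner on:", self_lockout(MTN_EXCERPT, LEGIT_REQUESTS))
    for uri, hit in classify(ATTACK_REQUESTS, MTN_EXCERPT).items():
        print(f"{uri:45} -> {hit}")
```

    Run against the legitimate paths, /*.php catches admin-ajax.php, post-new.php and wp-login.php, which is the lockout Dave describes. The excerpt of MTN's list still catches the standard /wp-login.php, which is consistent with his note that an entry must be a URL that does not exist on your server and with his warning not to paste the list blindly. Under this model /admin/* does not match /Admin/login.php, which is why his list carries both spellings, and /.git/*/ does not match /.git/config because of its trailing slash; whether the real plugin behaves the same on those two points is not established by this thread, so treat the script as a way to review a candidate list against your own access log before enabling it, not as a statement about Wordfence.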

    Thread Starter lrnarasimhan

    (@lrnarasimhan)

    This is very helpful, thank you. I do see some of the same attacks on my site. I’ll use this as a guide to blocking (and I won’t blindly copy/paste, per your suggestion).

  • The topic ‘Should I block anyone/bot that accesses a php file on my site?’ is closed to new replies.