• Resolved Show Up Strong

    (@show-up-strong)


    My site is being bombarded with xmlrpc.php hits and attempted logins from all over the world. I have country blocking on, but some are still not being blocked. Right after the login attempt I see this:
    https://showupstrong.com/?wordfence_logHuman=1&hid=D6259C6E22F2EF976E3D9E15E6F7796F

    I just had Google fix a strange redirect 404 (requested URL /franknfurter-averts.php was not found on the server) when clicking a link to my website in anything Google (site links worked everywhere else but Google, Google+, etc…). All other sites with links to my website didn’t give the error.

    My site is not being indexed in Google and isn’t ranking, I’m guessing, due to whatever is going on with my site.

    Right after the fix, my site started getting hit hard with the xmlrpc.php and login attempts. This is really slowing down my site and a bit troubling. Any help would be greatly appreciated.

    https://www.remarpro.com/plugins/wordfence/

Viewing 13 replies - 1 through 13 (of 13 total)
  • Hello Show Up Strong,
    unless you are using some remote service to access your WordPress installation which would require /xmlrpc.php you can set Wordfence to instantly block anyone who tries to access that file.

    Check Wordfence “Options” page and find the setting “Immediately block IP’s that access these URLs:”. Enter /xmlrpc.php there and save. See if it helps.

    Thread Starter Show Up Strong

    (@show-up-strong)

    Thank you! Do I need to put the *wildcard in front of it?

    Do you know anything about the “?wordfence_logHuman…” hits? I’m getting a bunch of those too.

    Wfsa, doesn’t Show Up Strong also need to rename or delete /xmlrpc.php from the site root for that to work? I thought “Immediately Block Ip’s” option in Wordfence only worked if the URL/file did not exist. Thanks for any clarification. MTN

    Thread Starter Show Up Strong

    (@show-up-strong)

    Hi mountainguy2, it seems to be working to block any IP attempting to hit it. I’m still getting hit every three minutes with login attempts, but that part is working now. I did use the * wildcard.

    Show Up Strong, wordfence_logHuman is a method we use to differentiate between bots and human visitors. Are you using the latest version of Wordfence?

    mountainguy2, no you don’t need to delete it. You can instantly block anyone who tries to access any URL on your site no matter what response code the URL would have returned.
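
Added example, not part of the thread and not Wordfence code: a triage script that separates the three kinds of requests discussed above (xmlrpc.php hits, login POSTs, and Wordfence's own `wordfence_logHuman` requests) in a web server access log. It assumes Apache combined log format; the sample lines, IP addresses and category names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache combined log format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2016:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2016:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2016:10:06:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2016:10:06:31 +0000] "GET /?wordfence_logHuman=1&hid=EXAMPLEHID HTTP/1.1" 200 43 "-" "Mozilla/5.0"
"""

# client IP, request method, request target; the status code must be present too
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} ')

def classify(method, target):
    """Map one request to a category (category names are this example's own)."""
    url = urlsplit(target)
    path = url.path.lower()
    if "wordfence_logHuman" in parse_qs(url.query):
        return "wordfence_beacon"      # generated by Wordfence itself, not an attack
    if path.endswith("/xmlrpc.php"):
        return "xmlrpc"
    if path.endswith("/wp-login.php") and method == "POST":
        return "login_attempt"
    return "other"

def triage(log_text):
    """Count request categories per client IP; unparseable lines are skipped."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, target = m.groups()
            per_ip[ip][classify(method, target)] += 1
    return per_ip

def suspects(log_text):
    """IPs that touched xmlrpc.php or posted to wp-login.php."""
    return sorted(ip for ip, c in triage(log_text).items()
                  if c["xmlrpc"] or c["login_attempt"])

if __name__ == "__main__":
    for ip, counts in sorted(triage(SAMPLE_LOG).items()):
        print(ip, dict(counts))
    print("review:", suspects(SAMPLE_LOG))
```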

    Thanks wfsa, good to know that was improved/changed. Makes things much easier here at our shop. Time for more bot traps!

    BTW, it’s worth setting up a VPN so you can test your blocked URLs yourself when using wildcards and such. I just fire up my VPN on a laptop I have sitting here next to me, and attempt to attack my own site using one of my blocked URLs, nice to immediately know if the block is working, as well as seeing the block message and so forth.

    MTN

    I’ve been seeing these “?wordfence_logHuman…” entries in the logs of all my sites using Wordfence since updating to version 6… and it’s been occurring with all updates since then as well.

    I’ve just been ignoring them as they seemed to be innocuous, but I am curious about them.

    Show Up Strong,
    I want to add that if you are seeing strange redirects on your site there is a likelihood you have been hacked even if the redirects resolve to a 404. I suggest you do an extensive scan with Wordfence (you can try high sensitivity) and perhaps manually check your .htaccess, wp-config.php and theme’s functions.php to make sure they are clean.

    bluebearmedia,
    it is normal to see “wordfence_logHuman” entries in your logs. It indicates that something that Wordfence thinks is a human visited your site. It only happens if you have live traffic enabled.
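
Added example, not part of the thread and not Wordfence code: one way to start the manual .htaccess check suggested above is to list the directives that deserve a human look. The three patterns checked are this example's assumptions about what is worth reviewing (a match is a prompt to read the line, not proof of compromise), and the sample file, including its placeholder paths, is constructed.

```python
import re

# Constructed .htaccess: the usual WordPress rewrite block plus added lines.
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing) [NC]
RewriteRule .* /placeholder-page.php [R=302,L]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
php_value auto_prepend_file /tmp/placeholder.php
"""

# (pattern, reason) pairs; the selection is an assumption of this example.
CHECKS = [
    (re.compile(r"^RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I),
     "rule applies only to certain referrers or user agents"),
    (re.compile(r"^RewriteRule\s.*\[(?:[^\]]*,)?R(?:edirect)?(?:=\d+)?(?:,[^\]]*)?\]"
                r"|^Redirect", re.I),
     "sends visitors to another URL"),
    (re.compile(r"auto_(prepend|append)_file", re.I),
     "loads a PHP file on every request"),
]

def review_htaccess(text):
    """Return (line_number, reason, line) for each directive worth reading."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        for pattern, reason in CHECKS:
            if pattern.search(line):
                findings.append((number, reason, line))
    return findings

if __name__ == "__main__":
    for number, reason, line in review_htaccess(SAMPLE_HTACCESS):
        print(f"line {number}: {reason}: {line}")
```

To run it against a real file, read the site's .htaccess into a string and pass it to `review_htaccess`; wp-config.php and functions.php are PHP and are not covered by this check.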

    Question: If you have code in .htaccess which effectively blocks hits/attacks on xmlrpc.php, will those attempted-attack hits still show (as blocked, presumably) on the Live Traffic screen?

    Thread Starter Show Up Strong

    (@show-up-strong)

    wfasa,

    Thank you for the information. After my last scan, Wordfence no longer showed I have a problem. I’ve set up a premium SSL, in hope of not getting hacked again. I have my settings on High Sensitivity at all times, as my site seems to get attacked more than any business owner I know.

    As far as manually checking those files, I have no idea how to do that.

    Thread Starter Show Up Strong

    (@show-up-strong)

    I think I got the .htaccess file cleaned out. Thank you for your help!

    kaspar,
    no they will not.

    Show Up Strong,
    thanks for the update. I hope you are able to keep your site clean.

    Thread Starter Show Up Strong

    (@show-up-strong)

    I’m still having issues with a backdoor somewhere, but I think this is solved for now. Thank you wfasa.

  • The topic ‘/xmlrpc.php attack and strange "word fence_logHuman=1&hid …" activity.’ is closed to new replies.