Forum Replies Created

Viewing 9 replies - 1 through 9 (of 9 total)
  • P.S. Before Google Bot hit it, there was a suspicious hit from the Digital Ocean servers that are famous for hacking attempts (all over the world).

    Amsterdam, Netherlands visited https://sitename/?LSCWP_CTRL=before_cache
    08.04.2020 18:01:03 (11 minutes ago)
    IP: 206.189.100.139 Hostname: 206.189.100.139
    Browser: undefined
    LiteSpeed-Image/2.9.6

    I have noticed the same thing from Google Bot just today:

    visited https://SITENAME/?LSCWP_CTRL=before_optm
    08.04.2020 18:01:11 (5 minutes ago)
    IP: 66.249.93.20 Hostname: google-proxy-66-249-93-20.google.com
    Browser: Chrome version 0.0 running on Linux
    Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36 Chrome-Lighthouse

    As it never happened before, I realize it's caused by the LiteSpeed Cache plugin, which I installed a week ago.

    Basically, I made a decision to remove this plugin after that.

    Hey @icks13
    You may try to modify your .htaccess file with this:

    # Deny SQL injection
    RewriteCond %{query_string} concat.*\( [NC,OR]
    RewriteCond %{query_string} union.*select.*\( [NC,OR]
    RewriteCond %{query_string} union.*all.*select [NC]
    RewriteRule ^(.*)$ index.php [F,L]

    So you may check how it goes with Wordfence and SQL injection after.

    Additionally, I have these commands in my .htaccess:

    # Block access to PHP files
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
    RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
    RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

    # Block wp-includes folder and files
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

    # Block 64x links
    Options +FollowSymLinks -Indexes
    RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC]
    # Rule added so the two conditions above do not run on into the TRACE block below
    RewriteRule ^ - [F,L]

    # Deny Http headers reading
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

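    # Deny access to all .htaccess files
    # (Apache 2.2 access syntax; Apache 2.4 needs mod_access_compat for it, or use "Require all denied")
    <files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </files>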

    Thread Starter Wadham

    (@panascanic)

    Hi @wfgerald

    Well, I have installed another website today which totally kills the idea of “self blocking on a server level”.

    I have installed Wordfence, activated a few settings and Live Traffic as well.
    The list of blocked IPs was empty, and later on I got the same issue; here is a screenshot.

    Thread Starter Wadham

    (@panascanic)

    This screenshot shows that wordfence_syncAttackData= appears randomly.

    Which might prove that “IP blocking” is not the reason here.

    • This reply was modified 5 years, 1 month ago by Wadham.
    Thread Starter Wadham

    (@panascanic)

    Hey @wfgerald,

    You’re not actually looking for the IP of the site, but rather the server.

    It's shared WP hosting, where one IP is dedicated to many websites.
    So, if I have blacklisted one which belongs to a server (not to a website – which is a bit weird…), this issue should happen all the time. But it's not so.

    The “attack” issue doesn't appear when:
    – bots crawl a website
    – bots try to access wp-login, theme folder etc.

    It appears ONLY when a user browses the website, but sometimes it doesn't appear at all. Which means there is no connection with the “blocked IP of server”: if it blocks, then it happens constantly, and if the blocked IP of the own server and the /?wordfence_syncAttackData= error go together, it should appear with every other user, but it's not so.

    • This reply was modified 5 years, 1 month ago by Wadham.
    Thread Starter Wadham

    (@panascanic)

    Thanks for the reply @wfgerald,

    and shouldn’t be creating actual pages to be indexed

    But all those URLs I have attached here
    are from Google Search Console – all of them have been indexed by Google, so I had to delete them from Google's index afterwards; that was actually a screenshot of URLs for deletion.

    – If you visit the URLs what do you see?

    As far as I remember: nothing or just a redirect to the home page, can't say for sure; I got rid of this problem a few months ago.

    Can you ask your host what your server IP
    I have checked the IP of my website within the blocking rules – no, I didn't block the IP of a website for sure.

    But I have a long list of:
    Immediately block IPs that access these URLs

    I have created one according to annoying requests I have noticed in Live Traffic.

    And more related to this:

    Can you ask your host what your server IP is then using the filter in Live Traffic to see if it’s been blocked for some reason?

    I see this issue ?wordfence_syncAttackData=157 when a random client visits my website – today I have noticed that it doesn't appear every time, but I can't get the reason why. For example, screenshots of 3 different visitors:

    Two of them show this issue with ?wordfence_syncAttackData=157 and one doesn't have this error.

    • This reply was modified 5 years, 1 month ago by Wadham.

    You are welcome. I'm not a geek either; that's something I have learnt over a period of time when some guys were trying to hack a website I have created.

    Yes, Wordfence must detect SQL injections correctly. But this thing with the .htaccess file is a kind of REcheck when all is checked. What's more, there are probably some vulnerabilities in Wordfence as well; maybe they are hard to find and implement. So the .htaccess file is still a free option to be more secure.

    In my case some guys were trying to reach xmlrpc.php for like 3 months. It's a well-known issue with WP connected with xmlrpc.php, which lets you post from phones. Since I don't need this option, the first thing I did (when I noticed requests to this file) was google what it is for. After I deleted this file (I zipped it before, so in case of any issue I'm able to extract it), the website was just fine, so I have kept it like that.

    So, basically, instead of those “many many ways” to hack WP, they use about 5-10 very common ones. Most of them I have covered with .htaccess.

    https://yadi.sk/i/EFxcY2EtElUGbw

    Such a funny and everyday issue as attempts to get to wp-login.php I have covered with WPS Hide Login. In order to log in correctly one needs to know the right URL
    like https://www.cnn.com/anotherfunnystory23youhavetoknow – only after that does one get to the WP-Login window.

    I have added the “wp-login” request as a rule in Wordfence to be banned – just to imitate that it's covered by Wordfence, but it's not so.

    Another not harmful but annoying thing was many attempts to find the name of the WP folder on the hosting server.

    https://yadi.sk/i/nHVhCYEcPk7f3Q

    Even though there is a pattern, Browser: undefined, I couldn't block it via a Wordfence rule. But I have cut it via another .htaccess rule.

    And I keep backing up my website every week, and its database as well. So even if it's hacked – I'll erase it and reinstall it in 20 min.

    P.S. www.remarpro.com moderators – please change your patterns of identifying text connected with Hacks, WP Issue and other words. Because this forum will never be used to post some useful things about hacking, so why would you even try to cut some text for personal moderation later on?? Unless you have plenty of time and an illusion of control.

    • This reply was modified 5 years, 1 month ago by Wadham.

    Personally I use the right commands in the .htaccess file + Wordfence, which used to be OK for a long time.

    .htaccess line

    # Deny SQL injection
    RewriteCond %{query_string} concat.*\( [NC,OR]
    RewriteCond %{query_string} union.*select.*\( [NC,OR]
    RewriteCond %{query_string} union.*all.*select [NC]
    RewriteRule ^(.*)$ index.php [F,L]

    and some additional:

    # Block wp-includes folder and files
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

    # Block 64x links
    Options +FollowSymLinks -Indexes
    RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC]
    # Rule added so the two conditions above do not run on into the TRACE block below
    RewriteRule ^ - [F,L]

    # Deny Http headers reading
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

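    # Deny access to all .htaccess files
    # (Apache 2.2 access syntax; Apache 2.4 needs mod_access_compat for it, or use "Require all denied")
    <files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </files>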

    • This reply was modified 5 years, 1 month ago by Wadham.
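
An added check, not part of the original replies and not Wordfence or LiteSpeed code: before deploying query-string filters like the ones quoted above, replay them against query strings the site legitimately receives. The Python sketch below copies the five RewriteCond patterns from the posts and runs them over constructed sample query strings; the rule names and the samples are assumptions made for illustration.

```python
import re

# RewriteCond patterns copied from the .htaccess snippets in the replies above.
# mod_rewrite applies them as unanchored searches on the raw QUERY_STRING;
# the [NC] flag corresponds to re.IGNORECASE.
RULES = [
    ("sqli-concat", r"concat.*\(", re.I),
    ("sqli-union-select-paren", r"union.*select.*\(", re.I),
    ("sqli-union-all-select", r"union.*all.*select", re.I),
    ("base64-encode", r"base64_encode[^(]*\([^)]*\)", 0),   # no [NC] on the page
    ("script-tag", r"(<|%3C)([^s]*s)+cript.*(>|%3E)", re.I),
]
COMPILED = [(name, re.compile(pattern, flags)) for name, pattern, flags in RULES]


def matching_rules(query_string):
    """Names of the rules that would answer this query string with 403."""
    return [name for name, rx in COMPILED if rx.search(query_string)]


# Constructed samples (not taken from the thread's logs), labelled by intent.
SAMPLES = [
    ("benign", "s=credit+union+staff+all+select+a+branch"),
    ("benign", "s=how+to+concatenate+strings+(php)"),
    ("benign", "p=42&preview=true"),
    ("benign", "LSCWP_CTRL=before_optm"),
    ("hostile", "id=1+UNION+ALL+SELECT+1,2"),
    ("hostile", "q=%3Cscript%3Ex%3C/script%3E"),
]


def false_positives(samples):
    """Benign query strings that the rules would block, with the rules that fired."""
    return [(qs, matching_rules(qs)) for label, qs in samples
            if label == "benign" and matching_rules(qs)]


def blocked_hostile(samples):
    """Hostile query strings that the rules do block."""
    return [qs for label, qs in samples if label == "hostile" and matching_rules(qs)]


if __name__ == "__main__":
    for qs, hits in false_positives(SAMPLES):
        print("legitimate request would get 403:", qs, "->", ", ".join(hits))
    for qs in blocked_hostile(SAMPLES):
        print("blocked as intended:", qs)
```

Feeding it query strings exported from the site's own access log, instead of the constructed samples, shows which legitimate searches the filters would turn into 403 responses.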