Increased attack speed

  • Resolved WWW_Marieke

    (@www_marieke)


    4 years, 7 months ago

    Hi!

    I get a lot of emails about Increased attack speed for all my websites:

    http://www.whatawonderfulwedding.nl
    http://www.whatawonderfulday.nl
    http://www.whatawonderfulchristmas.nl
    http://www.despelletjesvrienden.nl

    Example email:

    De Wordfence webapplicatie firewall blokkeerde 116 aanvallen de laatste 10 minuten. Hieronder een voorbeeld van de laatste aanvallen:oktober 20, 2021 7:52am  161.35.84.229 (Nederland)     Geblokkeerd voor LFI: Local File Inclusion in bericht body: 0 = /home/654937.cloudwaysapps.com/mzrjuhbaee/public_html/wp-includes/js/jquery/jquery.min.js
oktober 20, 2021 7:52am  161.35.84.229 (Nederland)     Geblokkeerd voor LFI: Local File Inclusion in bericht body: 0 = /home/654937.cloudwaysapps.com/mzrjuhbaee/public_html/wp-includes/js/jquery/jquery.min.js
oktober 20, 2021 7:52am  161.35.84.229 (Nederland)     Geblokkeerd voor LFI: Local File Inclusion in bericht body: 0 = /home/654937.cloudwaysapps.com/mzrjuhbaee/public_html/wp-includes/js/jquery/jquery.min.js
oktober 20, 2021 7:52am  161.35.84.229 (Nederland)     Geblokkeerd voor LFI: Local File Inclusion in bericht body: 0 = /home/654937.cloudwaysapps.com/mzrjuhbaee/public_html/wp-includes/js/jquery/jquery.min.js
oktober 20, 2021 7:52am  161.35.84.229 (Nederland)     Geblokkeerd voor LFI: Local File Inclusion in bericht body: 0 = /home/654937.cloudwaysapps.com/mzrjuhbaee/public_html/wp-includes/js/jquery/jquery.min.js
oktober 20, 2021 7:52am  161.35.84.229 (Nederland)     Geblokkeerd voor LFI: Local File Inclusion in bericht body: 0 = /home/654937.cloudwaysapps.com/mzrjuhbaee/public_html/wp-includes/js/jquery/jquery.min.js
oktober 20, 2021 7:52am  161.35.84.229 (Nederland)     Geblokkeerd voor LFI: Local File Inclusion in bericht body: 0 = /home/654937.cloudwaysapps.com/mzrjuhbaee/public_html/wp-includes/js/jquery/jquery.min.js
oktober 20, 2021 7:52am  161.35.84.229 (Nederland)     Geblokkeerd voor LFI: Local File Inclusion in bericht body: 0 = /home/654937.cloudwaysapps.com/mzrjuhbaee/public_html/wp-includes/js/jquery/jquery.min.js
oktober 20, 2021 7:52am  161.35.84.229 (Nederland)     Geblokkeerd voor LFI: Local File Inclusion in bericht body: 0 = /home/654937.cloudwaysapps.com/mzrjuhbaee/public_html/wp-includes/js/jquery/jquery.min.js
oktober 20, 2021 7:52am  161.35.84.229 (Nederland)     Geblokkeerd voor LFI: Local File Inclusion in bericht body: 0 = /home/654937.cloudwaysapps.com/mzrjuhbaee/public_html/wp-includes/js/jquery/jquery.min.js

    I tried to find the sollution on this forum, but I couldn’t figure it out. I also contacted my server company (Cloudways) and they said:

    We have looked into the server load history and can see that there is not any attack on your websites but the excessive load comes from the huge amount of admin ajax requests. You can see the IP you are getting in wordfence is the server IP XXXXXX to which the ajax requests are associated.

    We believe this notices generated by Wordfence are false positive since these following files requested “wp-includes/js/jquery/jquery.min.js” are a part of WordPress Core files.
    In this case, we highly suggest checking if there is a way to exclude these files from alerts in Wordfence.

    It would be necessary to help reducing these False Positive results from Wordfence itself.

    Could you help me with this?

    Kind regards,
    Marieke

    The page I need help with: [log in to see the link]

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support WFAdam

    (@wfadam)

    4 years, 7 months ago

    Hello @www_marieke and thanks for reaching out to us!

    These ajax calls can happen from a large number of blocks hitting the site or even potentially the site might be running a scan and blocking requests. A diagnostic might help me troubleshoot the issue for you.

    Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

    Thanks again!

    Thread Starter WWW_Marieke

    (@www_marieke)

    4 years, 7 months ago

    Hi,

    Thank you so much!!

    I did send the reports for all 4 websites:
    http://www.whatawonderfulwedding.nl
    http://www.whatawonderfulday.nl
    http://www.whatawonderfulchristmas.nl
    http://www.despelletjesvrienden.nl

    Also, Cloudways (my hosting) did send me this this morning:

    “Also, the requests on “wp-includes/js/jquery/jquery.min.js” looks to be connected to “/wp-json/complianz/v1/banner/?lang=nl&locale=nl_NL&token=sqzxo” This would also cause issues on high load on the server.”

    Thanks again!

    Kind regards,
    Marieke

    Stretl

    (@stretl)

    4 years, 7 months ago

    Hi,
    I have the same problem
    The Wordfence Web Application Firewall has blocked 140 attacks over the last 10 minutes. Below is a sample of these recent attacks:October 22, 2021 3:32pm 2a01:238:20a:641:100:0:48:6 (Germany) Blocked for LFI: Local File Inclusion in POST body: 0 = /mnt/web008/d0/95/52059695/htdocs/Travelchannel/wp-includes/js/jquery/jquery.min.js…
    for my blog https://blog.myvideomedia.com and my website myvideomedia.com shall I send a diagnostic report too?

    Plugin Support WFAdam

    (@wfadam)

    4 years, 6 months ago

    Sorry for the delay @www_marieke

    I think I see what is causing the JQuery hits. It looks like you have WP Rocket running, which I have seen these LFI errors on before.

    Enable Learning Mode for a few days to correct this issue.

    From the Wordfence Dashboard click on Manage WAF. Then you will see Basic Firewall Options > Web Application Firewall Status. Change the option to Learning Mode.

    Let me know if this corrects the issues!

    @stretl As per forum guidelines below, could you please open your own topic and we would be glad to assist you:
    “Unless users have the exact same version of WordPress on the same physical server hosted by the same hosts with the same plugins, theme, and configurations, then the odds are the solution for one user will not be the same for another. For this reason, we recommend people start their own topics.”

    Thanks again!

    Stretl

    (@stretl)

    4 years, 6 months ago

    Sorry, as I couldn’t see the versions and I thought it was a general issue. However, it disappeared in the meantime. ( I also have WP Rocket running and installed the latest update)

    Plugin Support WFAdam

    (@wfadam)

    4 years, 6 months ago

    Thanks for the update @stretl – Glad its working!

    Thread Starter WWW_Marieke

    (@www_marieke)

    4 years, 6 months ago

    @wfadam It disappeared over here too! I updated WP Rocket and Complianz (Cloudways, my hosting, send me this: “Also, the requests on “wp-includes/js/jquery/jquery.min.js” looks to be connected to “/wp-json/complianz/v1/banner/?lang=nl&locale=nl_NL&token=sqzxo” This would also cause issues on high load on the server.”

    So maybe it was a problem with one of those plugins?

    Kind regards,
    Marieke

Viewing 7 replies - 1 through 7 (of 7 total)

The topic ‘Increased attack speed’ is closed to new replies.