• hack attempts?

    I get several queries like this daily. This, to me, is obviously probing for the easy hacks that Wordfence blocks. Should I be concerned about getting these IPs blocked as they probe like this or rest assured that they aren’t getting anywhere by doing so?

    If I need to be worried, what rules do I need to set so that this type of behavior is blocked?

    Thank you.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Long time Wordfence user here…

    You can use a plug-in like WPS Hide Login to create a custom dashboard page URL instead of the WP default of wp-login, then use Wordfence option “Immediately block IPs that access these URLs:” to block IPs trying to probe for it.

    • This reply was modified 9 years, 6 months ago by bluebearmedia.

    In my experience (not associated with Wordfence, but I do a lot of work with WordPress/Wordfence), it’s wise to watch your bot traffic and customize Wordfence so you’re blocking as much as possible. That way if you get a surge in bot traffic it’s less likely to use so much bandwidth that you end up with a de facto DoS attack that shuts down your site due to a bandwidth limit, or ends up costing more money.

    In my case, I’ve found that once I fine-tune, I then set up the blocking interval to be 48 hours or more, which is quite effective.

    As Bluebear says, the first step is to cure the defective WordPress login URL by using WPS Hide Login to make a secret login URL, then block the probes. While you’re in the “Immediately block IPs” dialog, practice using wildcards etc.

    Further, I block quite a few URLs that the bots tend to attack, over a hundred, actually. The idea behind this is that many bots attack multiple URLs; if you can have one URL that stops that bot, it’ll be much less likely to find a vulnerability, and it’ll use less of your bandwidth. Following are some examples from my “Immediately Block” list. This is stuff Wordfence should be blocking by default if it’s an attack vector, or at least providing a more automated way to get these into a list. Not sure why they do not, but whatever, at least they provide a way for us end users to do it.

    /wp-login
    /*/wp-login
    /wp-login.php
    /*/wp-login.php
    /wp-login.php*
    /login.html
    /login
    /author/*//wp-login.php
    /administrator/index.php
    /administrator
    /administrator/
    /*/node/add
    /node/add
    /*/*/ckeditor-for-wordpress/*
    /*/ckeditor-for-wordpress/*
    /*/*/thecartpress/*
    /*/thecartpress/*
    /data/wallet.dat
    /wp-content/*/*/a-a.css
    /a-a.css
    /wp-content/*/*/gallery-plugin.php
    /gallery-plugin.php
    /whitehat
    /plugins/lim4wp/editor_plugin.js
    /*/plugins/lim4wp/editor_plugin.js
    /xerte-online/logo.png
    /*/plugins/xerte-online/logo.png
    /user-photo/admin.css
    /*/plugins/user-photo/admin.css
    /*/mac-dock-gallery/bugslist.txt
    /*/*/mac-dock-gallery/bugslist.txt
    /MySQLDumper
    /*/*/*/destination.php
    /front-end-upload/destination.php
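
An added example (not part of the thread and not Wordfence code): a dry run of a few of the patterns listed above against access-log lines, to see which IPs a rule would catch and to spot false positives before adding it. It assumes `*` matches any run of characters and that the whole request URL, query string included, must match, which may differ from Wordfence's own matcher; the log lines and IPs are constructed.

```python
import re
from collections import defaultdict

# Subset of the block list from the post above.
PATTERNS = [
    "/wp-login.php*",
    "/*/wp-login.php",
    "/administrator",
    "/data/wallet.dat",
    "/*/plugins/user-photo/admin.css",
    "/MySQLDumper",
]

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php?action=register HTTP/1.1" 404 512 "-" "bot"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 512 "-" "bot"
198.51.100.22 - - [01/Jan/2024:10:02:10 +0000] "GET /data/wallet.dat HTTP/1.1" 404 512 "-" "bot"
192.0.2.15 - - [01/Jan/2024:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 8043 "-" "Mozilla/5.0"
192.0.2.15 - - [01/Jan/2024:10:03:05 +0000] "GET /administrator-guide/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:[A-Z]+) (\S+) [^"]*"')

def compile_pattern(pattern):
    """Assumption: '*' matches any run of characters, everything else is
    literal, and the pattern must cover the whole request URL."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body)

def find_probes(log_text, patterns=PATTERNS):
    """Return {ip: [(url, matching_pattern), ...]} for requests a rule would catch."""
    compiled = [(p, compile_pattern(p)) for p in patterns]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, url = m.groups()
        for pattern, rx in compiled:
            if rx.fullmatch(url):
                hits[ip].append((url, pattern))
                break  # the first matching rule is enough to trigger a block
    return dict(hits)

if __name__ == "__main__":
    for ip, matches in find_probes(SAMPLE_LOG).items():
        for url, pattern in matches:
            print(f"{ip} would be blocked: {url} (rule {pattern})")
```

The last sample line shows why the exact rule `/administrator` does not catch a legitimate page such as `/administrator-guide/`, whereas a rule written as `/administrator*` would under the same assumption.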

    Thread Starter Joe

    (@joecole1)

    Thank you, this was an extremely helpful post!


The topic ‘Obvious Probing’ is closed to new replies.