ElviraKate
Forum Replies Created
Thanks from me too. I have just broken my wrist 🙁 so fiddling around with WP plug-ins is no fun right now. I’ll hold on and hope that everything works out. And will keep subscribed to this thread, so please everyone – especially Daniel! – say if you find any security problems arising from it.
Well, this isn’t any good, is it? Can anyone recommend another slider plug-in?
Hi wfann – it’s not resolved, in fact, but I don’t have time to spend on it for the next few weeks. FWIW I think the CPU usage is better since the tweaks, but the number of faults is as large. It may be an optimisation question, but I can’t do that right now. As long as the sites are working!
thanks to you and the Mountain Man for your help.
Hi wfalaa, thank you for this. In fact the attacks on xml-rpc are always just one at a time. They don’t bother me as much as the wp-login.php ones. Yes, all the hits got a 503 response – but that doesn’t stop the server complaining.
I just long for the dear old days of simple html. I still have a couple of sites working that date back well over ten years, they don’t look brilliant on phone screens but they do a very simple job and no-one ever attacks them….
I shall have to consider Premium Wordfence, though the charities I’ve made the sites for can’t really afford it. It does seem not only grossly unfair but deeply stupid that a site that has absolutely no financial assets whatsoever should be so relentlessly attacked.
heigho, onwards and upwards. Thank you again for your engagement.
Thank you again for your response – I understand now. I’ve blocked it on the server, but am afraid that it’s likely it was a one-off use of that particular IP, don’t you think? I have now designated a larger block, putting 1-255 for the last number, which shouldn’t I hope block anyone legit. But all this seems like stable doors and unlimited supplies of bolting horses…
Interestingly, we have comments disabled, no trackbacks or pingbacks, and my shared hosting provider has disabled the phpmail facility anyway, so I haven’t noticed anything targeting those files.
I haven’t encountered a Wordfence error message. I’ll have a look here to see what it does.
I’d thought about blocking countries – but we are, though small, also international, and I wouldn’t want to block anyone legitimate.
Thank you again for all your help. Off to research xmlrpc and error messages….
Hi all – I already had ‘immediately lock out invalid usernames’ checked, and I have login failures blocked after 3 attempts. It doesn’t seem to stop them having four goes (plus a go at /xmlrpc.php). But the CPU usage has massively dropped since adding mountainguy’s suggestions. I can’t thank you enough!
One thing I noticed today, though, was a ‘struts’ attack, but it doesn’t seem to have upset the CPU nor did it manage to get through my or my hosting provider’s security. Keeping my fingers crossed and hoping for a bit of peace and quiet now!
Kate
Fantastic, thank you. Will have a go!
Thank you, mountainguy, that’s really helpful. I’m now looking at the ‘failed requests’ in CPanel’s ‘analog stats’ to get an idea of what I could block. Is that the right place to look? Can I just cut-and-paste your list as well?
Is there any way to block the login requests while letting in the legitimate users (there are only three of us!)?
regards
Hi, I sent in all the logs and scans to [email protected] (attn Wfyann) before the weekend. Did you get them?
regards
OK, thanks very much for helping. I have two sites which behave slightly differently. Neither has ‘scan files outside WP’ ticked.
I can’t paste screenshots here, there doesn’t seem to be an option to upload images. Have I missed something? I do see, though, that there are many more cronjobs than I thought there would be, and that one site has more than the other, although WF is configured the same, and the site that has more features neither posts nor comments. I’ve enabled debugging and will send you the scan logs tomorrow. So far, though, this is what has been happening on the first (fewer cronjobs) site in the last few days:
[Apr 03 00:23:27:1491175407.901479:1:info] Scheduled Wordfence scan starting at Monday 3rd of April 2017 12:23:27 AM
[didn’t complete]
[Apr 03 07:10:10:1491199810.099242:1:info] Scheduled Wordfence scan starting at Monday 3rd of April 2017 07:10:10 AM
[Apr 03 13:00:13:1491220813.032734:1:info] Scheduled Wordfence scan starting at Monday 3rd of April 2017 01:00:13 PM
[Apr 04 08:08:27:1491289707.637843:1:info] Scheduled Wordfence scan starting at Tuesday 4th of April 2017 08:08:27 AM
[Apr 04 08:11:01:1491289861.080705:1:info] Scan Complete. Scanned 2025 files, 5 plugins, 2 themes, 64 pages, 0 comments and 27868 records in 2 minutes 30 seconds.
[Apr 04 20:27:26:1491334046.650243:1:info] Scheduled Wordfence scan starting at Tuesday 4th of April 2017 08:27:26 PM
[Apr 04 20:29:25:1491334165.205375:1:info] Scan Complete. Scanned 2025 files, 5 plugins, 2 themes, 64 pages, 0 comments and 28143 records in 1 minute 55 seconds
[Apr 05 01:45:15:1491353115.069025:1:info] Scheduled Wordfence scan starting at Wednesday 5th of April 2017 01:45:15 AM
[Apr 05 01:47:44:1491353264.037868:1:info] Scan Complete. Scanned 2025 files, 5 plugins, 2 themes, 64 pages, 0 comments and 28357 records in 2 minutes 25 seconds.
Am finding this all very confusing! Sorry!
Live Traffic View is disabled and has never been activated on either site. Low resource scanning is enabled.
I forgot to mention that I have two sites with WF installed. One seems to work less intensely than the other, but it is a bit smaller (130MB, the other is 190MB). The larger one generates a high fault count and uses a lot more CPU.
I’m puzzled by the scan intervals and the number of files mentioned. For a start the timestamp is an hour out (still on GMT), secondly the intervals are odd – on one site the April 1st scan was at 22.09, April 2 at 18.43, April 3 at 18.14; on the other the April 1st scan was at 6.57, April 2 at 00.47, April 3 at 00.25, with two more scans apparently scheduled but not run, at 7.10 and 13.00. Is this expected behaviour?
And is it usual to scan up to 3900 or so files, plus hundreds of additional files? I didn’t think there were that many in the folders!
I’m just concerned that the slightly larger site seems to hit the CPU limit consistently while scanning, while the other doesn’t. I’ll leave the attempted logins for another time till I’ve sorted this CPU problem out.
Images etc is already unchecked, I’ve excluded pdfs, but other than images I don’t have any other non-WP files. Are there any other obvious file-types or folders I can exclude? The problem is not that the scans take a long time, they don’t – they just hammer away, at intervals that are much smaller than 24 hours. Why would they do that?
Also, I reset the firewall settings to block IPs that attempt logins more than 3 times, the program doesn’t recognise this and only stops them after 5 attempts. This isn’t really important, just a bit annoying – and goes to ramp up CPU usage as well.
Any ideas as to what might have gone wrong and how I can fix it?
OK, thanks very much for this, here we go:
Server API: GoodSite: CGI/FastCGI; BadSite: the same
Loaded Configuration File: GoodSite: /opt/alt/php70/etc; BadSite: /opt/cpanel/ea-php71/root/etc
PHP Version: GoodSite: 7.0.17 BadSite: 7.1.3
cURL Support: GoodSite: 7.36.0 BadSite: Fail
cURL Information: can’t find this for either site.
Lightbulb moment! I changed the PHP version to 7.0.17 and cURL Support appeared, and I was able to download the Firewall rules without problem.
It just takes an expert to know where to look! Thank you HUGELY.
with very best wishes
Kate