IvanRF

I checked and the error log does not have corresponding logs for those times and tons of attempts.

It’s definitely something with GoDaddy. Tired of seeing 500 errors with xmlrpc.php, I disabled it and added a “Deny from all” for that file in .htaccess. In my test server I got the 403 forbidden response, but in GoDaddy server the response is 404 Not Found. Now, the hack attempts cause 404 and 503 response codes.

David, I know what the options mean.

However, WordPress is moving all plugins/themes translations to translate.ww.wp.xz.cn and all those files go to “/wp-content/languages/”. If a user selects to exclude plugins and themes from backups, those files should be excluded too.

Am I clear with the concept? I’m not talking about paths in the server, but the concept of plugins and themes files.

By chance, I was in my host cPanel and a lot of Entry Processes appeared. Then, all my resources went to Red. I checked the log and there was one IP doing a DDoS attack:

91.207.158.91 - - [04/Oct/2015:17:12:11 -0700] "GET /wp-includes/pomo/?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 500 68288 "-" "-"
91.207.158.91 - - [04/Oct/2015:17:12:12 -0700] "GET /wso.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 500 68272 "-" "-"
91.207.158.91 - - [04/Oct/2015:17:12:32 -0700] "GET /info.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 500 276 "-" "-"
91.207.158.91 - - [04/Oct/2015:17:12:36 -0700] "GET /wp-content/218.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 500 276 "-" "-"
91.207.158.91 - - [04/Oct/2015:17:12:37 -0700] "GET /wp-content/lib.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 500 276 "-" "-"
...

Again, from their first attempt they got a 500 code. However, they were still eating my resources.

Wordfence was not able to block this, surely because my host was in the middle (I guess). I had to manually block the IP in my server. Unfortunately, I disable Live Traffic so I can’t say if Wordfence logged something.

If I try to log in through WordPress interface, the log differ a bit. However, I do see the login attempt in the Dashboard.

So, maybe they tried ‘administrator’ with an empty password through code (not UI).

Then, if the cause was that, since I have the option “Immediately lock out invalid usernames” selected, that attempt should have been blocked and not listed in the Dashboard. I mean, they used an invalid username.

I’ve just sent you the token

I use an absolute path on browserconfig.xml. At least, now I know I’m not crazy :). I will search where to inform this Microsoft Edge bug. Thanks!

Here is an screen-shot of the Dashboard report.

Also, I didn’t receive a mail “User locked out from signing in” from that IP. I got tons of mails from users locked out but none from that last IP.

Based on the log that I sent, do you think this is an Edge bug?

It’s trying to get an image on the wrong URL.