-
A good reason not to use Wordpress
I have a WordPress blog on my server. Most of the time it just sits there not doing much. Fine. But lately the server has been slowing down noticeably.
The reason for this is bots from all over the world trying to exploit XMLRPC calls. While it's not unique to WordPress sites, they're a ripe target for this kind of attack.
So, you say, you keep your WordPress up to date along with all the plugins, but these hack attempts eat bandwidth you could be using to serve your site to customers.
I've had a fail2ban system set up for a while to try & nip this in the bud but the bots still keep coming & slowing down the server. They're mostly from Eastern Europe, China & Russia. It's got to the point where I'm considering taking the blog down so I'm no longer a target.
Any thoughts? Over to you...
-
My first thought would be to change server, as surely it's the server's firewall letting these bots in?
Scott.
SC Events |
Facebook
Professional Conference & AV Services, Corporate Entertainment, Equipment Hire and DJs
-
fail2ban is being used in conjunction with the server's firewall.
If a client makes too many incorrect requests it gets banned.
Three strikes & they're out!
Hunky dory, except when the remote bots hammer the system for up to half an hour with thousands of requests per minute. It's not quite a DDoS attack but makes things lag badly.
If I'm to keep the blog I think it has to move.
Or I could just try a new firewall rule...
And all this is ignoring the sheer volume of bots trying to get in as root, access stuff which I don't even have like cpanel, phpmyadmin...
Last edited by Nakatomi; 23-04-2015 at 09:58 AM.
-
Originally Posted by
SC Events
My first thought would be to change server, as surely it's the server's firewall letting these bots in?
It's actually quite difficult to correctly identify a bot. There is a good chance that they are sending a valid useragent string, identifying it as valid IE/Chrome etc.
Potentially you could block the IP address as each request comes in, but from experience, IPs are probably fake and keep changing, so it would be an endless attack.
Again, some bots you wish to allow access, google/bing etc.
-
Originally Posted by
fullcontact68
It's actually quite difficult to correctly identify a bot. There is a good chance that they are sending a valid useragent string, identifying it as valid IE/Chrome etc.
Potentially you could block the IP address as each request comes in, but from experience, IPs are probably fake and keep changing, so it would be an endless attack.
Again, some bots you wish to allow access, google/bing etc.
For most of the traffic my server sees it's actually very easy to spot the evil bots looking for holes. Xmlrpc ones are a dead giveaway, as are ones looking for phpmyadmin, CGI exploits etc.
All the repeated access attempts come from the same IP address. I block them after 3 attempts but they still keep trying which eats bandwidth. Then the next one comes along using a different IP...
I still compile abuse reports & send them to ISPS but a fat lot of good that does.
It's not until you have your own internet facing server that you realise what a scummy place it is out there. My server is nothing & yet has to cope with dictionary password attacks over SSH, FTP.. all day every day.. All just to make my server a cog in their nefarious machine.
Last edited by Nakatomi; 23-04-2015 at 10:11 AM.
-
Web Guru
And if you know you don't want or need XML-RPC at all, disable it completely: https://cm.org.uk/wordpress/how-to-p...ingback-abuse/
I'd personally use the .htaccess method...
-
No, this is a load of bots hammering my server trying to do xmlrpc calls with a post method. I counted over a thousand in a minute at lunchtime.
Thankfully the server host got on top of it for me & blocked them. The server firewall wasn't working because the IP addresses were spoofed.
As for a 'better' host, if I'd gone for just single hosting I'd be filtered by them already. But me being a cheapskate.... Hosting 3 sites for less than a tenner with the option to host even more. It doesn't take that much looking after.
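A detection pass over web-server access logs that implements the "three strikes" idea from earlier in the thread for POST requests to xmlrpc.php, added here as an example in Python (not code posted by anyone in this thread). The Apache combined log format, the 3-request threshold and the 60-second window are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format (assumed); timestamps look like 23/Apr/2015:13:02:11 +0100
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def xmlrpc_bursts(lines, threshold=3, window_s=60):
    """Map each client IP to the largest number of POST /xmlrpc.php requests it made
    inside any window_s-second sliding window; only IPs reaching threshold are returned.
    threshold=3 mirrors the 'three strikes' fail2ban policy described in the thread."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent xmlrpc POSTs
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # unparseable line: skip rather than crash
        ip, ts, method, path, _status = rec
        if method != "POST" or path.split("?")[0] != "/xmlrpc.php":
            continue                # only the xmlrpc POST pattern the thread complains about
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # drop requests that fell out of the window
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

# Constructed sample log lines: one IP hammers xmlrpc.php, one is an ordinary page
# view, one sends a single xmlrpc POST (e.g. a legitimate pingback) and is not flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Apr/2015:13:02:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Apr/2015:13:02:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [23/Apr/2015:13:02:03 +0100] "GET /index.php HTTP/1.1" 200 9301 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Apr/2015:13:02:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Apr/2015:13:02:04 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [23/Apr/2015:13:02:05 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Apr/2015:13:05:00 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in sorted(xmlrpc_bursts(SAMPLE_LOG).items()):
        print(f"{ip}: {n} POST /xmlrpc.php requests within 60s -> candidate for a firewall ban")
```

The sliding window is what separates a single pingback from the thousand-a-minute bursts described above; a fail2ban jail with the same threshold and findtime would act on the same IPs.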
-
Originally Posted by
Marc J
Problem is it won't stop these idiots trying. Much more of this lark & I'm signing up for cloudflare. I didn't even know about that, so thanks!