499 error GET wp-login.php errors in logs

You are running under a Nginx web-server..
499 is used by Nginx to tell you that the client closed the connection before the web-serve could manage to respond. Which is in itself unusual.

It could be that the client is ACTUALLY closing, or that you have separate security in front of your web-server that catches the attacks and closes the back-end connection to your site. All depending on your configuration.

If front-end security is setup correctly though, your web-server should never even see a connection. I do it that way myself. I do NOT want to even waste time “talking” to these hacker-bots, so I simply slam the door (close the connection) on them with no other response. (Same method I use on Tele-Marketers when they call. 🙂 )

On why NGinx has to be restarted/rebooted, something in your site is stopping your NGinx server from closing the connection probably. Back-end processing in NGinx, a plugin or even WordFence logging that haven’t happened yet, MemCached not responding (if used), got stuck waiting on the DB server, …, … An endless list of things could slow down your server’s response the the remote closure. Need to be debugged.

If the brute force attack comes in fast enough, the server can end up using up all it’s available TCP connections, and hence cannot respond anymore. No more free rooms (connection entries) at the inn.

If you do a ‘netstat’ or ‘netstat -a’ from the command line, you will likely see all these open connections.

Watch the State column.. If the TCP State is ‘CLOSE_WAIT’, that means that the remote end sent a FIN to close the connection, but your operating system is waiting for your local process (Nginx I assume for now) to close it before the records can be freed up.

Depending on how many available connections are configured, you can as mentioned run out of space for new connections, and you will see that as no response from the server.

One of the ways to take down a web server if it cannot respond and clean up fast enough. 🙂

Hi @jlee2027,

Indeed, the error code (499) indicates that the client closed the connection before the web server managed to respond.

Now there are several possible reasons why this is happening.

It could be something upstream closing the connection; but it could also be caused by the server being too slow to respond or some configuration issue.

In all cases I strongly advise you get in touch with your hosting provider so they can further investigate and identify the cause of this behaviour.

Hi @jlee2027,

Thanks for the feedback.

In case it applies you could use the “Block IP’s who send POST requests with blank User-Agent and Referer“ feature (Wordfence -> Options -> Other Options section).

Also if you identify a pattern in the User-Agent you could block requests with such User-Agent by specifying it in the “User-Agent (browser) that matches” field (Wordfence -> Blocking -> Advanced Blocking).

Let me know if this helps.