Title: Amazon hammering WP REST API
Last modified: March 31, 2018

---

# Amazon hammering WP REST API

 *  Resolved [Wendihihihi](https://wordpress.org/support/users/wendihihihi/)
 * (@wendihihihi)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/amazon-hammering-wp-rest-api/)
 * I’m getting lots of blocked access to WP REST API in the WP Edition log files
   with Amazon’s IP address. Should I just whitelist this IP address or is there
   a chance that someone’s using Amazon’s IP address trying to get in?

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/amazon-hammering-wp-rest-api/#post-10133461)
 * Do you have any plugins that could be using the API? Jetpack or similar plugins?
   Is it always the same IP (you can try to check its reverse DNS to get its hostname)?
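
The reverse DNS check suggested in the reply above, extended with a forward-confirmation step, as an added example that is not part of the original thread. `verify_client`, the `expected_suffixes` parameter and `crawler.example.net` are hypothetical names chosen for illustration.

```python
import ipaddress
import socket


def reverse_lookup(ip):
    """PTR lookup: return the hostname for ip, or None if there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def forward_lookup(hostname):
    """A/AAAA lookup: return the set of addresses the hostname resolves to."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except OSError:
        return set()
    # Drop any IPv6 zone suffix ("%eth0") so the address parses cleanly.
    return {info[4][0].split("%")[0] for info in infos}


def verify_client(ip, expected_suffixes, reverse=reverse_lookup, forward=forward_lookup):
    """Classify ip as 'verified', 'generic-host', 'ptr-not-confirmed' or 'no-ptr'."""
    addr = ipaddress.ip_address(ip)
    host = reverse(ip)
    if not host:
        return ("no-ptr", None)
    host = host.rstrip(".").lower()
    # Whoever controls the IP controls its PTR record, so the name only counts
    # if it also resolves back to the same address.
    if addr not in {ipaddress.ip_address(a) for a in forward(host)}:
        return ("ptr-not-confirmed", host)
    if any(host == s or host.endswith("." + s) for s in expected_suffixes):
        return ("verified", host)
    # A provider's generic instance hostname names the hosting company,
    # not whoever is renting the machine: no basis for whitelisting.
    return ("generic-host", host)


if __name__ == "__main__":
    import sys
    # Assumption: crawler.example.net stands in for a service you expect.
    for ip in sys.argv[1:]:
        print(ip, *verify_client(ip, ["crawler.example.net"]))
```

Only a `verified` result ties the address to a named service; a `generic-host` result is the expected outcome for a rented cloud instance and says nothing about who is operating it.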
 *  [Okoth1](https://wordpress.org/support/users/okoth1/)
 * (@okoth1)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/amazon-hammering-wp-rest-api/#post-10135074)
 * –
    -  This reply was modified 8 years, 2 months ago by [Okoth1](https://wordpress.org/support/users/okoth1/).
      Reason: not related
 *  Thread Starter [Wendihihihi](https://wordpress.org/support/users/wendihihihi/)
 * (@wendihihihi)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/amazon-hammering-wp-rest-api/#post-10135095)
 * It’s not always the same IP.
 *     ```
       01/Apr/18 08:51:50 #1385181 HIGH – 35.168.8.49
       31/Mar/18 04:00:52 #1810593 HIGH – 52.91.121.213
       31/Mar/18 05:03:02 #1638348 HIGH – 34.237.91.130
       27/Mar/18 02:56:29 #7903347 HIGH – 34.232.66.130
       24/Mar/18 05:53:42 #3610245 HIGH – 52.86.163.5
       23/Mar/18 11:18:56 #1773979 HIGH – 54.165.6.113
       18/Mar/18 23:56:57 #4059187 HIGH – 34.224.6.191
       ```
 * All are Amazon Technologies.
 * Active plugins
 *     ```
       akismet
       all-in-one-seo-pack
       allow-php-in-posts-and-pages
       autoptimize
       banhammer
       catch-ids
       easy-noindex-and-nofollow
       lightbox-gallery
       mail-on-update
       map-categories-to-pages
       ninjafirewall
       reduce-bounce-rate
       responsive-video-embeds
       si-contact-form
       simple-wp-sitemap
       stops-core-theme-and-plugin-updates
       tablepress
       user-role-editor
       wp-youtube-lyte
       ```
 * No Jetpack installed.
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/amazon-hammering-wp-rest-api/#post-10135156)
 * Keep blocking them, I don’t see anything good in that list of IPs. There are 
   plenty of Amazon IPs used by hackers. See this NinjaFirewall’s log sample:
 *     ```
       12/Mar/18 19:44:11  #8861828  CRITICAL  1383  34.233.71.75     GET /wp-admin/admin-ajax.php - Unrestricted file upload - [GET:client_action = get_captions_css]
       13/Mar/18 09:41:17  #3882688  CRITICAL  1383  52.79.48.26      GET /wp-admin/admin-ajax.php - Unrestricted file upload - [GET:client_action = get_captions_css] 
       13/Mar/18 10:37:57  #3922335  MEDIUM     306  52.79.48.26      GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 5.01; Trident/4.1)]
       17/Mar/18 22:51:42  #8079525  MEDIUM       -  54.204.235.162   GET /wp-login.php - Blocked access to the login page - [bot detection is enabled]
       ```
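
A parser for the log layout shown in the sample above, grouping blocked requests by source address so the worst offenders stand out. This is an added example, not NinjaFirewall's own code; the field names, the severity ranking and the sample lines (documentation IP ranges, made-up incident numbers) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout as it appears in the thread:
# date time  #incident  LEVEL  rule  ip  METHOD uri - reason - [detail]
LINE = re.compile(
    r"^\s*(?P<ts>\d{2}/\w{3}/\d{2} \d{2}:\d{2}:\d{2})\s+#(?P<incident>\d+)\s+"
    r"(?P<level>[A-Z_]+)\s+(?P<rule>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<method>[A-Z]+) (?P<uri>\S+) - (?P<reason>.*?) - \[(?P<detail>.*)\]\s*$"
)
RANK = {"MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}  # assumed ordering; unknown levels rank 0

SAMPLE = """\
12/Mar/18 19:44:11  #1000001  CRITICAL  1383  203.0.113.10   GET /wp-admin/admin-ajax.php - Unrestricted file upload - [GET:client_action = get_captions_css]
13/Mar/18 09:41:17  #1000002  CRITICAL  1383  198.51.100.26  GET /wp-admin/admin-ajax.php - Unrestricted file upload - [GET:client_action = get_captions_css]
13/Mar/18 10:37:57  #1000003  MEDIUM     306  198.51.100.26  GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; MSIE 5.0)]
17/Mar/18 22:51:42  #1000004  MEDIUM       -  192.0.2.162    GET /wp-login.php - Blocked access to the login page - [bot detection is enabled]
"""


def parse(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%d/%b/%y %H:%M:%S")
            events.append(event)
    return events


def per_ip(events):
    """Aggregate hit count, worst severity and distinct block reasons per IP."""
    out = defaultdict(lambda: {"hits": 0, "worst": None, "reasons": set()})
    for e in events:
        s = out[e["ip"]]
        s["hits"] += 1
        s["reasons"].add(e["reason"])
        if s["worst"] is None or RANK.get(e["level"], 0) > RANK.get(s["worst"], 0):
            s["worst"] = e["level"]
    return dict(out)


def ranked(summary):
    """IPs ordered by worst severity, then by number of blocked requests."""
    rank = lambda ip: RANK.get(summary[ip]["worst"], 0)
    return sorted(summary, key=lambda ip: (-rank(ip), -summary[ip]["hits"], ip))
```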
   
 *  Thread Starter [Wendihihihi](https://wordpress.org/support/users/wendihihihi/)
 * (@wendihihihi)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/amazon-hammering-wp-rest-api/#post-10135234)
 * Yes, I didn’t have a good feeling about it. Thanks for the reply.
 *  Thread Starter [Wendihihihi](https://wordpress.org/support/users/wendihihihi/)
 * (@wendihihihi)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/amazon-hammering-wp-rest-api/#post-10157725)
 * Think you are right. They start using Google’s IP addresses as well.
 *     ```
       07/Apr/18 09:59:57 #3482182 CRITICAL 1 35.185.112.111 GET /index.php – Directory traversal – [GET:files = ../../../../wp-config.php]
       07/Apr/18 09:59:59 #8840135 CRITICAL 3 35.185.112.111 GET /index.php – Local file inclusion – [GET:file_link = /etc/passwd]
       07/Apr/18 10:00:01 #1602006 CRITICAL 3 35.185.112.111 GET /index.php – Local file inclusion – [GET:url = /etc/passwd]
       07/Apr/18 10:00:07 #8718888 CRITICAL 3 35.185.112.111 GET /index.php – Local file inclusion – [GET:filepath = /etc/passwd]
       07/Apr/18 10:00:08 #6950473 CRITICAL 1 35.185.112.111 GET /index.php – Directory traversal – [GET:fileName = ../../../../../../../../../../etc/passwd]
       07/Apr/18 10:00:09 #8196319 CRITICAL 1 35.185.112.111 GET /index.php – Directory traversal – [GET:filename = ../../../../../../../../../etc/passwd]
       07/Apr/18 10:00:27 #6978542 CRITICAL 1369 35.185.112.111 POST /index.php – Remote command execution – [POST:execute = wp_insert_user]
       ```
    -  This reply was modified 8 years, 2 months ago by [Wendihihihi](https://wordpress.org/support/users/wendihihihi/).
      Reason: typo


The topic ‘Amazon hammering WP REST API’ is closed to new replies.
