Wordfence Security
[resolved] Auto block by URL (11 posts)

  1. acekin
    Member
    Posted 11 months ago #

    I wonder if it would be possible, and of course beneficial, to add an option to automatically block IP numbers based on the URL they try to access. I get a lot of hits to get to:
    /mods/ckeditor/filemanager/connectors/uploadtest.html
    /wp-login.php?action=register
    /wp-login.php

    sometimes even in nonexistent folders like:
    /blogs/wp-login.php?action=register

    They are checking to see if a known vulnerability exists on the site. I believe these are known weak points, albeit a little old. But quite a nuisance to have a large number of hits with no results (that is a good thing!)

    I discovered purely by accident the other day there were over 1,200 hits from a particular IP number with a URL similar to the ones above and manually blocked it. Even after blocking it, it continued hitting so I blocked the IP at CloudFlare.com.

    I wish there was an option where we could indicate a particular URL, or several of them, that would trigger an automatic block of the IP number. It would eliminate unnecessary load on the sites and possibly reduce the risk on our sites.

    What says WordFence?

    Thanks,

    Cemal

    https://wordpress.org/plugins/wordfence/

  2. Wordfence
    Member
    Plugin Author

    Posted 11 months ago #

    Hi Cemal,

    We've had several requests for this so we'll be adding it in a future version.

    Regards,

    Mark.

  3. acekin
    Member
    Posted 11 months ago #

    That is very good to know. You and your team are most likely aware of these hacking URLs. We will welcome your suggestions in the Block by URL options as "Recommended block triggers".

    Thank you,

    Cemal

  4. acekin
    Member
    Posted 11 months ago #

    The block by URL does not seem to work on my site, I can see multiple accesses to the same URL which I specified as a trigger to block. Should the blocked IPs show in the Blocked IPs tab?

    I am going to push my luck and ask for a couple of enhancements to this feature:

    1. Instead of writing the full URL including the domain name and protocol, can we simply indicate the document they tried to access. I want to write "wp-login.php?action=register" without the domain or the folder before it. It will be simpler to enter and will be triggered with any folder or path in the full URL.
    2. Will it be too much to ask to have a text field where we enter the trigger documents one per line. Writing them comma separated in a narrow field is a bit cumbersome.

    Thanks,

    Cemal

  5. acekin
    Member
    Posted 11 months ago #

    I said that block by URL did not seem to be working on my site, but I think I detected a pattern. The IP number seems to be blocked after two attempts. I also see a pattern on the visits, they seem to wait in between attempts to bring up the same URL, sometimes by minutes, sometimes by hours. The IP number remains the same. I guess they are programming their bots too.

    Overall, I think the number of ill-hits seems to be lower.

    Thank you,

    Cemal

  6. Alergic
    Member
    Posted 11 months ago #

    Hello!
    I added the URLs to the field, but the bots still make requests for the same dead links.

    /myadmin/scripts/setup.php
    /pma/scripts/setup.php
    /phpMyAdmin/scripts/setup.php
    /zologize/axa.php
    /rom-0
    /user/soapCaller.bs

    @acekin, you highlighted everything, that's cool :)

  7. acekin
    Member
    Posted 11 months ago #

    @Alergic, you may consider using the fully qualified URL including the protocol http:// at the beginning. Although I originally reported that it was not working, then I realized that WordFence was blocking the intruder after the second attempt. There may be a technical reason for the first hit not being blocked, or it may be an oversight.

    Cemal

  8. Alergic
    Member
    Posted 11 months ago #

    Thanks Cemal, that's what I used, it's just I don't need foreign visitors on my site, they don't understand the language anyway.

    The site admin could create a folder in 'public_html' and add a link to it somewhere to be readily available for crawlers. But also add a restriction in robots.txt. And finally add that link to the Wordfence restriction rules. A crawler that doesn't obey the rules will fall into this blackhole trap.

    But the feature in Wordfence doesn't really work for the moment, bots still make dead link requests :(
    Mark, I can't upgrade to premium, but I would easily donate a small amount if such a feature would work. Maybe adding a donate button would be a good idea.

  9. acekin
    Member
    Posted 11 months ago #

    @Alergic, the URLs you wrote are not fully qualified URLs. They would look something like:
    http://www.alergic.com/myadmin/scripts/setup.php

    That said, I reduced my fully qualified URLs to just the folder/file and they appear to be "working". I used to get from one IP hundreds of page requests for the same URL, now the particular link I added gets at most two requests. I am assuming, which is not always a good thing, that Wordfence may consider the request "block-worthy" after the second hit. Not seeing the third hit may be due to delayed blocking. All this may not be true, as I said I am sticking my neck out and making an assumption.

    This feature is not, I believe, intended to replace the robots.txt file. That will be the way to tell the search engine bots not to look there. I also think the "block" Wordfence may provide will be temporary, possibly lasting minutes to break the flow of the intruder. I do not see any entries in my blocked IPs list. This feature may be better called "Request Interruptus" rather than blocked IP.

    Cemal

  10. anorris1
    Member
    Posted 9 months ago #

    Saw this was listed as resolved so probably if I make my own post

  11. proben
    Member
    Posted 9 months ago #

    Hello,

    I have the same problem.
    I'm trying to block all bots that use the "action=register" request and also "/register/". So I added the following URLs:
    /wp-login.php?action=register, http://mysite.net/wp-login.php?action=register,/register/

    but I still see bots coming to those URLs, and their IPs are not appearing in the IP blocking list.

    Thanks
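
An added example, not part of the thread and not Wordfence's code: an offline check that reads a trigger list in the mixed form quoted in the last post (full URLs and bare paths, comma or newline separated), matches it against access-log lines regardless of parent folder as requested in post 4, and counts trigger hits per client IP. The function names, the `threshold` parameter and the log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Trigger list in the comma-separated form quoted in the last post.
TRIGGERS = ("/wp-login.php?action=register, "
            "http://mysite.net/wp-login.php?action=register,/register/")

# Constructed access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2015:10:00:01 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2015:10:07:44 +0000] "GET /blogs/wp-login.php?action=register HTTP/1.1" 404 210
198.51.100.23 - - [01/Jan/2015:10:09:02 +0000] "GET /register/ HTTP/1.1" 404 210
198.51.100.23 - - [01/Jan/2015:10:09:05 +0000] "GET /about/ HTTP/1.1" 200 4096
192.0.2.55 - - [01/Jan/2015:10:11:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')

def normalize(entry):
    """Reduce a full URL or bare path to (path, set of query parameters)."""
    parts = urlsplit(entry.strip().lower())
    path = "/" + parts.path.lstrip("/")   # "wp-login.php" -> "/wp-login.php"
    return path, frozenset(p for p in parts.query.split("&") if p)

def parse_triggers(text):
    """Accept comma- or newline-separated entries; duplicates collapse."""
    return {normalize(e) for e in re.split(r"[,\n]", text) if e.strip()}

def is_trigger(target, triggers):
    """Match when the request path ends with a trigger path (any parent
    folder) and contains every query parameter the trigger names."""
    path, params = normalize(target)
    return any(path.endswith(t_path) and t_params <= params
               for t_path, t_params in triggers)

def offenders(log_text, triggers, threshold=1):
    """Return {ip: hits} for clients with at least `threshold` trigger hits."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_trigger(m.group(2), triggers):
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in sorted(offenders(SAMPLE_LOG, parse_triggers(TRIGGERS)).items()):
        print(f"{ip} {n} trigger hit(s)")
```

The plain `POST /wp-login.php` line is not counted, because the trigger names the `action=register` parameter and that request does not carry it.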
