• Hi there

    I have, with a combination of security plugins, including Wordfence (free version) & a couple of others, largely managed to prevent spammers and automated logins from getting on to the site.
    Because I have frequent login attempts, I have also set Wordfence to block every non-existent username for a day and once in a while, after looking at the list of blocked users, manually permanently block really non-existent users.

    It’s quite annoying, though, all the same, to see these attempts.
    Here is a typical example reported by Wordfence:

    User IP: 23.94.243.22
    User hostname: 23-94-243-22-host.colocrossing.com
    User location: Los Angeles, United States

    or

    User IP: 192.3.241.254
    User hostname: 192-3-241-254-host.colocrossing.com
    User location: Los Angeles, United States

    Although not all IPs show the User hostname as being related to “host.colocrossing.com” and the characters/numbers before “…host.colocrossing.com” are always changing, this name “host.colocrossing.com” appears quite frequently.

    Is it possible to block ANYTHING, i.e. whatever hostname is related to this “host.colocrossing.com” by way of .htaccess from accessing the site at all? I assume the host is exclusively associated with these automated bots which are up to no good.

    If so, I would appreciate the exact code to insert in .htaccess.

    Thank you in advance.

    • This topic was modified 5 years, 3 months ago by xprt007.
  • Xprt007,

    First, this is not a WordPress issue, it’s a security issue that should be taken up with WordFence or a WordPress Security expert.

    That being said, I will say this: most Security plugins have a Firewall system, where you can block hostnames or IP addresses. Most Firewall systems are a paid upgrade for the plugin you prefer. So, I would check with WordFence and see if they have an upgrade for a Firewall, where you can blacklist these bots.

    You could possibly change your DNS manager to Cloudflare and use their Firewall tool to blacklist IPs or domains.

    See: https://support.cloudflare.com/hc/en-us/articles/200171416-How-do-I-block-bots-and-crawlers-

    The Cloudflare network generally filters out bad bot traffic. Between Cloudflare, Jetpack, and WordFence, you should be pretty heavily armed to reduce the instance of bots trying to reach your site. But if you really need a firewall, then a paid upgrade is in order.

    You could also follow this tutorial to block in your .htaccess file:

    http://www.htaccess-guide.com/deny-visitors-by-ip-address/

    Here is a generator to add IP addresses to generate the resulting output that you can use in .htaccess:

    http://www.htaccesstools.com/block-ips/

    Here is another tutorial on blocking IP addresses or hosts in .htaccess:

    https://www.wpwhitesecurity.com/block-ip-address-htaccess-wordpress/

    • This reply was modified 5 years, 3 months ago by Tony Zeoli. Reason: add additional links

    You can block IP ranges using .htaccess file:

    # Block host.colocrossing.com
    # (Apache takes a partial IP or CIDR range here, not a "*" wildcard)
    Order Allow,Deny
    Deny from 23.94.243.0/24 192.3.241.0/24
    Allow from all

    One easy way to block unwanted IPs is to use a plugin like IP Ban.

    Even though the plugin has not been updated since 2017, it works with WP 5.0.2.

    To convert a URL to an IP, you can use the dig command. An example:
    dig someaddress.com

    https://www.rootusers.com/12-dig-command-examples-to-query-dns-in-linux/

    Thread Starter xprt007

    (@xprt007)

    Hi there

    Thank you all for your suggestions. Here is what I have to say …

    Because of limited resources and the small site in question, the paid version of Wordfence is beyond me currently, though I was considering asking them before posting here.

    I actually used Cloudflare for a couple of years until about a year ago when I was forced to change the host, because of a sudden astronomical hosting price increase and have long since taken the site to another host where this shares an account as an add-on domain. The problem is currently, the domain is still registered & hosted at this previous host. As you know, you have to use Cloudflare’s name servers, which is not possible under the current arrangement, which I am more or less forced to use for a while to come. That is what forced me to stop using Cloudflare.

    The problem with using an IP-blocking based solution is you need to have a couple of known IP addresses or specific IP-block to deal with.

    The 2 IP addresses given above are a SMALL example of thousands they keep using & which keep changing. At least that’s my observation in the Wordfence reports & alerts.

    As mentioned above, every few days, I permanently block whichever IPs Wordfence reports as having been of blocked users and I’m sure there are literally thousands I have blocked over the past year or 2, yet they keep trying to log in. Sometimes there’s no activity for a few days, other times you have a good number a day, once in a while Wordfence reports a concerted, sustained attack of attempted logins over several hours.

    The IPs are mostly from different countries & those with the host colocrossing are just an example, though it’s what has been conspicuous. Sometimes a non-existent user I will call 08u123bastard will try to log in with an IP from France and if blocked by Wordfence, the same username will immediately try again or another time or day with a Brazilian or Polish IP address, etc, etc.

    With this, I think I cannot do much, I guess, but I thought I could reduce at least the attempts containing in HOST NAME “host.colocrossing.com” whatever is appended before this and whichever of the hundreds or thousands of always changing IP addresses come with each “host.colocrossing.com” based attempt.

    So is it possible to have some .htaccess code that blocks ANY visitor/bot identified as coming from the host name host.colocrossing.com, whichever of the probably thousands of character combinations are prepended to host.colocrossing.com or whichever IP address, in whichever country is involved?

    That’s my question … or maybe there’s another solution apart from the paid Wordfence one …?

    Thank you for your help. 😉

    Block colocrossing.com (23.95.99.167).

    Thread Starter xprt007

    (@xprt007)

    Hi

    So do you mean to say in .htaccess:

    order allow,deny
    deny from colocrossing.com
    allow from all

    or

    order allow,deny
    deny from 23.95.99.167
    allow from all

    will block ALL bots like:

    User IP: 198.23.197.50
    User hostname: 198-23-197-50-host.colocrossing.com
    User location: Buffalo, United States

    User IP: 192.227.171.194
    User hostname: 192-227-171-194-host.colocrossing.com
    User location: Buffalo, United States

    User IP: 192.210.190.254
    User hostname: 192-210-190-254-host.colocrossing.com
    User location: Chicago, United States

    User IP: 107.175.247.78
    User hostname: 107-175-247-78-host.colocrossing.com
    User location: Holland, United States

    ….

    ….

    etc, etc and probably hundreds or thousands of variations of colocrossing related vermin?

    If so, although many of the locked out visiting vermin have other IPs/Host names, too many to note down or notice, even just preventing some of these colocrossing ones brings some satisfaction.

    Regards

    # CIDR range; Apache does not accept a "*" wildcard in "deny from"
    order allow,deny
    deny from 23.95.99.0/24
    allow from all
    Thread Starter xprt007

    (@xprt007)

    OK thank you very much.
    I will use it right away and report back after a while after observing Wordfence alerts.

    Best regards

    Thread Starter xprt007

    (@xprt007)

    Hi
    So this morning (local time) I noticed Wordfence has sent me these alerts in the last 15 hours in spite of this code I added right that day:

    A user with IP addr 192.227.216.151 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username ‘laurencew34167’ to try to sign in.
    The duration of the lockout is 1 day.
    User IP: 192.227.216.151
    User hostname: 192-227-216-151-host.colocrossing.com
    User location: Buffalo, United States

    A user with IP addr 23.94.226.126 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username ‘laurencew34167’ to try to sign in.
    The duration of the lockout is 1 day.
    User IP: 23.94.226.126
    User hostname: 23-94-226-126-host.colocrossing.com
    User location: Los Angeles, United States

    What more can be done to refine this?

    Regards

    • This reply was modified 5 years, 3 months ago by xprt007.
    Thread Starter xprt007

    (@xprt007)

    As you can also note, blocking IPs alone does not help much, because this bastard immediately tried logging in from another IP address. I have been ultimately blocking ALL such IPs manually permanently, but they try with new ones.

    Regards

    Just curious to know if running JetPack, which has a bot filter, helps at all?

    • This reply was modified 5 years, 3 months ago by Tony Zeoli. Reason: Fix typo
    Thread Starter xprt007

    (@xprt007)

    Hi

    I have actually used Jetpack now and then for long periods, but because of an unconnected issue or 2, I had it deactivated a while back. I do not remember Wordfence not reporting the same type of intrusions [attempted logins with non-existent passwords especially and password recovery attempts] for long, but I will re-activate now and observe if it makes a difference in general and report back after a while.

    Thank you & regards

  • The topic ‘Blocking bots from some specific hosts’ is closed to new replies.
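
The hostname-based block asked about in this thread, written out as an added example; it is not part of any post above and is not Wordfence's or WordPress's own configuration. It assumes the hosting account allows these directives in .htaccess, and the two CIDR ranges are the ones named in the thread.

```apache
# Added example: deny by reverse-DNS hostname instead of chasing single IPs.
# Assumes the host permits these directives in .htaccess
# (AllowOverride Limit for Order/Allow/Deny, AuthConfig for Require).

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        # Matches any client whose hostname is colocrossing.com or ends in
        # ".colocrossing.com", e.g. 23-94-243-22-host.colocrossing.com.
        # Apache does a double reverse DNS lookup on each client to check this.
        Require not host colocrossing.com
        # Ranges named in the thread, written as CIDR. The "23.94.243.*"
        # wildcard form is not an address syntax Apache accepts.
        Require not ip 23.94.243.0/24
        Require not ip 192.3.241.0/24
    </RequireAll>
</IfModule>

# Apache 2.2 (no mod_authz_core): same policy in the older syntax
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
    Deny from colocrossing.com
    Deny from 23.94.243.0/24 192.3.241.0/24
</IfModule>
```

The hostname rule only catches clients whose PTR record carries that domain and whose forward lookup confirms it, and it adds a DNS lookup to requests, so login attempts from other providers, as described in the later posts, still need rate limiting or lockout at the application level.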