• Resolved Bob

    (@bobroos)


    Hi,

    I have recently started using wordpress for my sites and now I’m trying out WordFence for my security.

    With one of my sites I have the problem that people, chinese websites, are linking directly to images on my old site. On the new WordPress site these images are in a different location, but these sites are now causing major slowdowns, timeouts and sometimes “process slot” errors.

    So my intent was to block these sites by hostname (Custom pattern blocking rule). I added the rule for one of these sites on the Nov.17 and the logs showed that on Nov. 18 (today :)) that hostname was still in the log with errors and from the looks of the log caused (At least) timeouts.

    My question, how does the advanced pattern blocking with Wordfence work? Am I reading the logs wrong?

    My expectation was that a next time this host would access my site Wordfence would block it and I would not see it back in the logs (perhaps once, each time the host would try, but not for every call that host would make).

    Any insight is much appreciated.
    Bob

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi @bobroos,

    Can you show me what rules you have set? Also show me the logs of the requests that are not being blocked.

    Thanks!

    Dave

    Thread Starter Bob

    (@bobroos)

    Hi Dave @wfdave,
    Thank you for answering, these are a few of the sites blocked with WordFence

    https://drive.google.com/open?id=1gStIeD-z2GXM_2xnizai7EXoLfeekW_t

    And here’s a part of the error log where one of these sites is getting a timeout

    https://drive.google.com/open?id=1S9qVmkBLcB70PpAiI55XfJuGEjiFjvW0

    But! On reading it a second time, my initial question might not be valid. I think I misread one of the sites in my log and in the Wordfence block list (stupid hostnames!). They are not the same!

    That found out now… are the settings I made correct? 🙂

    Thank you!
    Bob

    Looking at the logs, I would also add this rule:

    Blocking all refers from *yitaizh.xyz*

    So it would look like this: https://i.imgur.com/rWfrjKX.png

    Alternatively, what you can do is actually redirect old URLs to the new URLs.

    What I mean is /images/portfolio/large/*.* -> /sitewp/wp-content/gallery/portfolio/*.*

    Using .htaccess, use this rule to redirect traffic from the old URL to the new one.

    RedirectMatch 301 /images/portfolio/large/(.*) /sitewp/wp-content/gallery/portfolio//$1

    Thread Starter Bob

    (@bobroos)

    Hi Dave,
    Thank you for your answer, I will be adding the refers as well for the “Bad hosts”.

    Some of these redirects (pointing these “bad hosts” to the correct image) have been in place on the old (non-wordpress) version of the site but right now the images are scattered in different galleries (gallery/portfolio, gallery/series, gallery/<anytitle>), the .htaccess would become huge (I’m a “picture site”), so I decided to block these sites (their “illegally” hotlinking as it is anyway)

    Today one of the offending sites was back again. The site was already in WordFence blocking

    https://drive.google.com/open?id=1AoFZNvfPHncHiWXC3mEpC3X86rOhrONM

    and this is the log

    https://drive.google.com/open?id=1rnTGp486wxTSE36DEmmKuttDODoxRIJi

    This is before adding the referer block (will do so after this).

    This is back to my original question I think. How do I know that WordFence blocked this site? Judging from the log I would say it was not blocked?

    Thank you again!
    Bob

    Hiya Bob,

    You want to use the Referrer field, not the Hostname:

    View post on imgur.com

    Let me know if that works!

    Dave

    Thread Starter Bob

    (@bobroos)

    Hey Dave,

    Based on the referrer I get feedback as expected

    https://drive.google.com/open?id=1CImCpbm0uQciY_VtqDXqKGDJk2lUoqez

    WordFence detects it.

    Don’t see this site in the error log (didn’t check the access log, too much scrolling :-))

    Thank you,
    Bob

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Custom pattern blocking, how to know it’s working?’ is closed to new replies.