Firewall blocked AS8075 MICROSOFT-CORP-MSN-AS-BLOCK

  • After following one of the guides on the web

    4. Block No-Referer Requests to Plugins

    Most WordPress sites get hacked through insecure plugins. The best approach, of course, is not to install them in the first place, but you can also create a firewall rule blocking direct access to /wp-content/plugins/.

    Legitimate requests which come through your website have something along the lines of “http://yoursite.com/page” as the HTTP referer and should be allowed. You may also want to allow known good bots (such as the Google crawler) just in case they try to index something—such as an image—inside your plugins folder.

    Create the following rule:

    Field: URI Path
    Operator: contains
    Value: /wp-content/plugins/

    [AND]

    Field: Referer
    Operator: does not contain
    Value: yoursite.com (replace with your real domain)

    [AND]

    Field: Known Bots
    Operator: equals
    Value: Off

    [Action: Block]

    =================================================================================
    =================================================================================

    I’m getting blocks in Cloudflare. Can anyone see if it’s legit, and why is it connecting to the plugin…

    AS8075 MICROSOFT-CORP-MSN-AS-BLOCK
    /wp-content/plugins/bdthemes-element-pack/assets/fonts/element-pack.woff
    40.77.139.111

    AS8075 MICROSOFT-CORP-MSN-AS-BLOCK
    /wp-content/plugins/bdthemes-element-pack/assets/fonts/element-pack.ttf
    40.77.139.58

    AS8075 MICROSOFT-CORP-MSN-AS-BLOCK
    /wp-content/plugins/elementor/assets/lib/swiper/swiper.min.js
    40.77.139.15

    AS8075 MICROSOFT-CORP-MSN-AS-BLOCK
    /wp-content/plugins/elementor/assets/js/frontend-modules.min.js
    40.77.139.81

    AS8075 MICROSOFT-CORP-MSN-AS-BLOCK
    /wp-content/plugins/woocommerce/assets/js/frontend/add-to-cart-variation.min.js
    40.77.139.86

    AS8075 MICROSOFT-CORP-MSN-AS-BLOCK
    /wp-content/plugins/woocommerce/assets/js/frontend/add-to-cart.min.js
    40.77.139.36

    AS8075 MICROSOFT-CORP-MSN-AS-BLOCK
    /wp-content/plugins/jetpack/_inc/build/photon/photon.min.js
    40.77.139.86

    • This topic was modified 1 week, 2 days ago by jedimax.
  • Moderator bcworkz

    (@bcworkz)

    The Autonomous System and IPs really do belong to Microsoft. So the requests do appear to be legit. Why they are made I couldn’t say. It’s possible someone nefarious is using a Microsoft resource to do bad things without them knowing about it. But there’s nothing insecure about being able to access those resources. They’d be available to anyone visiting your site anyway.

    Hackers don’t generally request resources to see if it’s exploitable. They blindly attempt the exploit hoping it’ll work. Even though such attempts fail 99.9999% of the time, it’s still easier than first looking for exploitable resources.
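
The rule quoted in the question and the reply's point that the blocked files are ordinary public assets, worked through as an added example (not part of the thread and not Cloudflare's code). It evaluates the guide's three conditions over a few requests and groups the blocked ones by ASN and file type. The paths and AS8075 addresses are taken from the post; the Referer and Known Bots values, the other requests, and `example-plugin/upload.php` are constructed assumptions.

```python
import posixpath
from collections import Counter

SITE = "yoursite.com"  # placeholder domain, as in the quoted guide
STATIC = {".js", ".css", ".woff", ".woff2", ".ttf", ".png", ".jpg", ".svg"}

def rule_blocks(path, referer, known_bot):
    """Guide's rule: plugin path AND Referer lacks the site domain AND Known Bots is off."""
    return ("/wp-content/plugins/" in path
            and SITE not in (referer or "")
            and not known_bot)

def kind(path):
    """Classify the requested file: static asset, PHP entry point, or other."""
    ext = posixpath.splitext(path.split("?", 1)[0])[1].lower()
    if ext == ".php":
        return "php"
    return "static" if ext in STATIC else "other"

def triage(requests):
    """Count blocked requests per (ASN, file kind) so asset noise stands apart from PHP hits."""
    return Counter((asn, kind(path))
                   for asn, ip, path, referer, bot in requests
                   if rule_blocks(path, referer, bot))

FONT = "/wp-content/plugins/bdthemes-element-pack/assets/fonts/element-pack.woff"
SAMPLE = [  # (asn, ip, path, referer, known_bot)
    # Paths and IPs from the post; empty Referer and known_bot=False are assumed.
    ("AS8075", "40.77.139.111", FONT, "", False),
    ("AS8075", "40.77.139.15",
     "/wp-content/plugins/elementor/assets/lib/swiper/swiper.min.js", "", False),
    # Constructed: ordinary visitor whose browser sends the page as Referer -> allowed.
    ("AS64500", "198.51.100.20", FONT, "https://yoursite.com/page", False),
    # Constructed: request flagged as a known bot -> allowed.
    ("AS64502", "192.0.2.9",
     "/wp-content/plugins/woocommerce/assets/js/frontend/add-to-cart.min.js", "", True),
    # Constructed: direct request to a hypothetical plugin PHP file -> blocked.
    ("AS64501", "203.0.113.7", "/wp-content/plugins/example-plugin/upload.php", "", False),
]

if __name__ == "__main__":
    for (asn, what), n in sorted(triage(SAMPLE).items()):
        print(f"{asn:8} {what:7} blocked={n}")
```

Any client that fetches a plugin asset without sending a Referer matches the rule, so blocks like the AS8075 ones show up as `static` entries, separate from requests aimed at PHP files.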
