Hi Nils, I’ve been having some trouble blocking stuff with double forward slashes, so I’m sitting here testing this stuff using my VPN in case I block myself. Your solution works fine for me, in fact I’m going to leave your solution in my Wordfence Options in case I get the same kind of attack you did. So, thanks!
I tested with this URL https://www.****.com/another-page/?//mysite.com/?wordfence_logHuman=1&hid=274B1A86D9D9E151D52864CE0E3A9AB2
Without Wordfence set to block I got a 404 error.
With your solution */?wordfence_logHuman=1&hid=* placed in the Wordfence options, blocked URLs, I got blocked and was given the Wordfence blocked message.
Which reminds me, FEATURE REQUEST: Please please Wordfence I beg you to give us an easy option of using our own customized “blocked” announcement page. Your default one simply has too much information for my taste, and could also be cleaner in terms of server load if it’s being fed to thousands of bots.
MTN
Hi and thanks for testing. Interesting that you got a 404. That does not happen on my sites. If it had the attacker would have been caught by my settings to block IPs getting too many 404s. Or maybe you didn’t change “another-page” an the second “mysite” in my example URL to an existing page and to your domain name?
Sorry, didn’t realize that your “another-page” was a space filler. In any case, your expression */?wordfence_logHuman=1&hid=* worked for me and resulted in me being blocked using the Wordfence Options block URL. I’ll test your full URL again, out of curiosity. Moment. MTN
Okay, yeah, I tested a URL with your ? query string, which if coming from random sources is perhaps a vulnerability probe or something like that. My test did go to the page I linked to, without the query string doing anything I could ascertain, but perhaps it’s there for a reason. In any case, again, using your expression in the “Immediately Block URLs” does block the attempt, so thanks for sharing it.
This might be an example of yet more junk that Wordfence should be blocking by default instead of us having to re-invent the wheel?
MTN
Hi and thanks again for testning.
Recommend a VPN service if you’re serious about configuring website security. Much easier to test stuff that might get you blocked, and you get a VPN you can use while on risky coffee shop and hotel Wifi. I use Private Internet Access at around $5 a month but there are hundreds of options, including stuff you can set up for free if you have the time.
It’s fun and educational pretending you’re a criminal and attacking your own website.
MTN
OK @mountainguy2. Thanks.
Now, Wordfence support:
Sorry, I should have used a more precise headline for this thread:
Will blocking this URL interfere with Wordfence?
The reason I asked it is that the attacker used an URL containing “wordfence”. He/she must have expected to find or execute something there. And didn’t get a 404.
That made me wonder if blocking */?wordfence_logHuman=1&hid=* will interfere with Wordfence functions.
Will it?
One more question:
Can blocking visits to */?wordfence_logHuman=1&hid=* lead to other unintended consequences?
I ask because when testing to block IPs visiting URLs containing */?wordfence_logHuman=1&hid=* I can see in Wordfence Live Traffic that a seemingly legit IP (not found here https://www.abuseipdb.com) has been blocked after only three hits within a minute.
He/she came from a Google search to http://mysite.com/tag/arbetsgivare, from there to http://mysite.com/?sccss=1&ver=6e3013c445edd54619336940f8dbf6f2 (wonder why) and then to http://mysite.com/?wordfence_logHuman=1&hid=C734D9819017806032CD78A74038B2B5&r=0.6443747894372791
Hi NilsOstergren and MTN,
These URLs with wordfence_logHuman are used to help us in detecting human/bot visits, and they shouldn’t be blocked and aren’t malicious by any way.
The reason why it shows up in “Live Traffic” log maybe because of a plugin that altered the URLs structure to such relative ones.
You could block this IP just because you mentioned that “It’s known for attempting to hack WP-sites”, not for any other reason.
Thanks.
Thanks @wfalaa for clearing this up!
