Specific IP addresses not being blocked in Blacklist Manager (Plugin: All In One WP Security & Firewall)

  • Resolved CombustionCreative

    (@combustioncreative)


    I can see through Google Analytics several sites that are attacking my site. I’ve pinged those URLs (there’s no information for them under WhoIs) to discover their IP addresses. I’ve entered those IP addresses under the Blacklist Manager in all-in-one. Most of those sites are now blocked, but there are two that are still accessing my site. Can you explain to me what Blacklist Manager is doing? And secondly, is there some way to block these malicious IP addresses?
    Thanks for your help with this.

    https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

  • Thread Starter CombustionCreative

    (@combustioncreative)

    And just to clarify, the sites that have been successfully blocked are bouncing. The two that are not being blocked are NOT bouncing.
    And none of the malicious IP addresses are getting caught in the filters set up within all-in-one.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi CombustionCreative, can you share with us those IP addresses that are not getting blocked by the plugin?

    Thank you

    Thread Starter CombustionCreative

    (@combustioncreative)

    Absolutely,

    104.254.244.128
    free-social-buttons.com
    This user still getting in on 5-20-15

    82.80.221.158
    http://www.Get-Free-Traffic-Now.com
    This user still getting in on 5-20-15

    Thanks

    Plugin Author wpsolutions

    (@wpsolutions)

    Can you explain to me what Blacklist Manager is doing?

    The blacklist manager blocks IP addresses using directives in the .htaccess file.
    Double-check that your .htaccess file actually contains the IP address(es) you want to block.

    Thread Starter CombustionCreative

    (@combustioncreative)

    OK,
    This is from the .htaccess file:

    #AIOWPS_IP_BLACKLIST_START
    Order allow,deny
    Allow from all
    Deny from 104.254.244.128
    Deny from 217.23.7.144
    Deny from 78.110.60.230
    Deny from 82.80.221.158
    #AIOWPS_IP_BLACKLIST_END

    Thread Starter CombustionCreative

    (@combustioncreative)

    This morning the two IPs that were getting in had no attempts, but 217.23.7.144 got to the site without a bounce.

    Watching this with anticipation – I have 3 sites that are being spammed by free-social-buttons.com / free-share-buttons.com.

    Plugin Author wpsolutions

    (@wpsolutions)

    Which host provider are you with?
    I recommend that you ask them why the above .htaccess directives are not blocking all of the expected IP addresses on your server.

    Thread Starter CombustionCreative

    (@combustioncreative)

    OK, I believe I have found some relevant information on this problem. I found it on this link:
    https://wordpress.org/support/topic/a-non-existent-page-is-showing-up-on-my-analytics/page/4?replies=126
    Go to line 102
    Briefly, these addresses can’t be stopped by blocking the IP address, because they’re not actually coming to your site. The aim of this type of attack is to trick Google Analytics.
    Here is the explanation which I found helpful from the post cited above, courtesy of Samuel Wood (Otto), WordPress.org tech guy:

    This isn’t a WordPress specific thing. This isn’t even specific to individual WordPress plugins. Like you said, your “personal website is CodeIgniter” and you can see it there.

    Here’s a quick primer on how Google Analytics works.

    So, you get set up on GA and get a code from them. The code looks like UA-number-1 or some such thing. That number is your “account number” on GA. Now, this code and a bit of javascript go onto your webpage. Now, somebody visits your page, and their browser runs that javascript code.

    That javascript code is what “records” their visit. It makes their browser talk to Google Analytics. Specifically, it makes certain types of HTTP requests that Google records information about, and then GA displays summaries of that information to you.

    Pretty basic, right? Still with me? Okay, now, if all it is is this Javascript sending the “visit” to them, then anybody can fake that. Anybody at all. All I have to do to make your GA show false information is to send my fake information directly to GA.

    I don’t need to visit your site at all. I don’t need to run javascript at all. I just need to reproduce those HTTP requests, which are public and so anybody can see them and how they work. They’re even fairly well documented, publicly, by Google themselves.

    So, now, let’s say I’m a spammer jerk. I want to get people to see my spammy site. So, what do I do? I write a small bit of code to send thousands upon thousands of these fake requests to GA, and I simply cycle through all the UA numbers, in order, at random, whatever. I send a fake visit, with a fake referrer, and my spammy domain name. And guess what? It shows up in your Google Analytics screens.

    You see this spam like any other normal visit. Because as far as GA is concerned, it was a normal visit. All they’re recording are those HTTP requests, which normally come from the GA javascript code. But a request is a request, and making a fake one is very, very easy.

    That is what is going on. All I need is your UA number and with only a minor bit of effort I can fake a visit to your site without ever actually connecting to your site at all. That fake visit can have any domain name and any referrer in it that I choose.

    This is an attack on Google Analytics, to promote whatever site is showing up. You cannot block it on your server, because your server is not involved at all.
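
Added example, not part of the thread and not the plugin's code: one way to check the distinction described above is to compare the Blacklist Manager entries and the referrer names seen in GA against the server's own access log. The log lines are constructed for illustration, and the function name `triage` and the Apache "combined" log format are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Apache "combined" log lines for illustration; not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [20/May/2015:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
217.23.7.144 - - [20/May/2015:09:13:44 +0000] "GET / HTTP/1.1" 403 199 "-" "Mozilla/5.0"
78.110.60.230 - - [20/May/2015:09:14:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2015:09:15:10 +0000] "GET /contact HTTP/1.1" 200 2048 "http://free-share-buttons.com/" "Mozilla/5.0"
"""

# Taken from the thread: the Deny list and the referrer names reported in GA.
BLACKLISTED_IPS = ["104.254.244.128", "217.23.7.144", "78.110.60.230", "82.80.221.158"]
SPAM_DOMAINS = ["free-social-buttons.com", "free-share-buttons.com", "get-free-traffic-now.com"]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')

def triage(log_text, blacklisted_ips, spam_domains):
    """Return (ip_verdicts, referrer_hits) for one access log."""
    statuses = defaultdict(set)                       # client IP -> HTTP statuses served
    referrer_hits = {d: set() for d in spam_domains}  # domain -> client IPs that sent it
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                  # skip lines in another format
        statuses[m["ip"]].add(int(m["status"]))
        try:
            host = urlsplit(m["referer"]).hostname or ""  # "-" (no referrer) gives ""
        except ValueError:
            host = ""                                 # malformed Referer header
        for d in spam_domains:
            if host == d or host.endswith("." + d):
                referrer_hits[d].add(m["ip"])
    verdicts = {}
    for ip in blacklisted_ips:
        seen = statuses.get(ip)
        if not seen:
            verdicts[ip] = "never reached server"     # GA-only entry, or no visit in this log
        elif seen == {403}:
            verdicts[ip] = "blocked"                  # Deny directive is being enforced
        else:
            verdicts[ip] = "served"                   # Deny not applied: raise with the host
    return verdicts, {d: sorted(ips) for d, ips in referrer_hits.items()}

if __name__ == "__main__":
    ip_verdicts, hits = triage(SAMPLE_LOG, BLACKLISTED_IPS, SPAM_DOMAINS)
    print(ip_verdicts)
    print(hits)
```

A referrer domain with an empty hit list never appeared in any request to the server, which is the GA-only case described above; a domain that does list client IPs is arriving in real requests, and those are the addresses worth comparing with the Deny list.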

    Plugin Contributor mbrsolution

    (@mbrsolution)

    @combustioncreative that makes perfect sense what Samuel Wood (Otto) wrote above. In other words, any attempt to block those IP addresses in your website using this plugin will not work. I guess what you could do is ask Google if there is a way that you can alter this annoying issue and maybe they could track down the culprit?

    Thread Starter CombustionCreative

    (@combustioncreative)

    I would imagine Google is working on this.
    Sounds like the recommended solution is to simply filter out that type of information when you go into Google Analytics.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Yes, that could do it. Have you started to test your theory? Since this issue is not related to this plugin, can you mark it as resolved?

    Thank you

    I had 2 issues going on, this one along with some contact form spam. I was using a different contact form and have now changed back to my tried and trusty contact form plugin, so that’s taken care of.

    I added some filters a couple of days ago and all this nonsense is no longer appearing on my sites, no referrals showing in my reports from either free-social-buttons.com or free-share-buttons.com so it looks like this is being taken care of too.

    If anyone else is looking for some easy instructions about GA filters I found some here – https://megalytic.com/blog/how-to-filter-out-fake-referrals-and-other-google-analytics-spam.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    @ann98 thank you for sharing that great link. It is very informative and I hope that very soon Google will handle this issue for us.

    Regards

    Thread Starter CombustionCreative

    (@combustioncreative)

    Here’s more information on how to set up filters within Google Analytics to block this information:
    http://www.ohow.co/stop-the-spam-from-guardlink-org-referral-in-ga/

    Something interesting in this is the idea that changing your Analytics ID to a higher number can stop a lot of this as well:
    That information is in this link about creating a Valid Hostname filter: http://www.ohow.co/what-is-referrer-spam-how-stop-it-guide/#Valid_Hostname_Filter_Multiple

    Changing your tracking ID

    This method doesn’t exactly block Referrer Spam, but it makes your Google Analytics less visible to them. It is a good option for fresh websites.

    Since this kind of Spam usually targets UA-XXXXXXX-1 IDs, if you change your Google Analytics tracking ID for one that doesn’t end in 1, like UA-XXXXXXX-12, most of the Referrer Spam won’t reach you.

    Although there are some cases where Referrer Spam hits higher IDs, you will still be less susceptible to attacks.

    I tested this solution with good results for Ghost Referral Spam. Here is a screenshot of a test inactive Google Analytics account with 3 tracking IDs. As you can see, the only one that got hit is UA-XXXXXXXX-1; the other 2, as expected, are untouched.
