Visitor trying to see my Wordfence logs?

  • Resolved NilsOstergren

    (@nilsostergren)


    7 years, 3 months ago

    According to Wordfence: All recent hits for IP address 94.126.81.100 it hit the addresses below on my site within three seconds.

    Can anyone explain why it ended with hitting the wordfence_log-address?

    (latest hit first)
    example.com/?wordfence_logHuman=1&hid=FBBB30594DF166DB5ED5D4A7E5CB2F69&r=0.10330847639826835
    example.com/wp-json/oembed/1.0/embed?url=http%3A%2F%2Fexample.com%2F&
    example.com/wp-json/oembed/1.0/embed?url=http%3A%2F%2Fexample.com%2F
    example.com/comments/feed/
    example.com/wp-json/
    example.com/xmlrpc.php?rsd
    example.com/feed/
    example.com/xmlrpc.php
    example.com/

    Can it be that the visitor sences that I’m blocking IP:s visiting urls that contain xmlrpc and is trying to see in my logs what urls I’m blacklisting?

Viewing 5 replies - 1 through 5 (of 5 total)
  • mountainguy2

    (@mountainguy2)

    7 years, 3 months ago

    Not sure of answer, but with Wordfence being the best security plugin, and the amount of installs (millions), I’m certain that hundreds if not thousands of criminals are sitting in their dark, smoke filled rooms trying to figure out Wordfence and break it.

    Main thing here, is if you’re trying to figure out the criminal hacker mind, it’s a waste of time.

    MTN

    Thread Starter NilsOstergren

    (@nilsostergren)

    7 years, 3 months ago

    Would it be a bad idea to blacklist URLs that contain “wordfence_log”?

    Plugin Author WFMattR

    (@wfmattr)

    7 years, 3 months ago

    Hi,

    The “wordfence_logHuman” URL is a normal part of Wordfence. It is used to show which visits are humans and which are likely to be bots on the Live Traffic page, and should normally be visited only by real users. It loads in the background like .js and .css files, so they won’t see anything as it occurs.

    The other URLs hit between the first pageload and the logHuman call are normal parts of WordPress, but I don’t think they are normally loaded by every browser. The user might be using a browser extension that tries to pre-load all URLs on a page, but I’m not certain.

    -Matt R

    Thread Starter NilsOstergren

    (@nilsostergren)

    7 years, 3 months ago

    Ah, thanks. But why example.com/xmlrpc.php? I thought anyone hitting anything with xmlrpc (which I have disabled) had bad intentions.

    Plugin Author WFMattR

    (@wfmattr)

    7 years, 3 months ago

    WordPress includes a line like this in the “head” tag, so crawlers or browser extensions may pick it up:
    <link rel=”pingback” href=”http://domain.com/xmlrpc.php”&gt;

    A ‘GET’ request on xmlrpc.php is generally ok, and ‘POST’ requests might be ok, depending on the features your site uses. It does seem unusual, but a single request on that URL might not be malicious.

    -Matt R

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Visitor trying to see my Wordfence logs?’ is closed to new replies.