Block "POST //wp-login.php HTTP/1.0"?
My client received a message from her hosting service saying the site was using excessive resources (CPU) for the shared hosting environment.
Stats for 19 Oct 2015:
———————————
CPU Usage – %21.86 <—–High
MEM Usage – %0.12
Number of MySQL procs (average) – 0.51
Top Process %CPU 91.00 [php]
Top Process %CPU 90.00 [php]
Top Process %CPU 80.00 /usr/bin/php /home/ourname/public_html/index.php
They provided some lines from a log file, which showed messages like this, from the same IP, about once per second. (I’ve replaced our domain name.) They’ve blocked the IP.
/etc/httpd/domlogs/ourdomain.com:151.80.194.68 - - [19/Oct/2015:23:05:50 -0700] "POST //wp-login.php HTTP/1.0" 404 23561 "-" "-"
/etc/httpd/domlogs/ourdomain.com:151.80.194.68 - - [19/Oct/2015:23:05:51 -0700] "POST //wp-login.php HTTP/1.0" 404 27806 "-" "-"
The returned size seems to alternate between 23561 and 27806.
They suggested using the Limit Login Attempts plugin. I’ve been using WordFence for over a year, and I would think WordFence is just as good if not better, but wonder if I need to change any settings.
Also, since the path for the POST request is //wp-login.php, would it be blocked by ANY WordPress plugin?
Is WordFence able to detect and block these attacks? I’m wondering whether I should set
“Block IP’s who send POST requests with blank User-Agent and Referer”
or “Scan files outside your WordPress installation”
or any of the Firewall Rules (currently using the defaults) or Other Options.
I have Wordfence set to lock out for an hour, after 5 failed login attempts within 5 minutes. I immediately block login attempts using admin and several other obvious usernames.
In case it’s relevant, WordPress is not installed at the root level, but rather in a subdirectory, wp.
I would appreciate any suggestions you can offer. If we’d need Wordfence Premium to do it, let me know.
Thank you,
Karen
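
Added example, not part of the original post and not code from Wordfence or the hosting provider: a short Python script that tallies POSTs to wp-login.php per IP from log lines in the format quoted above, and counts how many arrived with both User-Agent and Referer blank. It collapses repeated slashes and matches the last path segment, so //wp-login.php and /wp/wp-login.php are counted alike; the sample lines, the second IP and all function names are constructed for illustration, and only IPv4 client addresses are handled.

```python
import re
from collections import Counter

# Constructed sample: two lines in the shape quoted in the post (domlog file
# prefix + Apache combined format) and one ordinary browser request.
SAMPLE = '''\
/etc/httpd/domlogs/ourdomain.com:151.80.194.68 - - [19/Oct/2015:23:05:50 -0700] "POST //wp-login.php HTTP/1.0" 404 23561 "-" "-"
/etc/httpd/domlogs/ourdomain.com:151.80.194.68 - - [19/Oct/2015:23:05:51 -0700] "POST //wp-login.php HTTP/1.0" 404 27806 "-" "-"
/etc/httpd/domlogs/ourdomain.com:203.0.113.7 - - [19/Oct/2015:23:05:52 -0700] "GET /wp/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

# Optional "file:" prefix (as added by grep), then combined log format.
LINE = re.compile(
    r'^(?:\S+:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def is_login_post(m):
    # Drop the query string and collapse "//" so odd paths still match.
    path = re.sub(r'/{2,}', '/', m['path'].split('?', 1)[0])
    return m['method'] == 'POST' and path.rsplit('/', 1)[-1] == 'wp-login.php'

def blank(value):
    # Apache logs a missing header as "-".
    return value in ('', '-')

def summarize(log_text):
    """Per-IP count of wp-login.php POSTs and of those with no UA and no Referer."""
    posts, headless = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or not is_login_post(m):
            continue
        posts[m['ip']] += 1
        if blank(m['referer']) and blank(m['agent']):
            headless[m['ip']] += 1
    return {ip: {'login_posts': n, 'blank_ua_and_referer': headless[ip]}
            for ip, n in posts.items()}

if __name__ == '__main__':
    for ip, stats in summarize(SAMPLE).items():
        print(ip, stats)
```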