• For the past several months my site has been under a barrage of attacks and been broken into despite my installing the most popular security plugins and malware scanners. Examining the visitor and error logs, most of the attacks are from Russia and China.

    This morning I saw the following in the log appended to my domain name in the format https://example.com/?XDEBUG_SESSION_START=phpstorm

    Google results show that:

    Xdebug is a PHP extension that allows debugging PHP pages remotely by using the DBGp protocol.
    - Code execution is possible through the eval or property_set xdebug commands.
    - The attacker is also able to read the content of a file using the source xdebug command.

    How does one block such attempts, short of blocking nearly every country from which such attacks are reported to originate (about everywhere on the map)?

    • This topic was modified 11 months, 1 week ago by starapple.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator t-p

    (@t-p)

    Carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    Thread Starter starapple

    (@starapple)

    I’ve read all those canned responses a dozen times. It seems those with malicious intent know WordPress so well, they get around all the posted information. I had Wordfence and other apps running when they wandered in last September.

    There has to be some way to block all non-WordPress PHP and JavaScript files.

    Then there are all these plugins cluttering the admin screen with commercial messages and sending data back to the devs.

    • This reply was modified 11 months, 1 week ago by starapple.
    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    That particular “attack” is someone rattling your doorknobs. You should ask your host to make sure that the PHP XDEBUG extension is not enabled on your site’s “stack”.
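
    A way to act on that advice once you have shell access on the VPS, as an added example that is not code from this thread, from WordPress or from Xdebug: three small POSIX shell functions. The first reads the output of `php -m` and reports whether the Xdebug extension is loaded; the second reads `php -i` and reports whether `xdebug.mode` actually includes `debug` (in Xdebug 3 the `XDEBUG_SESSION_START` trigger only opens a DBGp session in that mode, and `xdebug.mode=off` leaves a loaded extension inert); the third scans a combined-format access log and counts `XDEBUG_SESSION_START` / `XDEBUG_TRIGGER` probes per client address, which is the list you would feed to a firewall or fail2ban-style rule. The function names and the sample log lines (documentation IP ranges) are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Xdebug/WordPress.
# Three checks for a VPS where you can run php and read the web
# server access log. Sample inputs below are constructed for illustration.

# 1) Is the Xdebug extension loaded at all?  Feed it `php -m`.
xdebug_loaded() {
    # -x: whole-line match, -i: php -m prints "xdebug" or "Xdebug"
    grep -qix 'xdebug'
}

# 2) If loaded, is step debugging actually reachable?  Feed it `php -i`.
#    Xdebug 3 only opens a DBGp session when xdebug.mode contains "debug";
#    "off" (or a mode list without "debug") leaves the trigger inert.
#    php -i prints ini values as "name => local value => master value".
xdebug_debug_mode() {
    awk -F' => ' '
        $1 == "xdebug.mode" && $2 ~ /(^|,)debug(,|$)/ { found = 1 }
        END { exit !found }'
}

# 3) Who is probing?  Feed it a combined-format access log; prints
#    "<hits> <client ip>" for every source that sent XDEBUG_SESSION_START
#    (or the newer XDEBUG_TRIGGER), busiest first.
xdebug_probe_ips() {
    grep -Ei 'XDEBUG_(SESSION_START|TRIGGER)' \
        | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Constructed sample log (documentation IP ranges, not real visitors).
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [10/Jan/2024:08:01:02 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:08:01:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:08:02:15 +0000] "GET /index.php?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:08:03:40 +0000] "GET /?XDEBUG_TRIGGER=1 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2024:08:05:01 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

# Live use on the VPS (commented out so the file runs offline):
#   php -m | xdebug_loaded && echo "xdebug is loaded"
#   php -i | xdebug_debug_mode && echo "xdebug.mode includes debug"
#   xdebug_probe_ips < /var/log/nginx/access.log
```

    One caveat worth knowing before panicking over the log line: a DBGp session is opened from the server out to the address in `xdebug.client_host` (localhost by default), so a remote probe only reaches an attacker-controlled client if the host has set `xdebug.discover_client_host` or pointed `client_host` at the outside world. The fix is still the same: a production stack should not load Xdebug at all, and the first two checks above tell you whether yours does.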

    Thread Starter starapple

    (@starapple)

    Thanks @sterndata. I refer to what’s happening as an attack because either the same IP or another is “rattling [my] doorknob” hundreds of times an hour. I moved from shared to VPS hosting so I will do what you suggested, i.e., make sure that extension isn’t enabled by default.

    The visitors from Russia seem to try executing various files or searching for their presence. The China visitors target specific image files and I am amazed they know of their presence (some more than 10 years old) since the /uploads/ directory isn’t supposed to be scannable.

    • This reply was modified 11 months, 1 week ago by starapple.
  • The topic ‘How do you block malicious visitors?’ is closed to new replies.