Immediately block IP's that access these URLs – Wildcards and blocked IPs

Hi

That’s not really what that options is for. See here for proper usage:
https://docs.wordfence.com/en/Wordfence_options#Immediately_block_the_IP_of_users_who_try_to_sign_in_as_these_usernames

Incidentally, what hack was it?

tim

Thanks for the reply Tim. I’m not using the username block, I’m using the URL block.

I’m not sure what the hack is… the pages seem to be general spam and are linked to from comments on other people’s WordPress installs. Unfortunately the folders keeps coming back and I haven’t been able to find what keeps recreating them (nor can wordfence). I’m scouring the database for a source now.

Does the pro version of your product have any mechanism to detect hacks that aren’t present in the free version?

OOps. I linked to the wrong part of the document. I meant this one:

https://docs.wordfence.com/en/Wordfence_options#Immediately_block_IP.27s_that_access_these_URLs

I wonder, since the pages don’t exist, if you could block by adding /wp-content/cache/tmp/nl-ugg

tim

I’ve tried blocking that… but again, I’m not sure how to see who has been blocked by this option.

I’m not sure that it would show up on the live traffic view, which is kind of specific. I’m sure you could probably get it out of the access logs with a grep command (grep nl-ugg acccess_log | wc -l)

tim

Yes, I can see people hitting the URLs in the access_log. But I don’t see any place that says x.x.x.x was blocked for hitting that url.

They should be showing a 503 there if I am not mistaken.

tim

Good morning,
I’m interested in creating an auto-block based on URL pattern. I’m noticing a lot of hits for things like
/wp-content/plugins/revslider/temp/update_extract/revslider/info.php
and
/wp-content/uploads/wpallimport/uploads/1a33653448b37ddfc920d427f4971c19/info.php

These are coming up under “Pages not Found” but it’s a daily occurrence and rather than waste precious time blocking each one individually, I’m keen on setting an auto-block rule.

My question is, will setting a block rule for just /wp-content/plugins/ (for example) block legitimate traffic that’s trying to load a page which uses a plugin? Thanks

What about using a redirection to point users to a fictitious url setup in wordfence.

redirect /.+\/info.php https://www.example.com/honey/pot/url

phoenix_maximus: Currently, you can use the Wordfence option “Immediately block IP’s that access these URLs” to block IPs if you enter the whole URL that is being used. We also have a feature request open, to possibly implement in a future version of Wordfence, to allow wildcards in this field.

Some plugins do have scripts or pages that load directly from the plugin directory, so blocking that overall would be likely to cause some problems (once the wildcard feature is available).

jashaw: Currently a redirect like this isn’t possible in Wordfence, but visitors (bots) are blocked after trying a bad URL by this method, which stops them from trying additional URLs which might really be related to an installed plugin. If Falcon caching is enabled, these visits are blocked by IP in .htaccess for faster and more thorough protection.

-Matt R
FB872

WFMattR, you have answered my question perfectly. Thank you.

Great, thanks for the follow-up!

-Matt R