• Ambyomoron

    (@josiah-s-carberry)


    I have been regularly examining the web access log for my WordPress site. While this has been instructive, I find that there are many types of requests that generate 4xx errors that I do not understand. I am NOT asking for help in interpreting status codes. I AM seeking resources to better understand the structure of the requests and, especially, hints on how to detect malformed requests that are specific to WordPress and may be indications of hacking. Any suggestions?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Anything you see that is not a link to a page or whatever at your site is likely either unnecessary or malicious, imo…and then, of course, it seems obvious to me that anything including some kind of login, password-reset, admin or other attempt embedded either within or as part of an otherwise-valid link to my site is malicious. As long as those are returning 404s and not getting through to anything, that is good even though they do still cause unwanted load on WordPress and your server. As to indications of hacking, there are various plugins that can scan all your site’s files and send notices whenever any file has been changed.

    Thread Starter Ambyomoron

    (@josiah-s-carberry)

    Thanks for the tip about plugins that look for changes, presumably unauthorized. I was hoping to be a little more proactive than that. If someone is monkeying around, making requests they have no business making, I am thinking about blocking access via .htaccess. I know there are limits to that approach, though. By the way, if an IP address is blocked in .htaccess, does the access attempt even appear in the web access log? If so, with what error code?

    Yes, blocking with .htaccess can become quite cumbersome since there is always a way around that and having a huge .htaccess file can slow everything and everyone down.

    if an IP address is blocked in .htaccess, does the access attempt even appear in the web access log? If so, with what error code?

    I would assume a record of the hit exists somewhere, even if only at the server, but I do not think any error codes are recorded there. I use the top-shelf BulletProof Security plugin for all .htaccess security, but I have never looked at its logs to see what it might record along that line. I also happen to use Wordfence Security for watching for 404s and for throttling over-aggressive traffic, and then it also has options for blocking IPs dynamically without writing to .htaccess. And now beyond all of that, or ahead of it, actually, my own most-recent efforts to deal with malicious traffic are keeping certain redirected hits from ever showing up there at all. https://www.nnysandbox.net/b6_development/sitemap/end-of-the-line/ To do that, I am adding my own redirects in BulletProof’s Custom Code box for Brute-Force Attacks after building a list of them by watching 404s.

  • The topic ‘Interpreting access logs’ is closed to new replies.
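
An added example, not written by anyone in the thread: a Python pass over a combined-format access log that groups 4xx responses by client IP and flags the login, password-reset and admin paths the replies mention, plus request lines that are not well-formed HTTP. The sample log lines, the function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" format: ip ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
# Path fragments for the request types named in the thread (assumed list).
SENSITIVE = ("wp-login.php", "wp-admin", "action=lostpassword")

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:06:25:01 +0000] "GET /old-page/wp-login.php HTTP/1.1" 404 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:06:25:02 +0000] "GET /blog/wp-admin/setup-config.php HTTP/1.1" 404 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:06:25:03 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.20 - - [10/Mar/2024:06:30:11 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:06:30:15 +0000] "GET /favicon.png HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:06:41:00 +0000] "\\x16\\x03\\x01" 400 226 "-" "-"
"""

def summarize(log_text):
    """Per client IP: 4xx status counts, sensitive paths hit, malformed request lines."""
    report = defaultdict(lambda: {"statuses": Counter(), "sensitive": [], "malformed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("4"):
            continue  # only 4xx responses are of interest here
        entry = report[m["ip"]]
        entry["statuses"][m["status"]] += 1  # 403 is what Apache logs for a denied request
        parts = m["request"].split()
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            entry["malformed"] += 1  # request line is not "METHOD path HTTP/x.y"
            continue
        if any(s in parts[1].lower() for s in SENSITIVE):
            entry["sensitive"].append(parts[1])
    return dict(report)

def suspects(report, threshold=2):
    """IPs with any malformed request or at least `threshold` sensitive-path 4xx hits."""
    return sorted(
        ip for ip, e in report.items()
        if e["malformed"] or len(e["sensitive"]) >= threshold
    )

if __name__ == "__main__":
    for ip in suspects(summarize(SAMPLE_LOG)):
        print(ip)
```

A single 404 for a missing image, like the favicon line in the sample, stays below the threshold and is not reported.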