Is there a way to block traffic that constantly hits the 403 error?

  • Resolved mouschi

    (@mouschi)


    2 years, 2 months ago

    I’ve noticed a few of my sites take up a TON of compute cycles, and it looks like it is largely due to these bot/scammer people constantly calling up pages that aren’t even on the server. For example:

    templates/beez3/index.php
    wp-includes/css/wp-config.php
    wp-content/themes/config.bak.php

    etc. Live traffic shows these, and tons of other files that aren’t even on the server are trying to be called up, and as a result, are getting a 403 error, which, in turn, appears to be eating up massive amounts of compute cycles in my hosting package.

    What would be the best course of action here? The ip addresses are different many times, so I can’t just block one ip and be done with it – there are tons more that seem to come in. Any help GREATLY appreciated!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @mouschi, thanks for getting in touch.

    It’s a totally normal occurrence to see requests like this, as frustrating as that can be, as many would-be attackers will simply probe a site in an automated fashion. Usually, there’s a hit-and-hope approach to this rather than prior inside knowledge of your files, plugins or the platform you’re running the site on.

    Wordfence is an endpoint firewall, so can catch/restrict/block users using Brute Force or Rate Limiting settings, but at the point your site tries to host content to them using PHP. Restrictions therefore are possible, but it can’t stop the requests from initially hitting your site, even if it ends up blocking them.

    Generally we feel a manual blocking regime is unnecessary, but if you have access to a firewall or load balancer on your hosting plan which is able to block specific IPs manually, you could try blocking any recurrent ones you’re seeing here. This means the IP could be stopped before any site content is served and therefore before Wordfence is loaded also.

    Thanks,

    Peter.

    Thread Starter mouschi

    (@mouschi)

    Peter, thank you for your response! I’m not sure I really have access to blocking anything beyond what wordfence offers. What would you suggest I do if there are tons of offending ip addresses? I’ve seen in the past where one ip address will attempt various files every 2-3 minutes for hours, but then a different ip address from a different country will try something similar … then another ip address, and another. It would be great if I could just be able to block 1 ip address, but it doesn’t seem it will work. Tons of 403/503 errors pop up in the wordfence traffic section. what would you suggest I do in this instance specifically to keep down the compute cycles?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @mouschi, no problem and I’m happy to help.

    Again, to actually cut down the server effort, the requests would have to be blocked before they hit your site content. You could speak with your host about whether there’s anything available on your hosting plan that can block/rate-limit IPs as soon as they hit the server.

    We do have some recommended Rate Limiting settings here that may help lighten the amount of full page loads, though: https://www.wordfence.com/wp-content/uploads/2021/09/ratelimitingpreferred.png

    Try increasing the block time to hours or even days if they’re retrying too soon. This could help.

    Thanks again,

    Peter.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Is there a way to block traffic that constantly hits the 403 error?’ is closed to new replies.