What does the content of this mean?

  • Resolved kristinubute

    (@kristinubute)


    1 year, 3 months ago

    Hi

    When viewing the LIVE VIEW of activity in your plugin I see someone from Saudi Arabia from certain IP

    domainname.com.au/wp-json/wp/v2/users/1

    Obviously I’ve replaced the word domainname.com.au away from the original.

    Anway the contents of that is this:

    {“code”:”rest_user_invalid_id”,”message”:”Invalid user ID.”,”data”:{“status”:404}}

    Does anyone know what this is?

    When I go into the Root directory of WordPress I cannot see the wp-json file in the root directory?

    So maybe it is a remnant of a dodgy OLD directory from previously?

    I’ve blocked that IP address anyway as well.

    It says its a BOT but I don’t believe that.

    OR it’s a dodgy BOT to do malicious intent possibly? But as that is NOT in the root directory

    Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

    Any feedback would be great.

    Thanks

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @kristinubute, have you seen the replies to your other questions, notably the one about interpreting Live Traffic?: https://www.ads-software.com/support/topic/viewing-live-view-and-understanding-the-breakdown/

    Wordfence is doing the hard work keeping an eye on access attempts to your site so you don’t have to take manual action unless you’re under heavy attack, affecting site performance. Bot/human detection is getting ever harder and we won’t get it right 100% of the time, but Wordfence still tries based on how the visitor was behaving and interacting with your site before making the request. It does look the mostly likely source was a bot here though.

    The REST API that comes with all WordPress installs has an endpoint beginning with /wp-json/wp/v2/… and then things like “users” (as in this case) can be queried. It’s primarily used for plugins and other applications to interact with your site. The URL doesn’t directly relate to the physical file system in this case. The JSON response from your site to the request is the {"code":"rest_user_invalid_id"... that you see. You can visit the path in your browser and get the same result displayed back to you.

    This request just seems like one of the hit-and-hope methods I mentioned in the previous thread hoping that /users/1 might expose your administrative username to them, as one example I can think of.

    You can find out about the WordPress REST API here: https://developer.www.ads-software.com/rest-api/

    You can read more about Live Traffic here: https://www.wordfence.com/help/tools/live-traffic/

    Thanks again,
    Peter.

    Thread Starter kristinubute

    (@kristinubute)

    Thank you for your reply.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘What does the content of this mean?’ is closed to new replies.