Big bass splash jackpot summer series results.Claim Your Free 999 Pesos Bonus Today

Resolved Delonn
(@delonnkoh)

6 years, 10 months ago

I encounter quite a number of this blocked attacks on some site and would like to know what exactly happened as I do not have any of the plugins in question installed.

Wordfence Blocks File Upload Attack

Viewing 6 replies - 1 through 6 (of 6 total)

shinerweb
(@shinerweb)

6 years, 10 months ago

Basically the ‘bad guys’ are hitting your site looking for those plugins in the hope that you have at least one of them installed.
They’ve probably determined your site is a WordPress site but that’s as much as they know. They then go through all the known vulnerabilities in the hope they find one.
Given that it’s likely the attacks are coming from botnet, if you see repeated attacks from the same IP, you can block that IP for a period. WordFence is protecting you from the known vulnerabilities already.

Unfortunately, you can’t stop these premptive type attacks, but by you can slow them down by removing as many signatures indicating that your site is a WordPress site, but in reality, they’ll eventually find you out.

It’s basically the equivalent of a cold call on the hope they find something…

wfalaa
(@wfalaa)

6 years, 10 months ago

Hi @delonnkoh
I can’t see the screenshot, it redirects to “404 not found” error page, but I can understand what do you mean, also I agree with shinerweb that these bots requests trying to randomly initiate attacks targeting known vulnerabilities using certain URLs/parameters.

You can check “Rate Limiting Rules” and “Custom Pattern Blocking” docs page to know more about how you can limit these requests in Wordfence.

Thanks.

Thread Starter Delonn
(@delonnkoh)

6 years, 10 months ago

Hi @wfalaa,

This screenshot should work. Reuploaded File

While I understand abit of it, what confuses me is the attack comes from IP
127.0.0.1 which is the site’s own server?

wfalaa
(@wfalaa)

6 years, 10 months ago

Hi,
Getting the localhost address reported in the Live Traffic feed indicates a misconfiguration in “How does Wordfence get IPs” option at (Wordfence > Dashboard > Global Options > General Wordfence Options). Please double check that you have this option configured correctly, you can go to (Wordfence > Tools > Diagnostics) then navigate to “IP Detection” section to make sure your IP is correctly detected there.

Let me know how it goes,
Thanks.

Thread Starter Delonn
(@delonnkoh)

6 years, 10 months ago

Hi @wfalaa,
Scan for misconfigured How does Wordfence get IPs is checked

Screenshot for “IP Detection”
Wordfence IP Detection

Screenshot for “How does Wordfence get IPs”
How does Wordfence get IPs

The IP detected is the same as mine(which is a Private Internet Access VPN).

Any advise? Thanks.

wfalaa
(@wfalaa)

6 years, 10 months ago

Looks like your server has a proxy configuration and it’s misconfigured somehow that reports the server loopback address (127.0.0.1) in REMOTE_ADDR header, I suggest getting in contact with your hosting provider to fix this issue.

Thanks.

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Why is this happening and how to deal with it?’ is closed to new replies.