dun_edwards
Forum Replies Created
I have this exact problem too… I’ll post on here if I find a solution…
Forum: Plugins
In reply to: [Popups - WordPress Popup] PHP issue
I have the same issue on my local machine running PHP 7.1.1 and WP 4.7.2. Here is the stack trace:
WP_Scripts->localize()
wp-includes/functions.wp-scripts.php:192
wp_localize_script()
wp-content/plugins/popups/public/class-social-popup.php:482
SocialPopup->enqueue_social_shortcodes()
wp-content/plugins/popups/public/class-social-popup.php:439
SocialPopup->enqueue_scripts()
wp-includes/class-wp-hook.php:298
do_action('wp_enqueue_scripts')
wp-includes/script-loader.php:1221
wp_enqueue_scripts()
wp-includes/class-wp-hook.php:298
do_action('wp_head')
wp-includes/general-template.php:2574
wp_head()
wp-content/themes/lazycatstore/header.php:17
load_template('~/wp-content/themes/lazycatstore/header.php')
wp-includes/template.php:643
locate_template()
wp-includes/general-template.php:45
get_header()
wp-content/themes/lazycatstore/home.php:15
I agree with vhagerty. Yeah, blocking IPs might work well for some DDOS attacks, but the PCs that are “attacking” your server are clients of your website running some buggy ad network code. If you ban their IPs then you are locking your users out of your own website! You need to block the request pattern as opposed to the IPs. The RewriteRule I’ve detailed above has so far worked perfectly for me and I still run Sovrn ads as one of my main ad providers.
How did you get on hesnctrl? I haven’t seen that issue where the sovrn ad overtakes the screen. What Browser/OS have you seen this on? This sounds like it could be the issue that just starts the random “attacks” on the Server…
Cheers, yes the full UserAgent we are getting is:
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.103 Safari/537.36
Hello vhagerty,
I think you are exactly right! Let me guess, you are with the sovrn / lijit advertising network? I found that the zone ID married up perfectly with the id of one of my ad zones. My fairly brutal fix was to add this:
RewriteRule ^(.*)undefined/fp(.*)$ - [R=403,NC,L]
to .htaccess.
Basically, we’ll never have a URL like that ever in a million years so I’m keen just to 403 it away.
Things I’ve taken away from this:
1) Ad networks will always be looking at new ways to f*** *** up
2) I will never laugh at my cat chasing her own tail again
3) WordPress is bad at statically handling 404s and I’ll need to work out a more server-efficient way to do this than through 404.php
Cheers for your help! What a brilliant call on your part!
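Added example, not part of the original posts: a Python check that applies the same `undefined/fp` pattern as the RewriteRule above to access-log lines and reports how many client IPs send matching requests and how many of those also browse the site normally, which is the case where an IP ban would lock out real visitors. The log lines are constructed samples and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Same pattern as the posted RewriteRule; the NC flag maps to re.IGNORECASE.
BLOCK = re.compile(r"^(.*)undefined/fp(.*)$", re.IGNORECASE)

# Client IP and request target from an Apache common/combined log line.
LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

# Constructed sample log (documentation IP ranges, invented paths).
SAMPLE = """\
203.0.113.5 - - [11/Feb/2016:22:16:10 +0000] "GET /blog/post-1/ HTTP/1.1" 200 5120
203.0.113.5 - - [11/Feb/2016:22:16:11 +0000] "GET /blog/post-1/undefined/fp HTTP/1.1" 404 9000
203.0.113.5 - - [11/Feb/2016:22:16:12 +0000] "GET /blog/post-1/undefined/fp HTTP/1.1" 404 9000
198.51.100.7 - - [11/Feb/2016:22:16:12 +0000] "GET /shop/ HTTP/1.1" 200 4300
198.51.100.7 - - [11/Feb/2016:22:16:13 +0000] "GET /shop/Undefined/FP HTTP/1.1" 404 9000
198.51.100.99 - - [11/Feb/2016:22:16:14 +0000] "GET /undefined/fp HTTP/1.1" 404 9000
192.0.2.44 - - [11/Feb/2016:22:16:15 +0000] "GET / HTTP/1.1" 200 7000
192.0.2.44 - - [11/Feb/2016:22:16:16 +0000] "GET /about/ HTTP/1.1" 200 3100
"""

def summarize(log_text):
    """Return (requests the rule would 403, IPs sending them,
    the subset of those IPs that also make ordinary requests)."""
    blocked, normal = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target = m.groups()
        # RewriteRule sees the URL path only: no query string and, in
        # .htaccess context, no leading slash.
        path = target.split("?", 1)[0].lstrip("/")
        (blocked if BLOCK.match(path) else normal)[ip] += 1
    offenders = sorted(blocked)
    also_visitors = [ip for ip in offenders if normal[ip] > 0]
    return sum(blocked.values()), offenders, also_visitors

if __name__ == "__main__":
    total, offenders, also_visitors = summarize(SAMPLE)
    print(f"{total} requests match the rule, from {len(offenders)} IPs")
    print(f"{len(also_visitors)} of those IPs also load normal pages")
```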
Although I love the genius of your solution, I couldn’t get it to work in my DEV environment. I created a nice little basic HTML page and everything. Upon reading more I’ve become aware that WP permalinks don’t really work so well with ErrorDocument 404 entries. Apparently 403s are fine but 404s don’t work. But I found another way. I’ve enabled the ‘Cache 404’ in the Page Cache of my W3 Total Cache plugin. I think this will work perfectly. I’m now sitting in front of the server logs with popcorn… But thank you for your time!
‘during the attack’ – So this isn’t something that I can permanently do? I guess the effect of this is that I’m effectively removing WordPress’s 404 catch-all and I can’t do this permanently?
Ah, I get it. What you have outlined is exactly the problem. I thought that all these bots were attacking index.php and I couldn’t work out why they would all just repeatedly hit index.php. Now I realise that they are all 404 errors being redirected to index.php. Then, when I block the IP it becomes a 403 error and none of that WordPress + plugins stuff loads and, as you state, the CPU usage goes right back down.
How much of:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
do I need to remove? All of it?
BTW You guys are amazing. I’m going to write a 5 star review of a product that is indispensable to this oft-misunderstood aspect of running a WP website.
Forum: Fixing WordPress
In reply to: Whois Abdull Karem and why are they scanning?
I highly recommend:
https://www.ads-software.com/plugins/ninjafirewall/
as the perfect solution for filtering out all of these things (and other types of DDOS attacks). I just installed it 1 day ago (it is free) and that is why I am on this forum. Because it blocked about 500 requests that look like this:
11/Feb/16 22:16:10 #8513631 critical 1417 46.226.45.69 GET /index.php – Suspicious bot – [GET:abdullkarem = 1]
but also lots of others like:
12/Feb/16 10:08:38 #6483221 medium 531 188.138.124.52 GET /index.php – Suspicious bots/scanners – [HTTP_USER_AGENT = ADmantX Platform Semantic Analyzer – ADform – ADmantX Inc. – https://www.admantx.com – [email protected]]
12/Feb/16 10:07:18 #3456836 medium 531 163.172.13.119 GET /index.php – Suspicious bots/scanners – [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; https://www.majestic12.co.uk/bot.php?+)]
Basically, everyone is trying to break your website every minute of every day…
Forum: Plugins
In reply to: [Yoast SEO] I had major PROD issues installing 3.0.6
OK, this is one of those times where a major DoS attack coincides with the same time as you upgrade a plugin. Ignore EVERYTHING I have written previously.
Forum: Reviews
In reply to: [Yoast SEO] What the hell happened?
Agree 100%. Please let me know if you find one!