Blacklist IP addresses

mheberger

Looking at my site's logs, I see plenty of suspicious activity, like a bot is trying to find vulnerabilities. Examples of requested files:
//wp-content/uploads/kaswara/fonts_icon/a57bze8931/.a57bze8931.php
//wp-content/plugins/apikey/apikey.php
//wp-content/plugins/apikey/a57bze8931.php
//wp-content/uploads/typehub/custom/a57bze8931/.a57bze8931.php

My question is: should I be concerned about this? I don't believe my site has ever been compromised in any way. But it seems like a waste of resources to deal with all these requests, hundreds a day it seems. Is there some way to automatically blacklist the IP addresses of these malicious bots?

sean

mheberger we block IPs that make common attacks automatically. By "common" I mean login URLs, XML-RPC URLs, and other known URLs that are frequently targeted.

We don't have anything in place that can block requests to random URLs like your example, but if you see the same IPs attacking repeatedly then feel free to contact support and we'll block them for you.

mheberger

Thanks Sean. This is maybe a naive question, but is it appropriate to just blacklist an IP address if there are obviously malicious bot activity coming from it? I mean, is there a chance you'd end up blocking an entire university or something, and inadvertently blocking a bunch of legitimate users?

Also wondering if it's even worth the trouble. Does it actually help or is it like playing whack-a-mole? 🙂

sean

mheberger

mheberger is it appropriate to just blacklist an IP address if there are obviously malicious bot activity coming from it?

Yes, blocking an attacking IP address is appropriate. If we didn't, then an attack on a single customer's site would disrupt other customers (on shared hosting anyway).

mheberger is there a chance you'd end up blocking an entire university or something, and inadvertently blocking a bunch of legitimate users?

Yes, there's always that chance. If it happens, it's easily reversed once the sysadmins on the other end deal with their problems.

mheberger Does it actually help or is it like playing whack-a-mole?

Yes and yes 🤷‍♂️

mheberger

OK, thanks Sean! It seems easy enough to write a little Python script to go through the access logs and look for suspicious activity.

mheberger

Just to follow up on this, it seemed like 99% of the malicious-looking requests were searching for some kind of Wordpress vulnerability. I installed one of the freemium Wordpress security plugins, and it includes a feature that blacklists bots and blocks them somehow.