How do i stop someone using a bot on my site?

[premiu38]

I'm just running a simple wordpress blog but today i noticed thousands of hits out of nowhere (like 80k). I tried banning the ip in cpanel but they changed it and did it again

inside the wp-statistics plugin its an agent called "WPScan"

Can i block that from accessing my site? It keeps making me hit the resource limit and lagging the site.

 

[essellar]

Yes, you can block specified user-agents (HTTP_USER_AGENT) with an .htaccess rewrite rule to return a 403 error status. There are several prepared sets available on the web that handle a variety of bots; just search for "htaccess user agent" (without the quotes, of course). Adding a new bot to an existing list is easy if the need should arise.

 

[AngusThermopyle]

Also, 'WPScan' is a 'black box WordPress vulnerability scanner'

Nice time to make sure your WordPress installation and all your plugins are up to date and secure.

 

[premiu38]

i ended up adding

BrowserMatchNoCase WPScan bad_bot
Order Deny,Allow
Deny from env=bad_bot

to my htaccess

and the hits stopped.

That a proper way to do it or there a better way?


on an unrelated note, is there a way to see bandwidth usage in cpanel?

i remember years ago when i ran a website it showed it looking something like this (googled image)

 

[essellar]

That's as good as any, and you can add bad bots to your environment variable as they make nuisances of themselves. But as AngusThermopyle mentioned, keeping WP patched and up-to-date is important as well - user agents can be spoofed. (And why more of them don't spoof is a mystery to me. It's like sending out spam email with the subject "This is a spam email intended to scam you".)

 

[premiu38]

i think they're doing it again..

but now i can't access my site at all

says

Error 503 Backend fetch failed
Backend fetch failed

Guru Meditation:
XID: 635601064

and using 90 / 100 % cpu

1,024 / 1024 MB virtual memory

50 / 50 processes

:s what can i do to stop this?

 

[Dead-i]

Hi,

I have blocked two IP addresses that were repeatedly attempting to access your website. Your website now appears to be loading.

Thank you,

 

[premiu38]

eh i don't think it will stop for long -.-

they seem to be using a bunch of different ips, and not using that wpscan anymore (faking the agent i guess since it says different browsers)

I guess someone from the netherlands doesn't like me much..

http://i.imgur.com/8JnV1rq.png

Is there a way i can monitor ips sending a lot of requests outside of wordpress?

I didn't see any options in the cpanel for logs.

 

[bdistler]

Is there a way i can monitor ips sending a lot of requests outside of wordpress? I didn't see any options in the cpanel for logs.

not a option
BUT
in cPanel-x3 [ File manager ] - look for the folder [ logs ] - it is above folder [ public_html ] - access log(s) are inside
NOTE: you can [ Extract ] them while in [ File manager ]

 

[premiu38]

i went in the cpanel and into the filemanager but the only thing about logs i see is a folder called "access-logs"

but its empty, and above public_html is public_ftp for me

 

[bdistler]

for me folder [ logs ] is above folder [ mail ] and below [ etc ] on my free-hosting server [ xo3 ]

 

[premiu38]

Eh i don't have it..

is there something i need to do to get it? Like a line in htaccess?

 

[caftpx10]

If you know their UA, you can make it so that it would block them that way. Problem is UA spoofing.
Used IP-Tracker and got some fascinating results:
http://www.ip-tracker.org/locator/ip-lookup.php?ip=94.210.213.221
http://www.ip-tracker.org/locator/ip-lookup.php?ip=85.113.247.5

If you really can't do anything about it, then you may have to deny access from that country (even though they could end up using something like a proxy).

 

[premiu38]

would cloudflare help?

i see sites using that sometimes and i saw an icon for it in the cpanel.

 

[bdistler]

would cloudflare help?

not for your issue in this thread...

from --> [ https://www.raymond.cc/blog/easily-block-visitors-from-a-country-using-htaccess/ ]

Additional Notes: For CloudFlare, you can find an option in “Threat Control” to block visitors from a country but be informed that this feature doesn’t fully ban the visitor from accessing the website. It merely provides an additional security check through CAPTCHA verification. The visitor can still access the website after correctly solving the CAPTCHA. CloudFlare did mention that they may implement full blocking in near future.

 

[premiu38]

Oh so they only need to do cloudflare captcha one time and then they can continue spamming again? it doesn't block after a number of attempts?

 

[caftpx10]

Cloudflare has a set allow time which can be modified, though there's no way of denying it completely.
If it's a bot and not a human doing this then it should only impact CF and not your site, as long as it fails the CAPTCHA. If they do somehow get through then CF will log the successful ones so that you could choose to either whitelist or blacklist them.
In addition, you can IP block the current IP's so that those can't attempt to reach your site (or rather the actual server).

 

[bdistler]

...as long as it fails the CAPTCHA

most 'high-class' bots can get through a "CAPTCHA" with ease
###

...you can IP block the current IP's

they seem to be using a bunch of different ips

so- how to know which IP the bot will use ?
###

...so that those can't attempt to reach your site (or rather the actual server)

if the IP deny coding to block a bot is on your server - how do you 'block' the bot - BEFORE it gets to the server ?
AND
if you can set IP blocking at CloudFlare - which IPs do you use - BEFORE the bots use them ?

my point is - until you KNOW which IP the bot did use or will use - you can not block that IP

 

[caftpx10]

most 'high-class' bots can get through a "CAPTCHA" with ease
###



so- how to know which IP the bot will use ?
###


if the IP deny coding to block a bot is on your server - how do you 'block' the bot - BEFORE it gets to the server ?
AND
if you can set IP blocking at CloudFlare - which IPs do you use - BEFORE the bots use them ?

CloudFlare allows you to deny certain IP's. As I've said, if someone does successfully go through the CAPTCHA, then CF will add that to a temporary allow list, which you can visit and choose to block the IP that appears to be the attacker, according to the site. The IP blocking being done on CF's side.