Hey guys, remember this status where I mentioned GPORG’s 404 logs containing more traces of bots trying to find exploits than actual 404s?

A few days ago, I found about 20+ 404s of very suspect URLs, from the same user agent, all within the span of a minute. And while this wasn’t the first time I found this many 404s from a single bot, it did make me think, hmmmmm, maybe I should think about doing something about these exploit finding bots?

Disclaimer: I don’t work for Cloudflare and am not an affiliate. I’m just a happy user of their free plan.

Then I remembered seeing something about a Bot Fight Mode in their settings somewhere.

Firewall > Bots > check the box for Bot Fight Mode

(There is a SUPER BOT FIGHT MODE, which I guess gives you control of how it fights bots? But I don’t know anything about it, since I’m only a free user and it’s not available to me.)

So now my 404 logs are more like this:

Notice that 8 hour gap in between the first two 404s??? 😱

And in Cloudflare, Firewall > Overview:

(There were 8 pages of this, btw. Most of them from the same bot.)

So yeah, it’s working awesomely. 👍

(And here, this is where I would mention alternatives for people who don’t use Cloudflare just to prove that I’m not trying to push people to sign up, but sadly, I don’t know of any. Sucuri, I guess?)

Re: Country Blocking

Also, on another note, notice that the country says United States? This is why I don’t believe in country blocking. Not only can the bad guys mask their location, folks from the “weird” countries (like Russia, China, India, etc) might be some normal people who just want to check out your site. And also, exploit finders can also legit be from the US (or Canada, or the UK, or Australia).

Re: IP Address Blocking

Folks might be wondering, why just not just block the IP address? IP addresses aren’t really that permanent:

  • They can change just by someone resetting the router.
  • Those of us privacy-minded folks who use VPNs, our IP addresses change whenever we connect to a server.
  • People who make it their life’s work to find exploits on people’s sites wouldn’t use a fixed IP address. So if I were block the one in the screenshot, it would work great for about a day (whenever bots switch IPs), then when the bot moves onto a new address, the old one (52.142.62.44) could end up with some poor shmoe, who is now blocked from my site even though they didn’t do anything wrong.

For me, the answer to great WordPress security is:

  • using strong passwords (randomly generated 20+ character string of upper and lowercase letters, numbers and special characters) stored in a trusted password manager
  • 2FA if able
  • using reputable plugins and themes
  • removing unused plugins and themes
  • getting a good security plugin (I like WordFence, but I hear a lot of good things about Sucuri)

^Not a complete list, btw.

– THE END –