Dmitry, 2016-04-15 19:04:13

How to protect yourself from a DDOS attack by requesting al_profileEdit.php on a WordPress site?

Good afternoon, colleagues. I need your help.
There is a site on shared hosting, running the WordPress CMS.
If I understand correctly, then a DDOS attack is underway on the site - every day, several dozen similar requests per minute appear in the logs, which heavily load the server.
The first one looks like this:
178.129.92.121 - - [02/Apr/2016:18:40:52 +0300] "GET /al_profileEdit.php?__query=edit&al=-1&al_id=vk HTTP/1.0" 403 2862 " mysite.ru/ category/post.html " "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
The second one has a slightly different tail after al_profileEdit.php and looks like this:
178.129.92.121 - - [02/Apr/2016:18:40:52 +0300] "GET /al_profileEdit.php?__query=edit&act=contacts&al=-1&al_id=vk HTTP/1.0" 403 2862 " mysite.ru/category/ post.html " "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
Where:
- mysite.ru/category/post.html is a placeholder for my URL that the attacker accesses. Most likely, the "heaviest" article was simply chosen as the victim;
- instead of 403 there is also 404;
- instead of 2862, there are other values, for example, 2892 or 30392.
There is no al_profileEdit.php on my site. In the results of search engines, this file is associated with the social network VKontakte.
The attack is conducted every day from different IP addresses; here are some of them:
109.187.175.241
109.187.180.170
178.129.26.148
178.129.92.121

Maybe add some code to .htaccess to block this kind of request? Or are there other ways?

P.S. There is another thought: that this is not an attack, but an attempt by some parser or spammer bot to somehow interact with the VKontakte widget located on the site. Or it is still an attack, but somehow related to this widget.


1 answer(s)
Andrey, 2016-04-15
@AndreyMyagkov

The load comes from the fact that your WordPress processes these requests, so you need to redirect these requests, bypassing WordPress:
a) in .htaccess, deny access from these IP subnets - some of the bots will be immediately filtered out
b) in .htaccess, make a 301 redirect from al_profileEdit.php to the bot's IP
or
c) create an empty file al_profileEdit.php
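
An added example, not part of Andrey's answer or the original thread: before writing the subnet rule from option (a), a script like this can tally which subnets the al_profileEdit.php requests actually come from. The sample log is constructed from the lines in the question (203.0.113.7 is a made-up ordinary visitor), and the function names are hypothetical.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample (Apache combined log format) modelled on the question's lines;
# 203.0.113.7 is a made-up ordinary visitor, user agents are shortened.
SAMPLE_LOG = """\
178.129.92.121 - - [02/Apr/2016:18:40:52 +0300] "GET /al_profileEdit.php?__query=edit&al=-1&al_id=vk HTTP/1.0" 403 2862 "mysite.ru/category/post.html" "Mozilla/5.0"
178.129.92.121 - - [02/Apr/2016:18:40:52 +0300] "GET /al_profileEdit.php?__query=edit&act=contacts&al=-1&al_id=vk HTTP/1.0" 403 2862 "mysite.ru/category/post.html" "Mozilla/5.0"
109.187.175.241 - - [02/Apr/2016:18:41:03 +0300] "GET /al_profileEdit.php?__query=edit&al=-1&al_id=vk HTTP/1.0" 404 2892 "mysite.ru/category/post.html" "Mozilla/5.0"
109.187.180.170 - - [02/Apr/2016:18:41:10 +0300] "GET /al_profileEdit.php?__query=edit&al=-1&al_id=vk HTTP/1.0" 403 2862 "mysite.ru/category/post.html" "Mozilla/5.0"
178.129.26.148 - - [02/Apr/2016:18:41:15 +0300] "GET /al_profileEdit.php?__query=edit&act=contacts&al=-1&al_id=vk HTTP/1.0" 404 2892 "mysite.ru/category/post.html" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2016:18:41:20 +0300] "GET /category/post.html HTTP/1.1" 200 30392 "-" "Mozilla/5.0"
"""

# Captures the client address and the request target inside the quoted request line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} ')


def probe_subnets(log_text, path="/al_profileEdit.php", prefix=24):
    """Count requests for `path` (with any query string) per client subnet."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, target = m.groups()
        if target.split("?", 1)[0] != path:
            continue  # ordinary traffic, leave it out of the tally
        try:
            net = ip_network(f"{client}/{prefix}", strict=False)
        except ValueError:
            continue  # client field is a hostname, not an IP address
        hits[str(net)] += 1
    return hits


def subnets_over(hits, threshold):
    """Subnets seen at least `threshold` times, as CIDR strings for a deny rule."""
    return sorted(net for net, count in hits.items() if count >= threshold)


if __name__ == "__main__":
    for net, count in probe_subnets(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {net}")
```

Widening `prefix` to 16 groups the question's four addresses into two networks, but a wider block also shuts out ordinary visitors who share those ranges.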
