My WordPress server keeps getting knocked offline by hackers running vulnerability scans. When I check my logs I see thousands of lines like this (I replaced the domain name with ***'s):
/var/log/httpd/ssl_error_log-20210307:12682:[Mon Mar 01 03:41:14.012378 2021] [access_compat:error] [pid 20560] [client 66.249.66.223:59346] AH01797: client denied by server configuration: /var/www/**********.com/account.php
There are thousands of these and they all happen at the same time, like a DDoS attack. They try other URLs too; it looks like a list of known plug-in vulnerabilities. Reverse IP lookup on 66.249.66.223 shows it is Google-bot, but this is clearly not true, so I can only assume they are spoofing the IP.
I am using CloudFlare and could put in a firewall rule to trigger blocking any IP that requested the url /account.php but then I will be blocking GoogleBot from crawling my site. I'm stumped.
My Answer:
One way to block vulnerability scans when hackers are spoofing Google-bot's IP address is to implement a more sophisticated firewall rule that takes into account additional factors beyond just the requested URL. For example, you could create a rule that blocks any IP address that requests a suspiciously high number of URLs within a short period of time, or that exhibits other suspicious behavior indicative of a vulnerability scan.
Additionally, you could consider implementing a Web Application Firewall (WAF) that is specifically designed to detect and block malicious traffic, including vulnerability scans. Many WAFs have advanced features such as behavioral analysis and machine learning algorithms that can help differentiate between legitimate and malicious traffic, even when the attackers are attempting to disguise themselves as Google-bot.
It's also important to regularly update and patch your WordPress server and plugins to minimize the likelihood of successful attacks. Keeping your software up to date can help prevent hackers from exploiting known vulnerabilities in outdated versions.
Lastly, consider reaching out to your hosting provider or a cybersecurity professional for assistance in implementing more advanced security measures to protect your WordPress server from vulnerability scans and other malicious activities.
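The rate-based rule suggested in the answer can be prototyped against the error log before it is turned into a firewall rule. The following is an added example, not part of the original post: it parses AH01797 lines in the format quoted in the question and reports client IPs that exceed a denial threshold inside a sliding window. The function names, the 10-second window, the threshold of 20 and the sample log lines (documentation-range IPs) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.4 error-log denial (AH01797), as quoted in the question. search() is
# used so a grep-style "file:lineno:" prefix in front of the entry is tolerated.
LINE_RE = re.compile(
    r"\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+ \d{4})\].*?"
    r"\[client (?P<ip>[0-9A-Fa-f.:]+):\d+\] AH01797: "
    r"client denied by server configuration: (?P<path>\S+)"
)

def find_scanners(lines, window_seconds=10, max_denied=20):
    """Return {ip: peak denials seen in any window} for IPs above max_denied.

    Thresholds are illustrative assumptions; entries must be in time order per IP.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> denial timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # not an AH01797 denial
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # expire entries older than the window
            q.popleft()
        if len(q) > max_denied:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def sample_log():
    """Constructed sample: a 30-request burst from one IP, 3 slow hits from another."""
    fmt = ("/var/log/httpd/ssl_error_log:{n}:[Mon Mar 01 03:41:{sec:02d}.{us:06d} 2021] "
           "[access_compat:error] [pid 20560] [client {ip}:{port}] AH01797: "
           "client denied by server configuration: /var/www/example.com/{path}")
    burst = [fmt.format(n=i, sec=14 + i // 10, us=(i % 10) * 90000,
                        ip="198.51.100.7", port=50000 + i, path=f"probe{i}.php")
             for i in range(30)]
    slow = [fmt.format(n=100 + i, sec=5 + 20 * i, us=0,
                       ip="203.0.113.9", port=40000 + i, path="account.php")
            for i in range(3)]
    return burst + slow

if __name__ == "__main__":
    for ip, peak in find_scanners(sample_log()).items():
        print(f"{ip}: {peak} denied requests within 10 s")
```

Running it over real log history with a few window and threshold values shows which setting separates the scan bursts from ordinary crawler traffic before the same numbers are used in a rate-limiting rule.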