Any reason not to block requests with 'wordpress' in the user-agent string?

Nekki Veteran
edited February 2016 in Help

So lately, I've seen a few occasions where there's a shit-ton of GET requests coming in together with a user-agent string of 'WordPress/x.x.x'. They're nothing more than a minor annoyance, but given this is reminiscent of the old WordPress pingback DDoS attack, it feels like it's just worth dealing with it now.

This isn't for a WordPress blog, so is there any reason to allow requests with this user agent to access the site?

Thanked by 1 vRozenSch00n

Comments

  • perennate Member, Host Rep

    Well I doubt it will break anything if that's what you're asking.

    Thanked by 1 Nekki
  • Darwin Member
    edited February 2016

    IMHO if it is wasting backend resources (like always firing a DB query or a script) I would block it.

    If your site is heavily cached and you don't mind wasting bandwidth I couldn't care less about blocking.

    But...

    I can't think of a legit usage from WordPress that justifies sending a GET/POST to a server not running WP. Maybe because of this I would block those requests.

    Thanked by 1 Nekki
  • I'm not sure how WP handles pingbacks, trackbacks, etc. but it may be worth investigation. Also, I guess it may to get requests for resources like that.

    Thanked by 2 Nekki vRozenSch00n
  • I would block it. I don't want no one hitting my sites with that, since it could be the old WordPress DDoS pingback attack from way back. Just to be safe.

    Thanked by 2 Nekki vRozenSch00n
  • Cheers all.

    There is a chance that if the wrong content at the wrong time was hit by something like that I might end up in a tangle, so it sounds like although this is an unsubtle method, it's unlikely to cause any issues.

  • Isn't it something related to auto upgrade of WordPress? Got an email notification the other day that my WordPress has been upgraded (but that might just be my Plesk doing its job).

  • You probably see these coming legitimately when someone links to you and their option to "Send pingbacks and trackbacks to linked blogs" is enabled. I've seen WordPress user agents coming from Automattic's ranges (wordpress.com), WordPress cron running and such.

    "curl -L iphere" on the IP would probably give an idea what site's on the IP.

  • heachhog said: Isn't it something related to auto upgrade of WordPress? Got an email notification the other day that my WordPress has been upgraded (but that might just be my Plesk doing its job).

    No idea, I have nothing to do with WordPress.

    GM2015 said: You probably see these coming legitimately when someone links to you and their option to "Send pingbacks and trackbacks to linked blogs" is enabled.

    I can see the site in the referrer string that comes with the request, which makes me think these are compromised installations (well that and the volume of simultaneous requests). I did think that legit pingbacks were POST requests though?

  • GM2015 Member
    edited February 2016

    Probably a combination of a GET and POST. I don't remember exactly, but they obviously need a POST to publish a link with some info on your comments section.

    That probably explains it:

    https://wordpress.org/support/topic/trackback-spam-3#post-4087979

    Nekki said: I did think that legit pingbacks were POST requests though?

  • raindog308 Administrator, Veteran

    Hey, anybody know what happened to that tentacle hentai site in the UK? My WP-Robot was autoripping it but it stopped working last night...

    Thanked by 2 Nekki linuxthefish
  • @raindog308 said:
    Hey, anybody know what happened to that tentacle hentai site in the UK? My WP-Robot was autoripping it but it stopped working last night...

    No more TentaclesAndSpectacles.co.uk for you!

  • Go for it, done it on all my webservers to stop that XML-RPC reflection attack thing.

  • If you don't want ping backs / trace backs or whatever the thing does just block it. Nothing will happen.

    http://john.cuppi.net/blocking-wordpress-pingback-ddos-attacks-with-nginx-and-apache/

    If you're interested.
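
A way to measure what the rule discussed in this thread would reject before switching it on, as an added example that is not part of any post: it applies a case-insensitive 'wordpress' User-Agent match to combined-format access log lines and reports the matching requests by method, by source and by burst. The function names, the burst threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" access log line.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def is_wordpress_ua(ua):
    """The rule from the thread: 'wordpress' anywhere in the User-Agent."""
    return "wordpress" in ua.lower()

def summarize(lines, burst_threshold=3):
    """Count requests the rule would block, by method, source IP and second."""
    methods, sources, per_second = Counter(), Counter(), Counter()
    blocked = passed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, ignore it
        if is_wordpress_ua(m["ua"]):
            blocked += 1
            methods[m["method"]] += 1
            sources[m["ip"]] += 1
            per_second[m["ts"]] += 1
        else:
            passed += 1
    # A burst is several matching requests inside the same logged second.
    bursts = {ts: n for ts, n in per_second.items() if n >= burst_threshold}
    return {"blocked": blocked, "passed": passed, "methods": dict(methods),
            "distinct_sources": len(sources), "bursts": bursts}

# Constructed sample lines (documentation IP ranges, made-up hosts).
SAMPLE = [
    '192.0.2.10 - - [12/Feb/2016:10:15:01 +0000] "GET /news/post-1 HTTP/1.0" 200 5120 "-" "WordPress/4.4.2; http://blog-a.example"',
    '198.51.100.7 - - [12/Feb/2016:10:15:01 +0000] "GET /news/post-1 HTTP/1.0" 200 5120 "-" "WordPress/4.3.1; http://blog-b.example"',
    '203.0.113.5 - - [12/Feb/2016:10:15:01 +0000] "GET /news/post-1 HTTP/1.0" 200 5120 "-" "WordPress/4.1; http://blog-c.example"',
    '192.0.2.44 - - [12/Feb/2016:10:15:02 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.10 - - [12/Feb/2016:10:15:03 +0000] "POST /xmlrpc.php HTTP/1.0" 404 162 "-" "WordPress/4.4.2; http://blog-a.example"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Many distinct sources requesting the same path in the same second matches the volume of simultaneous requests described in the opening post, while a low, steady count is closer to ordinary pingback traffic.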
