Any reason not to block requests with 'wordpress' in the user-agent string?
So lately, I've seen a few occasions where there's a shit-ton of GET requests coming in together with a user-agent string of 'WordPress/x.x.x'. They're nothing more than a minor annoyance, but given this is reminiscent of the old WordPress pingback DDoS attack, it feels like it's just worth dealing with it now.
This isn't for a Wordpress blog, so is there any reason to allow requests with this user agent to access the site?
Comments
Well I doubt it will break anything if that's what you're asking.
IMHO, if it is wasting backend resources (like always firing a DB query or a script), I would block it.
If your site is heavily cached and you don't mind wasting bandwidth I couldn't care less about blocking.
But...
I can't think of a legit usage from WordPress that justifies sending a GET/POST to a server not running WP. Maybe because of this I would block those requests.
I'm not sure how WP handles pingbacks, trackbacks, etc. but it may be worth investigation. Also, I guess it may to get requests for resources like that.
I would block it. I don't want no one hitting my sites with that, since it could be the old WordPress DDoS pingback attack from way back. Just to be safe.
Cheers all.
There is a chance that if the wrong content at the wrong time was hit by something like that I might end up in a tangle, so it sounds like although this is an unsubtle method, it's unlikely to cause any issues.
Isn't it something related to auto upgrade of WordPress? Got an email notification the other day that my WordPress has been upgraded (but that might just be my Plesk doing its job).
You probably see these coming legitimately when someone links to you and their option to "Send pingbacks and trackbacks to linked blogs" is enabled. I've seen WordPress user agents coming from Automattic's ranges (wordpress.com), WordPress cron running and such.
"curl -L iphere" the IP would probably give an idea of what site's on the IP.
No idea, I have nothing to do with Wordpress.
I can see the site in the referrer string that comes with the request, which makes me think these are compromised installations (well that and the volume of simultaneous requests). I did think that legit pingbacks were POST requests though?
Probably a combination of a GET and POST. I don't remember exactly, but they obviously need a POST to publish a link with some info on your comments section.
That probably explains it:
https://wordpress.org/support/topic/trackback-spam-3#post-4087979
Hey, anybody know what happened to that tentacle hentai site in the UK? My WP-Robot was autoripping it but it stopped working last night...
No more TentaclesAndSpectacles.co.uk for you!
Go for it, done it on all my webservers to stop that XML-RPC reflection attack thing.
If you don't want ping backs / trace backs or whatever the thing does just block it. Nothing will happen.
http://john.cuppi.net/blocking-wordpress-pingback-ddos-attacks-with-nginx-and-apache/
If you're interested.
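Before putting the block in place, it helps to see what the WordPress-UA traffic in the access log actually consists of. The following is an added example, not part of the thread or the linked article: it tallies such requests by client IP, by the site URL that WordPress announces in its user agent, and by the "verifying pingback from" address that newer WordPress versions append. It assumes the combined log format; the sample lines are constructed.

```python
import re
from collections import Counter

# Combined log format: ip - user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# WordPress's HTTP API sends "WordPress/<version>; <site URL>"; pingback
# verification requests may add "; verifying pingback from <ip>".
WP_UA_RE = re.compile(
    r'^WordPress/(?P<version>[\d.]+)(?:; (?P<site>https?://[^;\s]+))?'
    r'(?:; verifying pingback from (?P<origin>[0-9a-fA-F:.]+))?'
)

def summarize(lines):
    """Count WordPress-UA requests per client IP, announced site and pingback origin."""
    by_ip, by_site, by_origin = Counter(), Counter(), Counter()
    for line in lines:
        entry = LINE_RE.match(line.strip())
        if not entry:
            continue  # not a combined-format line
        ua = WP_UA_RE.match(entry["ua"])
        if not ua:
            continue  # some other client
        by_ip[entry["ip"]] += 1
        by_site[ua["site"] or "(none)"] += 1
        if ua["origin"]:
            by_origin[ua["origin"]] += 1
    return by_ip, by_site, by_origin

# Constructed sample lines (documentation IP ranges, made-up hostnames).
SAMPLE = [
    '198.51.100.7 - - [10/Oct/2014:13:55:36 +0000] "GET /page?x=1 HTTP/1.0" 200 512 '
    '"-" "WordPress/4.0; http://blog-a.example; verifying pingback from 203.0.113.9"',
    '198.51.100.8 - - [10/Oct/2014:13:55:36 +0000] "GET /page?x=2 HTTP/1.0" 200 512 '
    '"-" "WordPress/3.9.2; http://blog-b.example; verifying pingback from 203.0.113.9"',
    '198.51.100.7 - - [10/Oct/2014:13:55:37 +0000] "GET /page?x=3 HTTP/1.0" 200 512 '
    '"-" "WordPress/4.0; http://blog-a.example"',
    '192.0.2.44 - - [10/Oct/2014:13:55:38 +0000] "GET / HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for title, counter in zip(("client IP", "announced site", "pingback origin"),
                              summarize(SAMPLE)):
        print(title, counter.most_common(10))
```

Many distinct announced sites hitting the same paths in a short window, especially with one shared pingback origin, is the pattern a blanket user-agent block is meant to absorb.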