BOT Spamming

Hi all, I have a WordPress site with WooCommerce, and for the last few weeks I have had a lot of spam traffic. However, in the last 24 hours a certain IP in the USA tried to create hundreds of fake accounts (I have since blocked that IP via Wordfence and now in Cloudflare). Almost instantly, the tactic has changed and now I'm seeing constant requests for password recovery, but each from a different IP and from several countries (this shows in Wordfence/Firewall). I have the Pro Plan version of Cloudflare and updated to the Super Bot Fight Mode, and DNS is via Cloudflare to my hosting provider. Should Superbot be helping block these spam attacks that are happening every few seconds? Otherwise, what kind of rule could I possibly use? Thanks

Is your DNS record proxied? If it is set to “DNS only”, requests aren’t passing through Cloudflare.

Assuming your record is proxied, SBFM should be helping, you can look in your security events log to see…
https://dash.cloudflare.com/?to=/:account/:zone/security/events

The simplest solution to get started is to use the WAF to challenge all requests to pages with forms and logins to filter humans from bots.

Thanks for the reply. DNS is proxied and I am seeing 1 item in the events from this morning for Bot Fight Mode. I'm very new to Cloudflare, and in WAF I set the “Cloudflare Managed Ruleset” to “Managed Challenge”. Was this the simplest solution you were thinking of? Cheers

I’d just like to note here that this may be part of a broader attack. Over the last few days, a particular user in our organization has received several hundred of the types of emails that you describe (account creation, followed by password recovery) from WordPress eCommerce sites, some of which are stamped with WooCommerce. They may be trying to leverage vulnerabilities in unpatched WooCommerce plug-ins?

Thanks Dan - makes me wonder if it had anything to do with the huge TicketMaster hacking. Blocking the first 24hr wave of the fake user creations by IP was nice and simple, and that has stopped now. The best way seems to be what SJR suggested, which took me a little moment to work out: I created a separate rule in WAF and used “URI Full” with my password reset page URL with an action of “Managed Challenge”, which worked a treat. Again it mainly lasted about 24 hours, with only about 10-20 blocks each day since, compared to 10k in one day. I can only assume they were trying to create the accounts to then create fake comments to include dodgy/spam links off to other bad websites.
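
Added example, not part of any post in this thread: a small log check that separates the two waves described above, one IP flooding a form versus many IPs each sending a few password-reset requests, which is why the IP block stopped the first wave but the second needed a challenge on the page itself. The reset paths, thresholds, function names and log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed paths: the WooCommerce default lost-password page and the WordPress
# core one; substitute the URL your site actually uses.
RESET_PATHS = ("/my-account/lost-password", "/wp-login.php?action=lostpassword")
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (ip, timestamp, method, path) for a combined-format log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path

def classify_reset_traffic(lines, bucket_seconds=60, min_requests=5, per_ip_limit=3):
    """Bucket POSTs to the reset page by time and label each busy bucket."""
    buckets = defaultdict(Counter)  # bucket start (epoch seconds) -> Counter of IPs
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method == "POST" and path.startswith(RESET_PATHS):
            start = int(ts.timestamp()) // bucket_seconds * bucket_seconds
            buckets[start][ip] += 1
    findings = []
    for start, ips in sorted(buckets.items()):
        total = sum(ips.values())
        if total < min_requests:
            continue
        _top_ip, top_count = ips.most_common(1)[0]
        if top_count > per_ip_limit:
            kind = "single-source"  # an IP block or per-IP rate limit is enough
        else:
            kind = "distributed"    # per-IP limits miss it; challenge the path
        findings.append({"bucket": start, "requests": total,
                         "distinct_ips": len(ips), "kind": kind})
    return findings

# Constructed sample: six reset POSTs from six documentation-range IPs in one minute.
SAMPLE = [
    f'203.0.113.{i} - - [10/Jun/2024:09:15:{i:02d} +0000] '
    f'"POST /my-account/lost-password/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    for i in range(1, 7)
] + ['198.51.100.7 - - [10/Jun/2024:09:15:30 +0000] "GET /shop/ HTTP/1.1" 200 9000 "-" "-"']
print(classify_reset_traffic(SAMPLE))
```

A "distributed" result is the case where a path-scoped Managed Challenge rule, like the one described in the post above, is the control that applies.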
