DNS level protection for attack

I discovered multiple login attempts at my WordPress panel from many IPs.
I’ve read about the possibility to defend by:

Due to the large scale of this botnet attack, CloudFlare has offered DNS level filtering for this attack on all of their free accounts.

I attach an image; every hour there are tons of these attempts.
I’ve changed my login password to an extra-long one but I’m scared.
What is the correct procedure to apply that DNS filtering?
I have Wordfence in learning mode and I’ve activated all login attempt limitations.

1 Like

If your website ever goes under attack, the first thing you should do is activate IUAM (I’m Under Attack Mode). For first steps when under a DDoS attack, visit Under DDoS Attack! First steps

Thanks.
I’m activating with your guide & by contacting my provider.

I’m making a total backup with FileZilla & of the database.

BTW what’s the link of your website?

I have only a little blog. My hosting provider, as its only answer, advised me to view the generic guide of this site for DDoS bots. I’m scared now even to reveal the URL here.

It’s really frustrating.
I’ve put all my effort into it all these years just out of pure passion by putting money back on it and targeting people like me.

This looks like a brute-force attack rather than a DDoS attack; consider using Page Rules or CF Access to fully mitigate this kind of attack.

I would rather suggest using Firewall Rules than Page Rules.

In that case, you can use Cloudflare Firewall Rules to block all countries except your own, or your IP address, for /wp-login.php using a Firewall rule like the one below.

You can combine to either allow only from one or multiple countries, or even block all except one or few countries.

The Firewall rule from the above screenshot, for example, has the action Block for everyone trying to access /wp-login.php except users from the country Croatia.

Put it from “Learning mode” to “Enable and blocking”. From the screenshot above, I see you are using Wordfence - that is a good thing.

Check your security options at Cloudflare too.

Make sure your DNS records at Cloudflare dashboard are being proxied via Cloudflare (orange cloud).

2 Likes

Absolutely, I tend to mix the names of page rules & firewall events, my bad.

Thank you. I thought it would be helpful to let it end the learning period (it’s still a few days away)… So you advise me to stop it now? Thanks for your advice.
on cloudflare and the screen. After work I will try

And about under attack mode?
With medium level I have to disable it first.

FTP services need DNS protection? Orange icon? After I put a screenshot…

The learning modes, in general, are a bit exaggerated and aim to create a placebo effect (oh, my firewall is learning, it will be awesome in some days).
Truth is that it won’t be that relevant, there are exceptions to this, and that is a huge amount of data that you can categorize obtained from either 1) owning a big website or 2) running a huge network and have access to that much data, just like Cloudflare.

Your best bet is to cut the issue from the root and use firewall rules as @fritexvz suggested.

FTP record at DNS dashboard at Cloudflare should be grey cloud if you are using your hostname like ftp.yourdomain.com when connecting via FileZilla or some other FTP client.
Otherwise, if you know the IP address, you can always connect via IP and remove that record from DNS dashboard.

Ok. I’ve set filters.
In Cloudflare DNS I have all proxied except webmail and FTP, but I also have these values that cannot be flagged for proxy:

SRV _autodiscover._tcp 0 0 443 cpanelemaildiscovery.cp
TXT mysite google-site-verification=ranunHP…
TXT mysite v=spf1 +a +mx +ip4:31.22.4.88 +ip4
TXT default._domainkey

all AUTOMATIC ONLY DNS

1 Like

Great!

For that kind (type) of records, that is normal to be as is :wink:

1 Like

If you use firewall rules, ask your hosting to restrict traffic to only Cloudflare. Some hosting providers do this by default; with some others you have to ask for it.
I use firewall rules to protect all sensitive wp files including login, and I have 0 brute force attacks.

Thanks. I wrote to my technical support.

This is my situation (day/week/months). First attack in December. Second attack in March. On the 25th and 26th my site was off for extra bandwidth.
I’ve set up filters

but i’m scared.

You can enable Bot Fight Mode in:
Firewall>Bots>Bot Fight Mode

1 Like

Regarding the provided screenshot, how can you know it was an attack?

Moreover, is your domain proxied via Cloudflare? (orange cloud DNS records at Cloudflare dashboard)

Regarding your WordPress and Wordfence plugin and Cloudflare, you can really achieve a lot if using both in combination.

Today I checked all the March logs from my cpanel and I discovered that these are the ones who consume the bandwidth

I’m trying this

I’m also setting this:

Small update.
I’m setting up more targeted rules based on the firewall results.
I set the htaccess block to up_auto_log = true after today’s attack.
Today they are trying to access wp_content many times and point to plugin folders that I don’t have, I think to look for vulnerabilities.
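
The log review described in the posts above (who consumes bandwidth, repeated login attempts, requests for plugin folders that do not exist) can be done with a short script. This is an added example, not part of the thread; it assumes Apache "combined" format logs as exported from cPanel, and the sample lines, dates and IP addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Mar/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Mar/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Mar/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Mar/2021:10:01:00 +0000] "GET /wp-content/plugins/absent-plugin/readme.txt HTTP/1.1" 404 310 "-" "curl/7.68.0"
198.51.100.7 - - [25/Mar/2021:10:01:01 +0000] "GET /wp-content/plugins/other-absent/x.php HTTP/1.1" 404 310 "-" "curl/7.68.0"
192.0.2.55 - - [25/Mar/2021:10:02:00 +0000] "GET /2021/03/a-post/ HTTP/1.1" 200 58231 "-" "Mozilla/5.0"
192.0.2.55 - - [25/Mar/2021:10:02:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def summarize(log_text):
    """Per-IP counts: login POSTs, 404s under /wp-content/plugins/, bytes sent."""
    login_posts, plugin_404, sent = Counter(), Counter(), Counter()
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1                      # malformed line: count it, keep going
            continue
        ip = m["ip"]
        path = m["target"].split("?", 1)[0]   # compare on the path, not the query
        if m["size"] != "-":
            sent[ip] += int(m["size"])
        if m["method"] == "POST" and path == "/wp-login.php":
            login_posts[ip] += 1              # a GET of the login form is not an attempt
        if m["status"] == "404" and path.startswith("/wp-content/plugins/"):
            plugin_404[ip] += 1               # requests for plugins that are not installed
    return {"login_posts": login_posts, "plugin_404": plugin_404,
            "bytes": sent, "skipped": skipped}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for name in ("login_posts", "plugin_404", "bytes"):
        print(name, report[name].most_common(3))
    print("skipped lines:", report["skipped"])
```

When the site is proxied, the first field of the origin log is a Cloudflare address unless the web server is configured to restore the visitor IP from the CF-Connecting-IP header.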

Create a Firewall rule like this (block all requests to direct .php files under wp-content directory, except wp-cron.php in case) to block them:

(http.request.uri.path contains ".php" and not http.request.uri.path contains "wp-cron.php" and http.request.uri.path contains "/wp-content/")

If you would like to search for more, try here:

You can also use IP Access Rules to block the whole ASNs or Firewall Rules to block some other spider User-agents, crawlers, etc.

Here:

All available options are listed here, make sure to check out too:

Moreover, as this topic is going on, I believe it would be more likely you would need to look up at the suggested links to learn and apply the needed security level and protection options available to you for your WordPress while your domain is being proxied via Cloudflare using Cloudflare service, and as Cloudflare protects your Website at DNS level already :wink:
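
To see what the two Firewall Rules discussed in this thread match before enabling them, the sketch below models them as Python predicates and runs them over constructed requests. It is an added example, not part of the thread and not Cloudflare code; the login rule is written from the description of the screenshot (block /wp-login.php except for country HR), and the function names are hypothetical.

```python
from urllib.parse import urlsplit

def uri_path(uri):
    """http.request.uri.path is the path only, without the query string."""
    return urlsplit(uri).path

def blocks_wp_content_php(uri):
    # Expression quoted in the thread:
    # (http.request.uri.path contains ".php"
    #  and not http.request.uri.path contains "wp-cron.php"
    #  and http.request.uri.path contains "/wp-content/")
    p = uri_path(uri)
    return ".php" in p and "wp-cron.php" not in p and "/wp-content/" in p

def blocks_login(uri, country, allowed=frozenset({"HR"})):
    # Assumed form of the screenshot rule: block /wp-login.php
    # unless the visitor's country is in the allowed set.
    return "/wp-login.php" in uri_path(uri) and country not in allowed

# Constructed requests: (uri, visitor country)
SAMPLES = [
    ("/wp-content/plugins/absent/setup.php", "DE"),   # direct .php under wp-content
    ("/wp-content/uploads/2021/03/photo.jpg", "DE"),  # static file, passes
    ("/wp-content/themes/t/style.css?v=a.php", "DE"), # ".php" only in the query string
    ("/wp-cron.php?doing_wp_cron=1", "DE"),           # root file, third clause is false
    ("/wp-content/cache/wp-cron.php.bak", "DE"),      # exception is a substring match
    ("/wp-login.php", "HR"),                          # allowed country
    ("/wp-login.php", "US"),                          # any other country
]

def evaluate(samples):
    """Return (uri, blocked_by_content_rule, blocked_by_login_rule) per request."""
    return [(u, blocks_wp_content_php(u), blocks_login(u, c)) for u, c in samples]

if __name__ == "__main__":
    for uri, content_block, login_block in evaluate(SAMPLES):
        print(f"{uri:45} content={content_block!s:5} login={login_block}")
```

In a standard install wp-cron.php sits in the WordPress root, so the "/wp-content/" clause already leaves it alone; the exception only affects paths under /wp-content/ that happen to contain that string.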