What is the name of the domain?
What is the error number?
N/A
What is the error message?
N/A
What is the issue you’re encountering?
For my extremely-low-traffic websites, I use WordPress + the WordFence plugin + some sort of caching system (I’m still undecided about which one is ‘better’), and, of course, Cloudflare on top of all that (free tier).
Everything is strictly TLS’ed and there is what I consider a reasonable amount of protection on top of everything.
And at the ‘bottom’, so to speak, I additionally use fail2ban to scan through logs to catch even more cases, blocking these individually at the local firewall, at Cloudflare’s firewall, and, for good measure, report them to AbuseIPDB.com as well.
The WP back-office is additionally protected with Google ReCaptcha v3 and 2FA, and, in general, there are really very few legitimate users there. Every now and then, someone grabs one of those databases with well-known vulnerable user/password combinations, and starts doing a long check for hours and hours, to see if any of the logins goes through.
They naturally use different IP addresses (a lot of them, both IPv4 and IPv6) from different providers (including the one I’m leasing a bare metal server from!), and random user-agent headers. To pass the rate limiting threshold (set at three different levels…), it gives plenty of time to make a login request from the same IP address again — like hours, probably — but they have enough IP addresses (possibly hijacked for a botnet) to rotate among them randomly and therefore avoid getting detected by any (known) ML algorithm.
They keep doing this for hours and hours and hours, even if they just do one or two requests per second (at most); sometimes they pause for a few hours, and then come back, at leisure, to continue their attack from where they were.
Needless to say, “I’m Under Attack!” keeps them at bay, at least for a while.
Now, since those websites have so little traffic, I can afford to have this mode turned on for days or even weeks, if necessary. However, I wonder what impact that has over legitimate bots, crawlers, spiders, AI bots, and so forth; because I actually want them to index as much data as possible.
How do the two mechanisms work together? Can I rely upon legitimate bots to go through (i.e., legitimate bots will not need to pass the JS Challenge), while the unknown ones are kept away? Or does this mean that everything gets JS-challenged — including bots?
Thanks for any clarifications!
What steps have you taken to resolve the issue?
- Switch “I’m Under Attack!” mode on. Problem solved. But… what about the bots?
- I searched around the Community Discourse as well as on Google to see if there are other, more appropriate guidelines to follow in such a scenario, but I couldn’t find any; nor could I find any reference to using “I’m Under Attack!” in conjunction with Bot Fighter Mode (which allows the legitimate bots through). I’m not saying that this information isn’t there; I’m just saying that I didn’t find it!
What are the steps to reproduce the issue?
- Install nginx with reasonable levels of security and protection.
- Install WordPress, WordFence, Google Captcha, Jetpack, etc. and whatever plugins you love.
- Install fail2ban.
- Turn all possible security options on that you can find on the Cloudflare dashboard (free tier in my case).
- Wait until you get a hacker wannabe using a reasonably large botnet and run a database of leaked user/password pairs against the WordPress back-office login…
I’m joking, of course. Anyone will have done 1.–4. to a degree or another. And the waiting part is obviously unpredictable!
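An added example, not part of the original post and not Cloudflare's or fail2ban's code, illustrating the detection gap the post describes: a slow credential-stuffing run that rotates IP addresses never trips a per-IP failure threshold, but counting failed wp-login.php POSTs site-wide over a sliding window does expose it. It assumes nginx's combined log format and WordPress's usual behaviour of answering a bad password with 200 (form re-rendered) and a successful login with a 302 redirect; the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# nginx combined log format (assumed): ip - user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: four login attempts from four different addresses (v4 and v6),
# about one per second, with a legitimate crawler hit in between.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0 (X11; Linux x86_64)"
2001:db8::1 - - [10/May/2024:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/7.68.0"
203.0.113.11 - - [10/May/2024:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 - - [10/May/2024:03:14:04 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Googlebot/2.1"
2001:db8::2 - - [10/May/2024:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
"""

def parse_line(line):
    """Return (timestamp, ip, method, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))

def failed_logins(log_text):
    """Failed back-office logins: POSTs to wp-login.php answered with 200 (assumed WordPress behaviour)."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].startswith("/wp-login.php") and rec[4] == 200:
            events.append((rec[0], rec[1]))
    return sorted(events)

def per_ip_peak(events):
    """Most failures seen from any single address; this is all a per-IP jail (fail2ban-style) keys on."""
    return max(Counter(ip for _, ip in events).values(), default=0)

def site_wide_peak(events, window_seconds):
    """Most failures from *any* address inside one sliding window; rotating IPs cannot hide from this."""
    peak, start = 0, 0
    for end, (ts, _) in enumerate(events):
        while ts - events[start][0] > timedelta(seconds=window_seconds):
            start += 1
        peak = max(peak, end - start + 1)
    return peak

if __name__ == "__main__":
    ev = failed_logins(SAMPLE_LOG)
    print(f"{len(ev)} failed logins: per-IP peak {per_ip_peak(ev)}, site-wide peak {site_wide_peak(ev, 10)} in 10 s")
```

With a per-IP threshold of, say, 5 the attack never registers (each address fails once), while the site-wide count over a short window is already well above the normal rate for a low-traffic site; the crawler's GET is not counted at all.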