More than 14.000 security events registered every day, help!

What is the name of the domain?

elandroidefeliz.com

What is the issue you’re encountering?

I have a lot of security events (+14.000) registered every day. Most of them target the path /wp-json/tdw/save_css but Cloudflare’s firewall stops them. The problem is that these attacks happen every few seconds, so I assume this is a security threat that’s also slowing down my site.

What steps have you taken to resolve the issue?

Analyzing the sources of the events, I see that about 4k of them come from my own website’s hosting server, so probably my site is infected (it was infected in the past but cleaned by a cybersecurity firm). But another 4 thousand events come from an external IP (94.102.51.95) that has a lot of URL reports when you try to investigate it with Cloudflare’s Security Center Investigate tool.

The remaining events come from different IPs that have been previously reported in the “brute force” and “bad web bot” categories in the AbuseIPDB tool’s database. Most of the attacks come from the Netherlands, France, Ireland and the United States. My website is hosted in Spain and it’s in Spanish.

Now I’m trying to scan my server for malware code, so maybe I can get rid of the 4.000 attacks that originate from my own server. But is there something I can do to prevent those external attacks? As I say, Cloudflare’s firewall is blocking them, but I need to make them disappear.

What is the current SSL/TLS setting?

Full

Screenshot of the error

You should review the requests… it’s possible those requests are coming from your origin to URLs because your origin resolves the hostnames to the Cloudflare IP and not the local IP address causing requests to buttonhook unnecessarily and may not be evidence of a security issue at all.

Hi cscharff,

Thank you very much for your fast reply. I’ve looked at the requests and here’s a screenshot with a couple examples of what I see (most of them are GET and POST requests):

I’ve also checked one of the source IPs (with more than 3k requests today) and this is what Cloudflare shows about it:

Those domain names look a little bit suspicious, but I don’t know what this means exactly.

About your theory, if those events are caused by Cloudflare IPs, how is it possible that they’re located in countries like the Netherlands or Ireland, if my site is in Spanish and most of my visitors come from Spain and South America? Shouldn’t those IPs be registered in the nearest countries like Spain or Mexico?

Thanks again for your help. Best regards,
Aitor

I was speaking to the 4k requests from your own IP you believed to be malicious.

You are looking at security events the others are already being addressed by are they not?

None of those are Cloudflare IPs, you will need to revisit what I wrote. It applies to your origin server requests specifically.
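
Added example, not part of any post in this thread: a small Python triage script for the point made in the replies above, separating events whose source is the origin server itself from external sources, and checking whether the origin resolves its own hostname to a Cloudflare address. The origin IP, the event records, the `/wp-cron.php` and `/wp-login.php` paths and the `example.com` placeholder are constructed assumptions; the Cloudflare ranges are a partial snapshot.

```python
import ipaddress
import socket
from collections import Counter

# Partial snapshot of Cloudflare's published IPv4 ranges (assumption: refresh
# the list from https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
    "162.158.0.0/15", "188.114.96.0/20", "141.101.64.0/18",
)]

def is_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def loops_through_cloudflare(resolved_ips):
    """True if the site's hostname, as resolved on the origin itself, points at
    Cloudflare, so the server's requests to its own URLs pass through the WAF."""
    return any(is_cloudflare(ip) for ip in resolved_ips)

def triage(events, origin_ip):
    """Count events per (source IP, path), split into own-server and external."""
    own, external = Counter(), Counter()
    for ev in events:
        bucket = own if ev["ip"] == origin_ip else external
        bucket[(ev["ip"], ev["path"])] += 1
    return own, external

# Constructed sample: 203.0.113.10 stands in for the origin server's public IP.
ORIGIN_IP = "203.0.113.10"
EVENTS = [
    {"ip": "203.0.113.10", "path": "/wp-cron.php"},
    {"ip": "203.0.113.10", "path": "/wp-cron.php"},
    {"ip": "94.102.51.95", "path": "/wp-json/tdw/save_css"},
    {"ip": "94.102.51.95", "path": "/wp-json/tdw/save_css"},
    {"ip": "94.102.51.95", "path": "/wp-json/tdw/save_css"},
    {"ip": "198.51.100.7", "path": "/wp-login.php"},
]

if __name__ == "__main__":
    # Run on the origin server; replace the placeholder with the site's hostname.
    resolved = socket.gethostbyname_ex("example.com")[2]
    print("own hostname resolves to Cloudflare:", loops_through_cloudflare(resolved))
    own, external = triage(EVENTS, ORIGIN_IP)
    print("own-server events:", dict(own))
    print("top external sources:", external.most_common(3))
```
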

Yeah, you’re probably right. I’ve scanned and audited my site and it looks like it’s clean.
About the other events that already are being taken care of by Cloudflare Firewall, is there anything I can do to make them stop targeting my site? It’s been going on for months and there’s thousands of them every day.

Thank you very much and best regards,
Aitor

You could block countries if you are confident that no visitors from those countries should be allowed. They will still show up in the logs though.