Protecting WP-Content

I have been seeing suspicious GET requests to various files in our WordPress /WP-Content folder. I use WP-Cerber Traffic Inspector to study these requests. One of the main folders targeted is the images in /WP-Content/Uploads. However, each of the requests gets a 404 error, as the last few characters of the genuine image name have been replaced with the following: %E2%80%A6

I set up a Cloudflare firewall rule to block these requests. Studying the Firewall log in Cloudflare, I can see that the requests come into Cloudflare as valid file names that do exist in /WP-Content/Uploads. Therefore, I conclude that (when there is no Firewall rule) Cloudflare is modifying the file name with the %E2%80%A6 as a security measure. Am I correct in thinking this?

Also, with a Firewall rule blocking /WP-Content access, I see many blocks on /WP-Content/Plugins and /WP-Content/Themes. I do not see these in the WP-Cerber logs when the Firewall rule is turned off. Therefore, is Cloudflare blocking these requests as default behaviour?

As a general point, I do not see any valid requests from whitelisted IPs to the /WP-Content folder, so I am inclined to block all access.

Thanks for your thoughts.

This might be a good use case for Normalizing URLs.


Thanks - I am using a Transform Rule to modify incoming parameters, but for another issue that is not a security one. I have Firewall Rules set for the issue I refer to in this post and am trying to understand what Cloudflare does as default.

I’m not sure what the question is. You said you saw % characters in your inspector, so you created a firewall rule to block these. But when you check the blocked requests in the firewall rule, those characters don’t show up. It sounds like the firewall log just doesn’t show those characters.

But you think Cloudflare modifies these without an active firewall rule, yet you see these requests in your inspector. This sounds contradictory.

Also when the firewall rule is off, you don’t see these requests in your inspector. It’s quite likely because they’re cached.

I suggest that you not block access to the wp-content directory.

I just checked what %E2%80%A6 decodes to, and it’s an ellipsis (…)

That’s certainly interesting, so I have no idea what’s generating that. It could very well be that whatever is trying to scrape your site has a character limit.

Hi - thanks for looking at this. It’s not easy to describe and I guess not easy to understand.

What I see in the Inspector log is typically : /wp-content/uploads/2017/10/Everyday-Fruit-Cake%E2%80%A6 - this gets a 404 response.

If I switch on a FW rule to block access in CF, then I see this (obviously a different time but similar request) : /wp-content/uploads/2017/10/Everyday-Fruit-Cake-pin-1-150x150.jpg

Personally, I am unclear as to why these requests are being made as normal access is via a recipe page that contains the images. Therefore I am suspicious as to what is going on as there are many of these from IP addresses that I am not sure about.

As regards your comment on requests being cached, that does make sense. Thanks.

I take your point about allowing access to the WP-Content directory. I just need to be sure that we are not at risk and why these files are being requested outside of a normal page access.
Thanks for your time on this. Keith

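As an added example (not part of the original thread, and not Cloudflare's or WP Cerber's code), the following Python script checks the "scraper with a character limit" hypothesis raised above against log lines. It percent-decodes each requested path (so %E2%80%A6 becomes the ellipsis character U+2026), flags paths that end in that character, and tests whether the truncated stem is a prefix of a file that really exists, which is exactly what a length-limited copy of a real image URL would look like. The log lines, the client IPs and the list of existing upload files are all constructed for the example; the log format and the `classify` / `truncated_requests_by_ip` helpers are the example's own, not a WP Cerber or Cloudflare format or API.

```python
"""Flag percent-encoded ellipsis (U+2026, %E2%80%A6) requests in access logs.

Decodes each requested path, flags paths ending in an ellipsis, and checks
whether the truncated stem is a prefix of a known existing file, i.e. whether
the request looks like a real filename cut short by a length-limited client.
"""
import re
from collections import Counter
from urllib.parse import unquote

ELLIPSIS = "\u2026"  # percent-encodes as %E2%80%A6 in UTF-8

# Constructed sample log lines (not taken from the original post), in a minimal
# "client-ip method path status" shape used only by this example.
SAMPLE_LOG = """\
203.0.113.7 GET /wp-content/uploads/2017/10/Everyday-Fruit-Cake%E2%80%A6 404
203.0.113.7 GET /wp-content/uploads/2017/10/Lemon-Drizzle-Loaf%E2%80%A6 404
198.51.100.23 GET /wp-content/plugins/example-plugin/readme.txt 404
192.0.2.5 GET /wp-content/uploads/2017/10/Everyday-Fruit-Cake-pin-1-150x150.jpg 200
192.0.2.5 GET /recipes/everyday-fruit-cake/ 200
"""

# Constructed list of files assumed to exist under wp-content/uploads.
KNOWN_FILES = [
    "/wp-content/uploads/2017/10/Everyday-Fruit-Cake-pin-1-150x150.jpg",
    "/wp-content/uploads/2017/10/Everyday-Fruit-Cake-pin-1.jpg",
    "/wp-content/uploads/2017/10/Lemon-Drizzle-Loaf-300x200.jpg",
]

LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line; return a dict with the percent-decoded path, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # unquote() decodes %XX sequences as UTF-8, so %E2%80%A6 becomes "…".
    rec["decoded"] = unquote(rec["path"])
    rec["status"] = int(rec["status"])
    return rec


def truncated_candidates(decoded_path, known_files=KNOWN_FILES):
    """For a path ending in an ellipsis, return the known files its stem could be.

    Returns None when the path does not end in an ellipsis at all.
    """
    if not decoded_path.endswith(ELLIPSIS):
        return None
    stem = decoded_path[: -len(ELLIPSIS)]
    return [f for f in known_files if f.startswith(stem)]


def classify(line, known_files=KNOWN_FILES):
    """Label one line as 'truncated', 'ellipsis-nomatch' or 'normal'; None if unparseable."""
    rec = parse_line(line)
    if rec is None:
        return None
    cands = truncated_candidates(rec["decoded"], known_files)
    if cands is None:
        kind = "normal"                 # no ellipsis: an ordinary request
    elif cands:
        kind = "truncated"              # ellipsis, and the stem matches real files
    else:
        kind = "ellipsis-nomatch"       # ellipsis, but nothing on disk starts that way
    return {"ip": rec["ip"], "path": rec["decoded"], "status": rec["status"],
            "kind": kind, "candidates": cands or []}


def truncated_requests_by_ip(log_text, known_files=KNOWN_FILES):
    """Count ellipsis requests per client IP; many from one IP points at a single scraper."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = classify(line, known_files)
        if rec and rec["kind"] != "normal":
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = classify(line)
        if rec:
            print(f'{rec["ip"]:<14} {rec["kind"]:<17} {rec["path"]} -> {rec["candidates"]}')
    print("ellipsis requests per IP:", truncated_requests_by_ip(SAMPLE_LOG))
```

Run it against a real export by replacing `SAMPLE_LOG` with your own lines (adjust `LINE_RE` to your log format) and `KNOWN_FILES` with a directory listing of wp-content/uploads. A request classed as `truncated` whose stem matches several real thumbnails is consistent with the character-limit explanation; `ellipsis-nomatch` results point at something other than a cut-short copy of a genuine URL. Because the check runs on the decoded path, it gives the same answer whether a log shows the raw `%E2%80%A6` or the decoded character.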
