Question about Firewall - can hackers still get login details?

If a website is suffering a constant DDoS attack (about 2 weeks), with at some points over 2000 IP addresses hitting it (although it now seems to be fewer than 10, but still continuing with several per minute; previously it was thousands of hits per minute, which crashed the server until I set it up through Cloudflare), and they keep trying to hit the URI /wp-admin/admin-ajax.php, are they able to find out login details from that URL by continuously spamming it, even though the firewall is showing the attempts as blocked?
I would guess not, as it is showing as blocked, but if they can't, what would be the purpose of them carrying on with the attack? Any help/advice would be appreciated.

Why not just check your server logs and see if they are able to bypass the firewall?

If they are actually getting blocked and they are still trying, sometimes it's some kids thinking that because the request got blocked it means your site is down, and they just keep "putting your site down" as they believe it's working.

Or it may again be some kid who enabled the attack and just let it run; he doesn't even check the results, as he doesn't care (maybe someone paid him a little for that).

Thanks Boynet2 for your reply. I'm not quite sure exactly how to check the server logs, as I've never done it, but I will look into it now (still quite noobish at a lot of these things!). I think my main concern was: is there a way for them to log in using /wp-admin/admin-ajax.php? Is it actually a method you could use? If I type it in (with the dealer's website at the start), I just see a number come up on a web page, but would a hacker be able to try that to access a website or to locate the correct login details, or do you think it's just an attempt to overload the server with traffic?
I am considering moving their email to a different server altogether and then asking my main host company to change the IP for the main website and to keep it "orange clouded" to block them from viewing the new IP. Do you think that would be the best solution?

Yes… it can also be some WP plugin you installed that makes all the requests to this URL.

If your site is not "orange cloud" you should change it to orange and only then change your host IP (also read about how to secure your server when using CF, to block all non-CF requests).
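
As an added example (not part of the original thread or of any Cloudflare tooling), here is the check Boynet2 describes, in Python: read the origin's access log and separate requests that arrived from Cloudflare's published address ranges from requests that hit the origin IP directly. A direct request never passed the Cloudflare firewall, so a "blocked" entry in the Cloudflare dashboard says nothing about it; if direct hits to admin-ajax.php appear, the attacker has the origin IP and the origin itself must refuse non-Cloudflare traffic. The Cloudflare ranges below are a hard-coded subset and are an assumption that must be refreshed from https://www.cloudflare.com/ips-v4 before use; the log lines and all non-Cloudflare addresses are constructed (TEST-NET addresses) and the "combined" log format is assumed.

```python
"""Audit an origin access log for requests that bypassed Cloudflare.

If the site is orange-clouded and the origin only accepts Cloudflare traffic,
every request should come from a Cloudflare address. Anything else reached the
origin IP directly and was never evaluated by the Cloudflare firewall.
"""
import ipaddress
import re
from collections import Counter

# Subset of Cloudflare's published IPv4 ranges, hard-coded so the script runs
# offline. Assumption: refresh from https://www.cloudflare.com/ips-v4 in practice.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Apache/nginx "combined" log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines, not taken from the thread. The addresses that
# are not Cloudflare's are documentation-only TEST-NET addresses.
SAMPLE_LOG = """\
162.158.91.10 - - [10/May/2019:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1 "-" "Mozilla/5.0"
203.0.113.45 - - [10/May/2019:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1 "-" "python-requests/2.21"
203.0.113.45 - - [10/May/2019:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1 "-" "python-requests/2.21"
198.51.100.7 - - [10/May/2019:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
104.16.5.9 - - [10/May/2019:10:00:05 +0000] "GET / HTTP/1.1" 200 15233 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["target"].split("?", 1)[0]  # drop the query string
    return entry


def is_cloudflare(ip):
    """True if the connecting address belongs to one of the embedded Cloudflare ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_V4)


def audit(lines):
    """Count proxied vs direct requests and record which paths and source IPs
    the direct (firewall-bypassing) requests targeted."""
    report = {"total": 0, "via_cloudflare": 0, "direct": 0,
              "direct_paths": Counter(), "direct_ips": Counter()}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        report["total"] += 1
        if is_cloudflare(entry["ip"]):
            report["via_cloudflare"] += 1
        else:
            report["direct"] += 1
            report["direct_paths"][entry["path"]] += 1
            report["direct_ips"][entry["ip"]] += 1
    return report


if __name__ == "__main__":
    r = audit(SAMPLE_LOG.splitlines())
    print(f"{r['total']} requests: {r['via_cloudflare']} via Cloudflare, "
          f"{r['direct']} direct to origin (never saw the Cloudflare firewall)")
    for path, n in r["direct_paths"].most_common():
        print(f"  {n:4d}  {path}")
    for ip, n in r["direct_ips"].most_common():
        print(f"  {n:4d}  from {ip}")
```

On the constructed sample this reports two direct hits on /wp-admin/admin-ajax.php from 203.0.113.45 and one on /wp-login.php, i.e. the origin IP is known to the sender. For requests that did come through Cloudflare, the address in the log is Cloudflare's; the real client address is in the CF-Connecting-IP request header, so the origin's log format has to include that header (or a module such as mod_remoteip/ngx_http_realip has to rewrite the address) before per-attacker counts mean anything.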

You could just create a Cloudflare Firewall rule such as (http.request.uri contains "/wp-admin" and ip.src ne your_static_ip_address) with action Block or Challenge (Captcha).

Thanks Boynet2 for the earlier advice. I tried deactivating all plugins on the website but the requests were still continuing, so I think that rules out the plugin possibility. The website is "orange cloud" already (but they already had the IP), but I'm hoping to switch it to a new server too, to hopefully lose them. I have set the following to "orange cloud": A-autoconfig, A-autodiscover, A-actualwebsitename, CNAME-www. The only other ones that have clouds that are grey now are A-mail, CNAME-imap, CNAME-pop, CNAME-smtp. Should I set any of these to orange as well, or would that affect the email?

Withheld - I just tried that firewall rule (for requests that contact wp/admin), without whitelisting my IP, and tried to log in, and it let me log in fine, yet it showed up on the firewall page on Cloudflare as blocked. But it wasn't, as I got in and was able to do things, which concerns me: it's showing the potential hackers as blocked on the firewall page, but maybe they are getting through. I will need to go back to the host company again to check the server logs, I think.

Thanks again both for your help with this, most appreciated!

Can you post the Firewall Expression Preview? Also, was the Firewall action set to Challenge, Captcha or Block?

Yes sure, I had set it to:
Field : URL
Operator : contains
Value : /wp-admin/admin-ajax.php
Then : Block

Just to see if it would block me accessing, but I could see it allowed me in, yet my IP showed up on the BLOCKED list on Cloudflare.

(I also tried adding the Heartbeat Control plugin, to turn off the heartbeat (for the Dashboard, front end and post editor), just to rule out it being anything to do with the theme/plugins, but the "attack" has still continued.)

Just put URI Path contains /wp-admin. That will stop access to everything in the admin folder. Leave out the trailing /admin-ajax.php.
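
An added example (mine, not from the thread and not Cloudflare's engine) that models the two rule shapes discussed above, the original attempt with URL contains "/wp-admin/admin-ajax.php" and the suggested (http.request.uri contains "/wp-admin" and ip.src ne your_ip) / URI Path contains /wp-admin, together with a country rule like the China/Hong Kong block mentioned later, and evaluates them against constructed WordPress requests. The field semantics follow Cloudflare's documented names (http.request.uri is path plus query string, http.request.uri.path is the path alone, ip.src the client address, ip.geoip.country the country code); the IP addresses and country codes are constructed, and the first-match evaluation order is an assumption of this model. The point it makes concrete: wp-login.php lives at the site root, so logging in exercises neither rule, while the logged-in dashboard itself calls /wp-admin/admin-ajax.php, which is why an administrator's own address can appear in the blocked list under the narrower rule. The request to test such a rule with is the path it covers, not the login form.

```python
"""Offline model of the Cloudflare Firewall Rule expressions discussed in the
thread, evaluated against sample WordPress requests. This is an illustration
of the rule semantics, not Cloudflare's own evaluation engine."""
import ipaddress
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    ip: str             # ip.src
    path: str           # http.request.uri.path
    query: str = ""     # part of http.request.uri, not of http.request.uri.path
    country: str = ""   # ip.geoip.country (constructed values below)

    @property
    def uri(self):
        """http.request.uri: the path followed by the query string, if any."""
        return self.path + ("?" + self.query if self.query else "")


@dataclass
class Rule:
    name: str
    predicate: Callable[[Request], bool]
    action: str  # "block" or "challenge"


def ajax_only_rule():
    """The thread's first attempt: URL contains "/wp-admin/admin-ajax.php" -> Block."""
    return Rule('uri contains "/wp-admin/admin-ajax.php"',
                lambda r: "/wp-admin/admin-ajax.php" in r.uri, "block")


def wp_admin_rule(allow_ips=()):
    """(http.request.uri.path contains "/wp-admin" and ip.src ne <your IP>) -> Block.
    Accepts several allow-listed addresses, generalising the single `ne`."""
    allowed = {ipaddress.ip_address(a) for a in allow_ips}
    return Rule('uri.path contains "/wp-admin" and ip.src not allow-listed',
                lambda r: "/wp-admin" in r.path and ipaddress.ip_address(r.ip) not in allowed,
                "block")


def country_rule(countries, action="challenge"):
    """ip.geoip.country in {"CN" "HK"} -> Challenge (the China/Hong Kong block)."""
    wanted = set(countries)
    return Rule(f"ip.geoip.country in {sorted(wanted)}",
                lambda r: r.country in wanted, action)


def evaluate(rules, request):
    """First matching rule decides; no match means the request is allowed.
    (Assumption of this model: rules are evaluated in list order.)"""
    for rule in rules:
        if rule.predicate(request):
            return rule.action
    return "allow"


# Constructed sample traffic (not from the thread); TEST-NET addresses only.
ADMIN_IP = "198.51.100.7"
ATTACKER_IP = "203.0.113.45"

SAMPLES = {
    "attacker -> admin-ajax": Request(ATTACKER_IP, "/wp-admin/admin-ajax.php", "action=heartbeat", "CN"),
    "attacker -> wp-login":   Request(ATTACKER_IP, "/wp-login.php", country="CN"),
    "admin -> wp-login":      Request(ADMIN_IP, "/wp-login.php", country="GB"),
    "admin -> dashboard":     Request(ADMIN_IP, "/wp-admin/", country="GB"),
    "admin -> admin-ajax":    Request(ADMIN_IP, "/wp-admin/admin-ajax.php", "action=heartbeat", "GB"),
}


def decisions(rules):
    """Map each sample request label to the action the rule set would take."""
    return {label: evaluate(rules, req) for label, req in SAMPLES.items()}


if __name__ == "__main__":
    scenarios = (
        ("admin-ajax only, no allow-list", [ajax_only_rule()]),
        ("/wp-admin with admin IP allow-listed", [wp_admin_rule([ADMIN_IP])]),
        ("/wp-admin allow-listed, plus CN/HK challenge",
         [wp_admin_rule([ADMIN_IP]), country_rule({"CN", "HK"})]),
    )
    for title, rules in scenarios:
        print(title)
        for label, action in decisions(rules).items():
            print(f"  {action:9s} {label}")
```

Under the first rule both "admin -> wp-login" and "admin -> dashboard" are allowed while "admin -> admin-ajax" is blocked, so a login test succeeds and the administrator's address still lands in the blocked log. Under the suggested rule with the administrator allow-listed, every admin request is allowed and the attacker's admin-ajax requests are blocked; the attacker's hits on wp-login.php are untouched by either path rule and are only caught once the country rule is added.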

Thanks Withheld, I just tried doing that now (but without setting it to allow my IP), but it still let me log into the website, and it didn't show up on the block list either that time. I tried setting one as an IP block, on my own IP address; that worked (and showed up in the log), but I'm not sure whether the other ones it says are blocked are actually getting blocked. So now, as the number of IP addresses they are using has reduced dramatically (it was over 2000 in 24 hrs at one point but is now just half a dozen, although they do change), I might try adding them manually (as well as keeping in the block for China/Hong Kong, to see if that helps).
As mentioned above, long term we plan to switch to a new server. Would the settings I mentioned above about the "orange cloud" status be correct for when we move to the new server, to stop hackers being able to locate it?
i.e. I have set the following to "orange cloud": A-autoconfig, A-autodiscover, A-actualwebsitename, CNAME-www. The only other ones that have clouds that are grey now are A-mail, CNAME-imap, CNAME-pop, CNAME-smtp. Should I set any of these to orange as well, or would that affect the email?
Hope you can help with this, and really, thank you for the earlier help/comments.

One other question - I just noticed, when logging into WordPress, that when I try to click on the theme framework on there (where you can adjust things) it doesn't seem to be "connecting"; I just get the spinning circle thing and it isn't allowing me to make any changes. Do you think that could be the cause of it, maybe? i.e. it could be theme related as opposed to plugin related, as first thought? The theme has been fully updated but has had modifications in the past; they are all still there after the update and have not been overridden, but maybe it's one of the mods done that has caused this, although why it suddenly started happening I'm unsure.

https://support.cloudflare.com/hc/en-us/articles/200169626-What-subdomains-are-appropriate-for-orange-gray-clouds-

Turn off the test Firewall rule you just created and see if that works.

Thanks Withheld, it says on there that they suggest leaving autodiscover as grey, but all seems to be working OK as orange; I'm just trying to hide the IP as much as possible. The rest seem to be set as they suggest.
I tried turning off all Firewalls to see if it allowed the main theme page to show, but it didn't. I have emailed the theme developer for advice, as I'm wondering if that is what is causing the "pinging" all the time, to see if there would be a reason for it to cause traffic via Hong Kong/China, although I did notice in the firewall logs there were a couple of attempts from China trying to access wp-login as well (only a few). I will wait to see what the theme developer comes back with; if they say it may be theme related, I will get a coder in to try to fix the issue (it needs fixing anyway, really, in case we want to change options). If not, I think the best course is to switch server, as this has gone on for about 3 weeks now altogether, and I'm not sure if they are ever going to give up if it is someone trying to access it. Thanks once again for all your help!
