Too many requests per second to /wp-content/uploads/ (WordPress)

When I activate Under Attack Mode, I see too many requests (filtering service: security level) under the path /wp-content/uploads/, sometimes up to 8 or 10 times per second from the same IP.
Those image paths are valid, for example /2021/03/31-3.jpg or, in the same second, /2020/10/B4-21-100-780x470.jpg. Sometimes they are old images; this was logged yesterday.
Several IPs show the same behavior, several times a day.
My question is, is this normal? (It doesn't seem to be.) And if not, how can I control it? I just can't keep adding firewall rules, since those IPs will change.

Thank you for any help on the matter.

You may want to consider Rate Limiting. You can apply a Rate Limit rule to specific paths or to a domain.

It is a scalable solution when dealing with DDoS attacks as you can limit how many times an IP can hit your server or resources.

Take a look at the following docs:

You can also apply Firewall Rules; however, if the IPs change, as they do with a distributed attack, then adding rate limiting as an additional layer of protection will come in handy here.


Thank you for your reply, blas.
Do you think this is not normal? It doesn't seem to be bots, because the ASN shows a regular provider; sometimes it is the same ASN as mine.

I did try to create a firewall rule for /wp-content/uploads, but with no success (unless I have to move it to the top of the firewall rules list). I don't know if it is logged because they type this whole URL into the browser or because it is part of a post being read.

I have the same behavior with other WordPress paths, for example:
/wp-content/themes or
/wp-content/plugins, etc.
The same: I don't know if it is normal or not, because they access different paths, from the same IP, 2-3 times per second, for 4-5 seconds.

Thank you again

So it’s not just a user’s browser quickly requesting all the assets that make up a page on your site?

Hi, thank you for your reply.
Apparently those requests are valid and can't be managed as I thought (with a FW rule).
I did move a rule for /uploads/ (JS Challenge) to the top of the FW rule list; after that, some of the homepage images (new ones) appeared broken, so I had to delete it.
I thought that those URLs were requested directly somehow, but I think not.
The same happened when I saw hundreds of requests to favicon.ico, so I made a rule to challenge it; after that I saw an error in the browser, a 503 when retrieving the favicon, so in the end those were also valid requests, and I removed the rule.
It happened again when I tried to block some wp-json calls to authors and categories (I saw a lot of them); I thought it was a bot, probably some of them were, but then again I discovered that those were used internally.
I guess I'm still learning.
Thank you!
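The thread's conclusion is that a single page load makes a browser fetch every image on the page within the same second, which looks like a burst if you only count requests per IP. As an added example (not code from this thread or from Cloudflare), the script below groups combined-format web server log lines by IP and second and separates bursts whose requests all carry a Referer from the site's own pages (a normal page load) from bursts with no such Referer, which are the ones worth a rate-limit rule. The log lines, the IPs and the hostname example.com are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

SITE_HOST = "example.com"   # assumption: the WordPress site's own hostname
BURST_THRESHOLD = 3         # /wp-content/ requests from one IP within one second

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify_bursts(lines, site_host=SITE_HOST, threshold=BURST_THRESHOLD):
    """Bucket /wp-content/ requests by (ip, second); label each burst."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith("/wp-content/"):
            buckets[(rec["ip"], rec["ts"])].append(rec)
    findings = []
    for (ip, ts), recs in sorted(buckets.items()):
        if len(recs) < threshold:
            continue
        # A browser loading one of our pages sends that page as the Referer on every asset.
        own_page = all(urlparse(r["referer"]).hostname == site_host for r in recs)
        verdict = "page-load" if own_page else "suspicious"
        findings.append({"ip": ip, "second": ts, "count": len(recs), "verdict": verdict})
    return findings

def _line(ip, path, referer):
    # Constructed sample line; the fixed timestamp puts all samples in one second.
    return (f'{ip} - - [31/Mar/2021:10:00:00 +0000] "GET {path} HTTP/1.1" 200 4096 '
            f'"{referer}" "Mozilla/5.0"')

POST = "https://example.com/2021/03/some-post/"
SAMPLE_LOG = [                                           # constructed, not real traffic
    _line("198.51.100.7", "/2021/03/some-post/", "-"),   # visitor opens a post ...
    *[_line("198.51.100.7", f"/wp-content/uploads/2021/03/img-{i}.jpg", POST) for i in range(4)],
    *[_line("203.0.113.9", f"/wp-content/uploads/2020/10/img-{i}.jpg", "-") for i in range(4)],
    _line("192.0.2.44", "/wp-content/uploads/2021/03/lone.jpg", "-"),  # single hit, no burst
]

if __name__ == "__main__":
    for f in classify_bursts(SAMPLE_LOG):
        print(f"{f['ip']:<14} {f['count']} req/s  {f['verdict']}")
```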
