WAF - breaking wordpress - admin-ajax - php exploit

If I ‘managed challenge’ URIs containing admin-ajax, weird parts of WordPress break.

But my Linux server is finding tons of malicious files being uploaded to domain/wp-admin/admin-ajax.php.

Is there any way to stop this upload traffic?

e.g. scan message from my server
(compressed file: .sp3ctra_XO.php [depth: 1]) Known exploit = [Fingerprint Match] [PHP Upload Exploit [P2000]]

Anyone?

Depending on how the uploads are being performed, you could disable all but GET requests to the file.

admin-ajax.php is weird. It’s in wp-admin but it’s called from the front-end as well as the back-end, so blocking access to it will break stuff, depending on what themes and plugins you are using.

Traffic to it can be normal. Infinite scroll plugin? Ajax search for WooCommerce? It’ll call that endpoint. It could be your theme, too. How do you know the traffic is malicious?

It well could be. Lots of probes happen to various WordPress files. For fun, I created a WAF rule for any .php URLs (on a Pages site that obviously doesn’t use PHP) just so I could enjoy seeing all the probes in the WAF logs.

But yeah, you can’t block access to that URL or your site will break.
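
An added example, not part of the thread: one way to check from the web server's access log which clients are hitting admin-ajax.php, with which methods, and whether their POSTs come from the site's own pages, before deciding what a WAF rule can safely challenge. The combined log format, the `example.com` host, the sample lines and the `min_posts` threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache/nginx "combined" log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "python-requests/2.31"
198.51.100.20 - - [10/May/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=load_more&page=2 HTTP/1.1" 200 1432 "https://example.com/blog/" "Mozilla/5.0"
198.51.100.20 - - [10/May/2024:10:00:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 311 "https://example.com/shop/" "Mozilla/5.0"
192.0.2.5 - - [10/May/2024:10:00:11 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"

def summarize(log_text, site_host):
    """Per-client summary of requests to admin-ajax.php."""
    stats = defaultdict(lambda: {"methods": Counter(), "actions": Counter(),
                                 "offsite_posts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or urlsplit(m["target"]).path != AJAX_PATH:
            continue
        entry = stats[m["ip"]]
        entry["methods"][m["method"]] += 1
        # The action is only visible when it is in the query string;
        # POST bodies are not in the access log.
        query = urlsplit(m["target"]).query
        for action in parse_qs(query).get("action", []):
            entry["actions"][action] += 1
        # Theme/plugin AJAX is fired by a page on the site, so a browser sends a
        # same-host Referer. A missing or foreign one is a triage signal only:
        # the header can be forged or stripped.
        if m["method"] == "POST" and urlsplit(m["referer"]).hostname != site_host:
            entry["offsite_posts"] += 1
    return stats

def review_candidates(stats, min_posts=2):
    """Clients with at least min_posts POSTs lacking a same-site Referer."""
    return sorted(ip for ip, s in stats.items() if s["offsite_posts"] >= min_posts)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, "example.com")
    print(review_candidates(result))
```

The per-client method and action counts show what legitimate front-end traffic looks like on the site, which is what a challenge rule would need to exclude.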
