You're right. This site gets absolutely hammered by bots
Sat Apr 03, 2021 1:46am
Trying out generic WordPress, PHP vulnerabilities and HTML form/query string combinations. (Using A=whatever in the query string is a very common one for some reason.)
I did end up using regular reCaptcha 2 on the create account, forgot password and subscription pages though. I originally didn't have it on the subscription page and I had a bot that found that page and started blasting out subscription email confirmations to random email addresses. Since the recaptcha was added, I haven't had that issue since.
Another interesting one that I got was a bot sending bogus/malicious data in the HTTP headers to different pages. It actually ended up flooding my stats table one day because I didn't have a check to make sure the value was an IP v4 or v6 address on the X-FORWARDED-FOR header. (You live and learn!)
Last interesting one was there was a person from Turkey (or through a VPN that "whois"d the source as being in Turkey) a few months ago that was manually trying to post exploits through the Help board POST actions. At first I thought it was a bot but after looking through the logs and stuff, it was definitely just a bored person. Why even bother with this site? Anyway, they were banned once I caught them.
I'm guessing a "roll your own" would probably be as sufficient for 99% of cases but the recaptchas work. I have a sort-of "roll your own" that's automated on the posting of messages/replies that seems to work so far. Having to do a reCaptcha on a forum post would be awful. I hope it never comes to that as most people who use this site don't create an account (though there are a surprising amount that do!) and it would make the posting experience from non-logged in users terrible.
pages don't seem to get hit. *knock on wood* An example (from my reply to Retna's post) was the subscription page that originally didn't have one and got hit but after adding one, it's no longer hit.
I'm guessing this small site isn't worth the resources and it's like having an alarm system sign... more
absolutely hammered. Other pages were untouched, but that one comments page was posted to something like 800 times by bots.
They haven't cared to register and comment, but I also turned off comments on posts older than a year (and all of them are now) so the page isn't seeing anything at all.
I'm sure lots of bots are programmed to look for WordPress boilerplate and HTML structure. But how many surf the web looking for a form that has an field name "answer" and somehow know to fill out that field using the math question nearby? And to do that on a small website like this where there's ... more
You're right. This site gets absolutely hammered by bots- Erik_,Sat Apr 03 2021 1:46am
anything you want (like A=whatever) would be a good start. I remember seeing a technique published years ago where a form element was hidden (and thus the user would never see it) and its presence or absence was looked for when the form submitted. That only worked so long, though, as bots learned ... more
I have to specify which query params I want to accept (if any) in the method's parameters. So, if a user enters "?howdy=yall" and I'm not set up to look for a query param named "howdy", it gets completely ignored which is nice.
Example for the RSS controller's mapping to get the RSS feed of a m... more