You're right. This site gets absolutely hammered by bots
Sat Apr 03, 2021 1:46am

Trying out generic WordPress, PHP vulnerabilities and HTML form/query string combinations. (Using A=whatever in the query string is a very common one for some reason.)

I did end up using regular reCaptcha 2 on the create account, forgot password and subscription pages though. I originally didn't have it on the subscription page and I had a bot that found that page and started blasting out subscription email confirmations to random email addresses. Since the recaptcha was added, I haven't had that issue since.

Another interesting one that I got was a bot sending bogus/malicious data in the HTTP headers to different pages. It actually ended up flooding my stats table one day because I didn't have a check to make sure the value was an IPv4 or IPv6 address in the X-Forwarded-For header. (You live and learn!)

Last interesting one was there was a person from Turkey (or through a VPN that "whois"d the source as being in Turkey) a few months ago that was manually trying to post exploits through the Help board POST actions. At first I thought it was a bot but after looking through the logs and stuff, it was definitely just a bored person. Why even bother with this site? Anyway, they were banned once I caught them.

I'm guessing a "roll your own" would probably be sufficient for 99% of cases, but the reCaptchas work. I have a sort-of "roll your own" that's automated on the posting of messages/replies that seems to work so far. Having to do a reCaptcha on a forum post would be awful. I hope it never comes to that, as most people who use this site don't create an account (though there are a surprising number who do!) and it would make the posting experience for non-logged-in users terrible.
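
The X-Forwarded-For check the post above says was missing, as an added example (my code, not Erik_'s site code). It assumes the stats table stores one address per request, that exactly one trusted reverse proxy sits in front of the application and appends the peer address it saw to the header, and that any header entry that is not a literal IPv4/IPv6 address should cause the whole header to be ignored in favour of the socket peer. The constant names, the `MAX_HEADER_LEN`/`MAX_HOPS` bounds and the sample header values are all assumptions constructed for the example, not values from the post.

```python
import ipaddress

# Assumed sanity bounds; a legitimate proxy chain is short and contains only IP literals.
MAX_HEADER_LEN = 256
MAX_HOPS = 10


def parse_xff(header):
    """Parse an X-Forwarded-For value into a list of ip_address objects.

    Returns None if the header is absent, oversized, too long a chain, or if
    any comma-separated entry is not a literal IPv4 or IPv6 address. Port
    suffixes ("1.2.3.4:80"), hostnames and injected markup are all rejected,
    which is what keeps junk out of the stats table.
    """
    if header is None or len(header) > MAX_HEADER_LEN:
        return None
    hops = []
    for raw in header.split(","):
        try:
            hops.append(ipaddress.ip_address(raw.strip()))
        except ValueError:
            return None  # one bad entry poisons the whole header
    if len(hops) > MAX_HOPS:
        return None
    return hops


def client_ip(peer_ip, header, trusted_proxies=1):
    """Address to record for a request.

    peer_ip is the TCP peer (what the server socket actually saw). Only the
    right-most `trusted_proxies` entries were written by proxies we control;
    everything to their left is attacker-supplied and is never used, even when
    it parses. With no trusted proxy the header is ignored entirely.
    """
    if trusted_proxies < 1:
        return peer_ip
    hops = parse_xff(header)
    if hops is None or len(hops) < trusted_proxies:
        return peer_ip  # malformed or too short: fall back to the socket peer
    return str(hops[-trusted_proxies])


# Constructed sample requests (not taken from the site's logs).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "203.0.113.7, 198.51.100.9"),          # normal chain via our proxy
    ("10.0.0.5", "2001:db8::1"),                         # IPv6 client
    ("10.0.0.5", "<script>alert(1)</script>"),           # the kind of junk that filled the table
    ("10.0.0.5", "198.51.100.9:443"),                    # port suffix is not an IP literal
    ("10.0.0.5", "x" * 300),                             # oversized header
    ("10.0.0.5", None),                                  # header missing
]


def demo():
    """Return the address that would be stored for each sample request."""
    return [client_ip(peer, hdr) for peer, hdr in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, hdr), stored in zip(SAMPLE_REQUESTS, demo()):
        print(f"{hdr!r:45} -> {stored}")
```

If the real deployment has two proxies in front (say a CDN and nginx), pass `trusted_proxies=2`; trusting the left-most entry is the mistake that lets a client pick whatever address it likes.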

    • pages don't seem to get hit. *knock on wood* An example (from my reply to Retna's post) was the subscription page that originally didn't have one and got hit but after adding one, it's no longer hit. I'm guessing this small site isn't worth the resources and it's like having an alarm system sign... more
    • Building your own thing has its benefits... - Retna, Fri Apr 02 2021 12:10pm
      I'm sure lots of bots are programmed to look for WordPress boilerplate and HTML structure. But how many surf the web looking for a form that has a field named "answer" and somehow know to fill out that field using the math question nearby? And to do that on a small website like this where there's ... more
      • You're right. This site gets absolutely hammered by bots - Erik_, Sat Apr 03 2021 1:46am
        • I wonder if banning form/query strings that don't return - Puckdropper, Sat Apr 03 2021 2:27am
          anything you want (like A=whatever) would be a good start. I remember seeing a technique published years ago where a form element was hidden (and thus the user would never see it) and its presence or absence was looked for when the form submitted. That only worked so long, though, as bots learned ... more
          • With the message board I'm using SpringMVC which... - Erik_, Tue Apr 06 2021 2:42pm
            I have to specify which query params I want to accept (if any) in the method's parameters. So, if a user enters "?howdy=yall" and I'm not set up to look for a query param named "howdy", it gets completely ignored which is nice. Example for the RSS controller's mapping to get the RSS feed of a m... more
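
The hidden-field check Puckdropper describes above, together with the automated "roll your own" check on posts that Erik_ mentions, as an added example (my code, not the site's). It goes a step past the plain presence/absence test that Puckdropper notes bots eventually learned to pass: the form also carries an HMAC-signed timestamp, so a submission that arrives faster than a human could type, or with a token the server never issued, is rejected as well. The field name `website`, the token field name `form_token`, the `MIN_SECONDS`/`MAX_SECONDS` limits and the per-process secret are all assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed settings. The secret is per process here; a real deployment keeps it in config
# so tokens survive restarts.
SECRET = secrets.token_bytes(32)
HONEYPOT_FIELD = "website"   # rendered hidden with CSS; a human never sees or fills it
TOKEN_FIELD = "form_token"   # hidden field carrying the signed issue time
MIN_SECONDS = 3              # nobody writes a post in under three seconds
MAX_SECONDS = 24 * 3600      # and nobody leaves the reply box open for a day


def _sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Value to embed in the form's hidden token field when the page is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a submitted form dict."""
    # 1. Honeypot: bots that fill every field they find trip this.
    if form.get(HONEYPOT_FIELD):
        return False, "honeypot filled"

    # 2. Token must be present and must have been minted by us.
    ts, _, sig = form.get(TOKEN_FIELD, "").partition(".")
    if not ts.isdigit():
        return False, "missing token"
    if not hmac.compare_digest(sig, _sign(ts)):
        return False, "bad token"

    # 3. Timing: reject bots that fetch the form and post within the same second,
    #    and tokens old enough to have been harvested and replayed much later.
    age = (time.time() if now is None else now) - int(ts)
    if age < MIN_SECONDS:
        return False, "submitted too fast"
    if age > MAX_SECONDS:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed submissions at fixed times so the outcome is reproducible.
    token = issue_form_token(now=1_000)
    print(check_submission({TOKEN_FIELD: token, "body": "hello"}, now=1_010))
    print(check_submission({TOKEN_FIELD: token, "body": "buy now", HONEYPOT_FIELD: "http://spam.example"}, now=1_010))
    print(check_submission({TOKEN_FIELD: token, "body": "hello"}, now=1_001))
```

The honeypot alone is the cheap part and still catches the dumbest crawlers; the signed timestamp is what stops a bot that has learned to leave the hidden field empty, since it cannot forge the token without the secret and cannot post faster than the minimum without being rejected.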