[Wordpress]: Bot attack from own instance/misconfigured Firewall? #1470
Comments
Wish somebody could reply... :(
I'm having similar problems: every 8 to 10 hours the server is inaccessible (can't log in via ssh or anything).
I suggest you take a look at these guides to know if there is any performance issue or if there is a bot/attacker accessing your site with malicious intentions: https://docs.bitnami.com/general/faq/troubleshooting/troubleshoot-server-performance/ You will also need to review the PHP log file to see if there is any error there. You can find a related thread here: Finally, there are security plugins like Wordfence that will probably help you improve the security and performance of your site.
ps -e -orss=,args= | sort -b -k1,1n | pr -TW$COLUMNS
You have a huge number of PHP-FPM processes, and that means that there are a lot of connections. I do not know why your own IP is the one generating that many requests, but I think that a plugin is doing that. Have you installed one recently? I suggest you install Wordfence to analyze your system and look for malicious code. I also suggest you disable the plugins to confirm the issue is solved. You can enable them one by one later to find the culprit.
It seems that the issue is ANY caching plugin. Wp-Rocket, Redis Object Cache and LiteSpeed Cache all result in a high number of connections to the database being generated. Since it's three caching plugins that end up manifesting the same issue, would it be reasonable to assume that the problem isn't actually the plugins, but some other misconfiguration?
A caching plugin shouldn't be generating such a large number of requests. They should generate a request when necessary. Please ask the developers of those plugins to get more information.
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
Platform
AWS
bndiagnostic ID
5d578917-5b8e-3928-df71-4f8a50ac8c35
bndiagnostic output
bndiagnostic was not useful. Could you please tell us why?
The link guides seem very general and having looked at them we are none the wiser as to how to fix the issue(s)
Describe your issue as much as you can
You'll have to excuse us as we know very, very little about all this. We've been running a community website for 50+ songwriters via AWS Lightsail using Bitnami Wordpress. Starting a few days ago we seem to have been under a bot attack which effectively took our website down, maxing out our database:
We ran the diagnostic tool and that also suggested that 'A high number of incoming requests originate from one or more unique IP addresses. This could indicate a bot attack.' However when running the relevant suggested command "tail -n 10000 access_log | awk '{print $1}'| sort| uniq -c| sort -nr| head -n 10" it returns on top our own instance: "8765 35.176.XX.XXX".
Puzzlingly the diagnostic tool also flagged up that Server ports 22, 80 and/or 443 are not publicly accessible. I can see that these are indeed the ports that are specified in AWS Lightsail under IPv4 Firewall, but presumably we don't want to have these publicly accessible as that would be a massive security risk, would it not?
Something seems to have gone wrong, but to repeat we know almost nothing about servers, etc. and have no idea how to fix the issue(s). Any help would be greatly appreciated!
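A follow-up to the diagnostic one-liner quoted in the report, added here as an example that is not part of the original thread or of Bitnami's tooling: once one address tops the list, break its requests down by path and User-Agent to see what is generating them. The function names, the log lines and 203.0.113.10 (standing in for the instance's own public IP) are constructed, and the log is assumed to be in Apache combined format.

```shell
#!/bin/sh
# Added example: hypothetical function names, constructed log lines.
# 203.0.113.10 stands in for the instance's own public IP.
sample_log() {
cat <<'EOF'
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-cron.php?doing_wp_cron=1704103201.1 HTTP/1.1" 200 0 "-" "WordPress/6.4; https://example.test"
203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "GET /songs/ HTTP/1.1" 200 5120 "-" "ExamplePreloader/1.0"
203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-cron.php?doing_wp_cron=1704103203.2 HTTP/1.1" 200 0 "-" "WordPress/6.4; https://example.test"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-cron.php?doing_wp_cron=1704103205.3 HTTP/1.1" 200 0 "-" "WordPress/6.4; https://example.test"
198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:10:00:07 +0000] "GET /feed/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# Busiest client address in the log read from stdin
# (same question the diagnostic one-liner answers).
top_ip() {
  awk '{c[$1]++} END {for (k in c) print c[k], k}' | sort -nr | awk 'NR==1 {print $2}'
}

# Requests per path for one client IP; the query string is stripped so
# that /wp-cron.php?doing_wp_cron=... collapses into a single row.
paths_for_ip() {
  awk -v ip="$1" '$1 == ip {split($7, p, "?"); c[p[1]]++}
       END {for (k in c) printf "%d\t%s\n", c[k], k}' | sort -nr
}

# Requests per User-Agent for one client IP. Splitting on double quotes
# makes the User-Agent the 6th field of a combined-format line.
agents_for_ip() {
  awk -F'"' -v ip="$1" '{split($1, a, " ")} a[1] == ip {c[$6]++}
       END {for (k in c) printf "%d\t%s\n", c[k], k}' | sort -nr
}

own_ip=203.0.113.10   # constructed; substitute the instance's public IP
top=$(sample_log | top_ip)
echo "busiest client: $top"
if [ "$top" = "$own_ip" ]; then
  echo "busiest client is this server itself; requests by path, then by User-Agent:"
  sample_log | paths_for_ip "$top"
  sample_log | agents_for_ip "$top"
fi
```

On a real server, replace `sample_log |` with `tail -n 10000 access_log |` so the breakdown covers the same window as the command in the report.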