[Defender] Site was down.

Got error 500, but it’s fixed now. Please check the logs and advise on further actions.

Adam (Support Gorilla)

    Hi revalvar

    I hope you’re well today and thank you for reaching out to us!

    I checked the site and logs. The site appears to be clean now, so that’s good news. I see that Defender is installed and active and the domain is directed through CloudFlare, so that’s good as well.

    As for what happened – it’s difficult to say exactly, as we can only “estimate” based on the available logs, but it actually looks like a quite typical (unfortunately) bot attack on the site. Pretty much every site that’s publicly available on the web sooner or later gets “picked up” by some bot networks that start to attempt to break in.

    It’s very easy and fast to detect whether it’s a WordPress-based site or not (no matter what precautions you take to hide that), so knowing that, such a bot network would start “attacking” the login, trying to log in using leaked lists of logins and passwords (“leaked” as in lists of leaked credentials from various services that are around the web – there are literally tons of those available) and/or to brute-force the password. Sometimes that works.

    But there’s also another way that’s very common – it’s just exploring/checking any possible known vulnerabilities (e.g. calling some specifically prepared URLs to inject malicious code into the site).

    This is all automated and in most cases it’s not really targeted at the specific site – it’s just a bot network that brutally tries to “break in” to whatever site it can. Often an outdated plugin or theme can be a “wide-open gate” to the site, so it’s critically important to keep everything up to date.

    So what to do to further protect the site?

    1. make sure that the site’s always kept fully up to date
    2. it’s already directed through CloudFlare, so that’s a good thing
    3. make sure that there are no “inactive” users, especially “admin” level
    4. keep passwords strong
    5. I’d strongly recommend enabling (and setting it to forced/required) Two-Factor Auth in Defender, as it will add an additional, very strong “barrier” to login
    6. use login masking to change the default login URL (Defender Pro -> Advanced Tools -> Mask Login Area)
    7. remove all unused plugins and themes from the site (not just disable but remove)
    8. review plugins and see if there are any that are not really necessary and could possibly be removed; sometimes there are plugins that are “leftovers” from testing or, for example, they do something very simple that’s not required on the site or can be replaced with a small line of CSS or other custom code – it’d be good to remove such plugins if they are there

    Keep all your e-mails secure and make sure that all the devices you’re using to manage the site are “clean” (no viruses or other malicious software) – this is actually very important even though it’s not directly related to WordPress.

    I’d also suggest scheduling Defender “File Scans” to make sure that the site is regularly checked, so you could react fast if anything is detected.

    Then there’s also IP blocking. I see that you’ve already got the IP Lockouts feature enabled in Defender, so that’s good, but please review the lockouts log there; you might want to blacklist all the IPs listed there that

    – you don’t recognize
    – and that either tried to log in to the site (especially using logins that you don’t recognize as well) and/or tried to visit some “weird” URLs (such as e.g. URLs pointing directly to some WP core files or theme/plugin files, or URLs that include some “strange” complex parameters)

    For now, you might also want to keep Audit Logging enabled to keep an eye on user activity on site.

    Best regards,
    Adam
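
One way to apply the two lockout-log criteria from the reply above (unrecognised IP, plus unknown login names or “weird” URLs such as direct core/theme/plugin file paths or strange parameters), as an added example that is not Adam’s or Defender’s own code. The log layout, the known-user list and the owner’s IP addresses are constructed assumptions, not Defender’s real export format.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed lockout-log sample (assumed layout, not Defender's real export):
# "timestamp | ip | event | detail"; a "login" event carries the username tried,
# a "request" event the URL that was requested before the lockout.
SAMPLE_LOG = """\
2023-05-10 02:14:11 | 203.0.113.7 | login | admin
2023-05-10 02:14:12 | 203.0.113.7 | login | test
2023-05-10 02:15:03 | 198.51.100.9 | request | /wp-content/plugins/foo/readme.txt
2023-05-10 02:15:04 | 198.51.100.9 | request | /wp-includes/wlwmanifest.xml
2023-05-10 08:01:00 | 192.0.2.44 | request | /?p=1&x=%3Cscript%3E&y=../../etc/passwd
2023-05-10 09:00:00 | 192.0.2.50 | login | editor_jane
2023-05-10 09:05:00 | 192.0.2.50 | request | /about/
2023-05-10 09:06:00 | 203.0.113.99 | login | revalvar
"""

KNOWN_USERS = {"revalvar", "editor_jane"}  # assumed: the site's real accounts
KNOWN_IPS = {"192.0.2.50"}                 # assumed: the owner's own addresses

# Direct hits on core, theme or plugin files (in a lockout log, not normal asset traffic).
DIRECT_FILE = re.compile(r"^/(wp-includes|wp-admin|wp-content/(?:plugins|themes))/.+\.\w+$")
# "Strange" parameter values after URL-decoding: HTML tags or directory traversal.
ODD_VALUE = re.compile(r"(<|\.\./)")

def is_weird_url(url: str) -> bool:
    parts = urlsplit(url)
    if DIRECT_FILE.match(parts.path):
        return True
    params = parse_qs(parts.query, keep_blank_values=True)
    if len(params) > 5 or len(parts.query) > 200:  # unusually complex query string
        return True
    return any(ODD_VALUE.search(v) for vals in params.values() for v in vals)

def triage(log_text: str, known_users=KNOWN_USERS, known_ips=KNOWN_IPS) -> dict:
    """Map each unrecognised IP to the sorted reasons it matches the two criteria."""
    reasons = defaultdict(set)
    for line in log_text.strip().splitlines():
        _ts, ip, event, detail = (f.strip() for f in line.split("|", 3))
        if ip in known_ips:
            continue  # an address you recognise is never auto-flagged
        if event == "login" and detail not in known_users:
            reasons[ip].add(f"login as unknown user '{detail}'")
        elif event == "request" and is_weird_url(detail):
            reasons[ip].add(f"suspicious URL {detail}")
    return {ip: sorted(r) for ip, r in reasons.items()}
```

Note that 203.0.113.99 is not flagged: it is unrecognised but only tried a real account name, so it deserves a manual look rather than an automatic blacklist entry.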