: How can I stop a bot attack on my site? I have a site (built with wordpress) that is currently under a bot attack (as best I can tell). A file is being requested over and over, and the

@Hamaas447

Simply do the 301 redirect to fbi site.

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http(s)?://(www.)?turkyoutube.org.$ [NC]
RewriteRule ^(.)$ www.fbi.gov [R=301,L]

Vote Up Vote Down

@Hamaas447

I use DenyHosts[1] on all my servers. DenyHosts disallow all IPs which failed to login after n times. You can also send notifications. So you have a great overview from which ips/hosts the logins came; and it also have a web update function and other great features. But it's still very simple to install.

An other method is to disallow all IP Ranges/Blocks (in e.g.) from China or other countries which are not your targeted group. This can be done with online "Blacklists" or just with the hosts.deny file (like DenyHosts).

[1] denyhosts.sourceforge.net/

Vote Up Vote Down

@Rivera981

How about a little corbomite maneuver?

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http(s)?://(www.)?turkyoutube.org.*$ [NC]
RewriteRule ^(.*)$ 127.0.0.1/ [R=401,L]


Note, untested but should redirect requests from them back to themselves with a 401 Not Authorized status code. That is, if the bot even handles redirects (very unlikely), but it will still see the status code. A 404 status code may be more effective. Either one should tell the bot that it should probably give up.

The rule you posted in comments is also more than adequate if you broaden the expression to match the host a little more. I use something close (as far as the actual rule) to block user-agents matching libwww-perl:

RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
RewriteRule .* - [F,L]

Vote Up Vote Down

@Caterina187

Aside from the IP blocking, I would scrutinize the files that are being requested. It's a fairly common thing for open-source systems such as WordPress and Joomla to be exploited, which is one reason why they're frequently updated. If you've neglected a few updates, it's possible that someone has penetrated your site.

I've had that scenario happen to me twice, once on a testing site that never got fully deployed (but was left in place) and another time on a company website where an employee with valid access "snuck" a phpBB on for his family to communicate--updates would have prevented the issues. In both cases, the problem was found with analytics as it seems might be true in your case. The Joomla attack injected javascript that caused the user's browser to load software, while the latter allowed the hacker to upload files to the server that were part of a distributed "alternate" google site that lead the user to p*rn every time. Though it's not entirely a common hack, check your DB users table, just in case.

I certainly don't mean to cause alarm, but it never hurts to take the time to dig through your site once in a while to know exactly what's going on. Sometimes you'll be surprised what you find.

Vote Up Vote Down

@Angela700

If the attack is coming from the same IP number each time (or a small set of IP numbers) you should block that IP number in your firewall. That should not cost any bandwidth or load on your web server.

If you are hosting it on a Linux machine that you have root access to this article explains how to do this.

Vote Up Vote Down