manton

Thinking again about disabling all support for .php requests in Micro.blog. It’s needless traffic, thousands and thousands of requests a day that go nowhere, looking for WordPress exploits. There’s legitimate use for redirecting old URLs, but it’s very rare that an old blog even exposes .php URLs.

bens@mastodon.xyz

@manton agree

matt_garber@mastodon.sdf.org

@manton Maybe you could start by disabling URIs that *end* in .php, so old redirects using something more common for a time without clean URLs like ‘/index.php/hello-world’ would still be unaffected for the time being, and reevaluate again later if you have those patterns still in use. (Added benefit of being easy to regex, too.)

manton

@matt_garber That makes sense. URLs ending in .php would be enough.

thomascbullock

@manton would this cut off MarsEdit support?

bjhess

@manton It is wild how many requests come in to *.php. Not being able to easily block those sooner than Rails (middleware) is definitely a downside for us being on a hosting service like Render.

manton

@thomascbullock Nope. MarsEdit uses our XML-RPC interface, it’ll keep working.

manton

@bjhess It’s crazy and a little sad. I have essentially a list of disallowed URL paths in Micro.blog — like /wp-admin or whatever — where I cut those requests off before they bog down any other processing, but I’d like to do more to get rid of them early.

bjhess

@manton Yeah! We’ve got some Rack::Attack regex action going, à la:

req.path.match(/\.php[2-9]?$/i)

Earlier the better for sure!

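A stand-alone Rack-style middleware that combines the two checks discussed in this thread, manton’s list of disallowed path prefixes and bjhess’s `.php` suffix regex, added here as an example (it is not Micro.blog’s code or anything posted in the thread); the class name, the prefix list and the `sample_results` helper are this example’s own assumptions.

```ruby
# Added example, not from the thread. A minimal Rack middleware (no gems
# needed) that answers WordPress-scanner requests with an empty 404 before
# the application does any work. The same predicate could be dropped into
# Rack::Attack via: Rack::Attack.blocklist("php-scanners") { |req| ... }
class PhpScannerBlock
  # bjhess's regex: paths ending in .php, .php2 ... .php9, case-insensitive.
  # Because it anchors at the end, legacy URLs such as
  # /index.php/hello-world (matt_garber's case) are NOT blocked.
  PHP_SUFFIX = /\.php[2-9]?$/i

  # Constructed prefix list in the spirit of manton's "/wp-admin or whatever";
  # a real deployment would tune it to its own traffic.
  BLOCKED_PREFIXES = %w[/wp-admin /wp-content /wp-includes].freeze

  def initialize(app)
    @app = app
  end

  # True when the path should be cut off early. Prefix matches require either
  # an exact match or a following "/", so /wp-admin-notes is left alone.
  def self.blocked?(path)
    return true if path.match?(PHP_SUFFIX)
    BLOCKED_PREFIXES.any? { |p| path == p || path.start_with?("#{p}/") }
  end

  # Standard Rack entry point: [status, headers, body].
  def call(env)
    path = env["PATH_INFO"].to_s
    return [404, { "content-type" => "text/plain" }, []] if self.class.blocked?(path)
    @app.call(env)
  end
end

# Constructed Rack env hashes run through the middleware for a quick check;
# returns { path => status }.
def sample_results
  inner = ->(env) { [200, { "content-type" => "text/plain" }, ["ok: #{env['PATH_INFO']}"]] }
  stack = PhpScannerBlock.new(inner)
  %w[/2024/hello /index.php/hello-world /wp-login.php /foo/shell.php7 /wp-admin/setup].map do |path|
    status, _headers, _body = stack.call("PATH_INFO" => path, "REQUEST_METHOD" => "GET")
    [path, status]
  end.to_h
end
```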
dfj

@manton Agree it’s sad that it’s necessary but is totally worth doing as early as possible (along with any other obviously bogus traffic). I’ve worked on systems that did exactly this and it was surprising how effective basic matching rules can be at cutting down bot traffic.

dfj

@manton Also, if you have something that’s really lightweight at connection handling, you could do something like just never respond to the requests. That might tie up more resources on their end and slow down that traffic somewhat. Their client would probably be waiting until timeouts hit rather than immediately moving on to the next exploit to check for.

bloftin2

@manton For the previous 2 years I’ve had WordFence installed on my WordPress blog. My blog has like 20 readers, and maybe 10 views a day to put things into perspective. I was blown away by the attempts from all over the planet to look at the site. I blocked every country but the US and UK. There were constant attempts from everywhere.

ki.tt

@manton Oh, that is a great idea!

/me goes to implement on own site
