Bruteforcing admin-ajax.php ?

I seem to get a continual stream of sites trying to send an HTTP POST to a particular admin file for WordPress. I have a locked-down wp-admin area on my WordPress sites to stop hackers trying to brute-force guess passwords to the admin area. So anyone trying to access my admin pages will get an HTTP error 403 - Denied.

What is interesting is how many people are trying to access

/wp-admin/admin-ajax.php 

with an HTTP POST. Even Googlebot has a good try at getting something useful from the URL.

Strange.

I have checked Webmaster console and my site crawl looks ok, so the googlebot entries have me confused. The rest are just hackers I think.

Here are some examples:

88-106-75-24.dynamic.dsl.as9105.com - - [01/Mar/2016:07:18:59 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 "https://rosacea-support.org/articles/cleansers" "Mozilla/5.0 (iPad; CPU OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13D15 Safari/601.1"
cpe185933f89386-cm185933f89383.cpe.net.cable.rogers.com - - [01/Mar/2016:07:19:02 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 "https://rosacea-support.org/favourite-over-the-counter-treatments.html" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
194-83-93-28.qmu.ac.uk - - [01/Mar/2016:07:19:09 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 "https://rosacea-support.org/eucerin-redness-relief-licochalcone.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13D15 Safari/601.1"
crawl-66-249-75-233.googlebot.com - - [01/Mar/2016:07:22:09 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 "https://rosacea-support.org/soolantra-before-and-after-pictures.html?relatedposts_hit=1&relatedposts_origin=5174&relatedposts_position=0" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

It seems that this script is used for heartbeat polling by wp-admin scripts to lock edit pages, synchronise draft saving etc. So I need it when I am logged in, but why are all those sites trying to heartbeat-poll me?

[update] From Brute Force Attacks

If your theme or plugins use AJAX, you will most likely need to add an additional group of settings to your .htaccess so that functionality continues to work:

# Allow access to wp-admin/admin-ajax.php
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

Save the file and upload it to your wp-admin folder.

So something in my theme or plugins needs an AJAX call to the admin area, it seems. If I could easily change my IP address I could use Chrome’s console to see who is asking for the POST request, but at the moment I have no idea. The log file is nice and green now though, so that bit is fixed.
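The Referer field in the log lines above already names the page each POST came from, which is much the same information Chrome's console would give: visitors' browsers (and Googlebot, when it renders a page) run the theme's or a plugin's front-end JavaScript, and that JavaScript posts to admin-ajax.php. The script below is an added example, not code from this post; it parses combined-format Apache log lines (constructed sample lines, with example.com standing in for the site) and separates admin-ajax.php and wp-login.php POSTs by whether the Referer is the site itself, missing, or a foreign host. Repeated referer-less hits from one host are a far better brute-force signal than the admin-ajax.php path on its own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SITE_HOST = "www.example.com"  # assumption: the hostname of the site whose log this is
WATCHED = ("/wp-admin/admin-ajax.php", "/wp-login.php")

# Constructed sample lines modelled on the format in the post (not real traffic).
SAMPLE_LOG = """\
198.51.100.10 - - [01/Mar/2016:07:18:59 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 "https://www.example.com/articles/cleansers" "Mozilla/5.0 (iPad; CPU OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13D15 Safari/601.1"
198.51.100.11 - - [01/Mar/2016:07:19:02 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 "https://www.example.com/some-page.html" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
203.0.113.5 - - [01/Mar/2016:07:20:30 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 "-" "python-requests/2.9.1"
203.0.113.5 - - [01/Mar/2016:07:20:31 -0600] "POST /wp-login.php HTTP/1.0" 403 48 "-" "python-requests/2.9.1"
203.0.113.5 - - [01/Mar/2016:07:20:32 -0600] "POST /wp-login.php HTTP/1.0" 403 48 "-" "python-requests/2.9.1"
198.51.100.12 - - [01/Mar/2016:07:22:09 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 "https://www.example.com/post.html?relatedposts_hit=1" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.7 - - [01/Mar/2016:07:25:00 -0600] "GET /wp-admin/admin-ajax.php?action=foo HTTP/1.1" 403 48 "https://evil.example.net/" "curl/7.47.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Label a hit on a watched path by its Referer; None for paths we do not care about."""
    path = entry["path"].split("?", 1)[0]
    if path not in WATCHED:
        return None
    ref = entry["referer"]
    if ref in ("", "-"):
        return "no-referer"           # scripted clients usually send no Referer at all
    if urlsplit(ref).hostname == SITE_HOST:
        return "own-site-referer"     # front-end JavaScript on our own pages
    return "external-referer"         # somebody else's page (or a forged header)


def summarise(log_text):
    """Count watched hits by (path, label), overall and per client host."""
    counts = Counter()
    per_host = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label is None:
            continue
        key = (entry["path"].split("?", 1)[0], label)
        counts[key] += 1
        per_host.setdefault(entry["host"], Counter())[key] += 1
    return counts, per_host


def suspicious_hosts(per_host, threshold=2):
    """Hosts with at least `threshold` hits that lack a Referer or carry a foreign one."""
    flagged = []
    for host, c in per_host.items():
        bad = sum(n for (_path, label), n in c.items() if label != "own-site-referer")
        if bad >= threshold:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    totals, hosts = summarise(SAMPLE_LOG)
    for (path, label), n in sorted(totals.items()):
        print(f"{n:4d}  {path}  {label}")
    print("suspicious:", suspicious_hosts(hosts))
```

On the constructed sample the own-site-referer group holds the browser and Googlebot hits, which is the traffic the .htaccess exception above is meant to let through, while the one host that posts repeatedly with no Referer to both admin-ajax.php and wp-login.php is the one worth rate-limiting or blocking. Run it over a real access log with `summarise(open("access.log").read())` after setting SITE_HOST.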
