Welcome to Episode 6 of Ask Paulie Anything.
Today, instead of answering a question directly sent to me for the purposes of this video, I’m going to answer a support ticket that was sent to us a few days ago. We’re going to discuss how you should be thinking about your traffic and “bots”.
The ticket is:
I recently noticed I’ve been getting a lot of bot hits to
admin-ajax.php
that returns a 200 code. Had over 40 hits to that from the same IP a few days ago in rapid succession.Is there anything Shield can do about this?
I thought Shield would pick up on things like this and implement a block, but my logs show it’s been going on completely unchallenged.
[0:44] – Bot Hits, 200 Code… How To Fix A Problem Like This
There’s a couple of things we really need to address here, that make it difficult to fix a problem like this. There are a lot of assumptions built into this question.
Here’re some of the assumptions:
I recently noticed I’ve been getting a lot of bot hits.
“Bot hits”? That sounds like you already know that you’re getting hit by bots. Do we know that they’re bots? Instead of saying “bots”, you could just say “traffic”.
Traffic means that you at least have an open mind on what this could be. But, if you say “bot hits” then that’s the lens through which you’re trying to solve this problem.
… to admin-ajax.php that returns a 200 code…
The “200 code” is referring to HTTP code and if you get 200 code, that means that the request and the response were successful.
With admin-ajax.php
a 200 code typically means that there’s a plugin, that there’s something on the WordPress site that has received that request, handled it and responded successfully. Otherwise, you wouldn’t get 200 code.
Had over 40 hits to that from the same IP a few days ago in rapid succession.
“40 hits” is nothing. We call them “hits” here because we think we’re getting hit by bots, but actually, 40 requests is not a lot.
… in rapid succession…
How rapid? How often do these come? Did they all happen within 60 sec, 1 sec, an hour, or, imagine you get 40 hits a day. What’s the problem with that?
If it was within an hour, that’s less than 1 in a min. Is that really a bot?
[2:21] – Is There Anything Shield Can Do About This?
No. It’s not Shield’s purpose to just block traffic. Shield’s purpose is to investigate a request and decide whether or not it’s legitimate. In this case, it was legitimate.
After a little bit back and forth with the client, we learned that those 40 hits occurred within 30 min and that’s just over 1 per minute.
If I was writing a bot for the purpose of automation, I would write it to be a little bit more efficient than that. So, it’s clear to me that this is not a bot.
[2:57] – Is This Actually A Security Issue?
I decided to go to the customer’s website and I found that when you right click on the page, it sends 2 ajax requests.
This points to me another core security issue, that people don’t understand what’s going on on their own sites.
If you don’t know that when you right click on the page that it’s going to send at least 1 ajax request, then you need to dig into your plugins a little bit further. You need to vet what exactly is going on on your site.
This is so that when you do get traffic in your logs you’re able to understand perhaps where that traffic is coming from, why it’s reaching your server, rather than “I get a lot of hits, it must be a security issue. Getting attacked by bots, why is Shield not protecting me?”
What Is Shield Doing?
Shield is doing its job but you should do your job too by vetting your plugins, your themes… making sure you know what every single plugin is doing on your site.
You also have to ask the question:
[3:55] – What Is The Purpose Of Bots?
Bots are there because they’re robots. They’re automated and designed to do the repetitive tasks quickly.
“40 requests in 30 min” is a repetitive task but it’s not very quick. So, what’s the point of writing a bot to do that? What is the purpose of the bot to mimic that “right click” to send you ajax requests that are legitimate? What purpose would that bot have?
So, my advice is:
Dig into your site, find out what’s going on, try to understand all aspects of your site, all the plugins that you’re using.
Then, as you do that, you’ll build a bigger picture of your site, how it supposes to operate, what’s normal and what’s not normal.
Thank You! Comments, Questions?
If you have any questions about this topic or anything uncovered in the previous videos, feel free to send me a question by using the form below.
And as always, if you’re on YouTube, click the “Subscribe” button. If you’re on Facebook, click to “Like” or share. Do all of that lovely stuff. 🙂