berbeates

Hello Gerroald,
Thank you for your quick reply! This hit wasn’t blocked by Wordfence, but caught in a 404 log (from another plugin). Since the vast majority of 404 errors come from attempted attacks, I use this log to manually include in the Wordfence block list.

I usually delete these 404 logs once I update Wordfence, so I don’t have the full details. I’ll keep an eye out and send more information if I see it again.

Thansk!
-Bernardo

Hi John,
Thanks for the reply. I contacted the hosting provider and they confirm that there is no proxy configuration for the server that hosts my site.
Looking through the logs, even though it’s the same IP, the value Referrer / User Agent changes.

The last two entries share IP, but these are the values for User Agent

==
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
—
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
==

Also, the behavior shows that it is crawling for pages on a previous version of the website, but are no longer present.

Do you have any suggestions on how to try to figure out where this traffic is coming from? Could it be the server itself that is looking for these files and directories?