[wp-trac] [WordPress Trac] #30742: admin-ajax.php should only execute for browser traffic
WordPress Trac
noreply at wordpress.org
Wed Dec 17 08:26:18 UTC 2014
#30742: admin-ajax.php should only execute for browser traffic
----------------------------+-----------------------------
Reporter: WebsitesbyMark | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 4.0.1
Severity: normal | Keywords:
Focuses: |
----------------------------+-----------------------------
At the moment admin-ajax.php is used for a variety of tasks in WordPress
and plugins.
This means that if a site is attacked, admin-ajax.php can be flooded with
requests, which can be enough to take a site offline.
Normally with these sorts of attack the requests won't come from a browser,
and therefore if WordPress looked to detect access from a browser before
executing the code it would stop a lot of the issues that are happening at
the moment.
My client's site was taken offline for a week recently during a large
attack. The hosting company identified the issue as admin-ajax.php being
hammered.
We had installed WordFence, Super Cache, Heartbeat Control and CloudFlare
without much luck. (Without CloudFlare the site refused to stay up, and it
would only stay up in Under Attack Mode.)
Within CloudFlare we managed to configure it so CloudFlare would only allow
browser-based traffic to *domain.com/wp-admin/*; this immediately solved
the issue.
Thinking about it, only browsers can utilise AJAX, therefore if it could be
rigged to only execute when there is browser traffic this would then be a
bit of a non-issue.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/30742>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
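The two controls the ticket contrasts, as an added example that is not part of the ticket, of WordPress core, or of CloudFlare: a "browser only" gate on admin-ajax.php implemented the way such a check would have to be at the application layer (on the User-Agent header), placed beside a per-IP sliding-window rate limit, and both run over constructed Apache combined-format log lines. The client addresses, the User-Agent strings, the request volumes and the threshold of 20 requests per 10 seconds are assumptions chosen for the illustration, not measured values or any product's defaults.

```python
"""Gating admin-ajax.php by User-Agent versus rate-limiting it per client IP.

Added example for ticket #30742; it is not WordPress core code.  The log
lines are constructed (Apache combined format, RFC 5737 test addresses) and
the thresholds are assumptions, not WordPress or CloudFlare defaults.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

CHROME_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36")
SCRIPT_UA = "python-requests/2.4.3 CPython/2.7.6 Linux/3.13.0-43-generic"

T0 = datetime(2014, 12, 17, 8, 0, 0, tzinfo=timezone.utc)


def make_line(ip, offset_s, ua):
    """Build one constructed log line for a POST to admin-ajax.php."""
    ts = (T0 + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return (f'{ip} - - [{ts}] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 42 '
            f'"https://example.com/wp-admin/post.php" "{ua}"')


# Constructed traffic: one real editor (Heartbeat every 15 s), one naive
# script flooding at 20 req/s with an honest UA, one identical flood that
# spoofs the Chrome UA.  Offsets are whole seconds because the log is.
SAMPLE_LOG = (
    [make_line("203.0.113.5", 15 * i, CHROME_UA) for i in range(4)]
    + [make_line("198.51.100.7", i // 20, SCRIPT_UA) for i in range(200)]
    + [make_line("198.51.100.8", i // 20, CHROME_UA) for i in range(200)]
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def looks_like_browser(ua):
    """The check the ticket proposes: treat a Mozilla-style UA as a browser.
    Any HTTP client can send this header, so it only stops clients that
    never bothered to set one."""
    return ua.startswith("Mozilla/")


class SlidingWindowLimiter:
    """Allow at most max_requests per client within any window_s seconds."""

    def __init__(self, window_s, max_requests):
        self.window = timedelta(seconds=window_s)
        self.max_requests = max_requests
        self.hits = defaultdict(deque)  # client -> timestamps still in window

    def allow(self, client, ts):
        q = self.hits[client]
        while q and ts - q[0] >= self.window:   # drop hits that aged out
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(ts)
        return True


def evaluate(lines, window_s=10, max_requests=20):
    """Per client IP: how many admin-ajax.php requests each control lets through."""
    limiter = SlidingWindowLimiter(window_s, max_requests)
    stats = defaultdict(lambda: {"total": 0, "ua_gate": 0, "rate_limit": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/wp-admin/admin-ajax.php"):
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if looks_like_browser(rec["ua"]):
            s["ua_gate"] += 1
        if limiter.allow(rec["ip"], rec["ts"]):
            s["rate_limit"] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, s in evaluate(SAMPLE_LOG).items():
        print(f'{ip:14} total={s["total"]:3}  passed UA gate={s["ua_gate"]:3}  '
              f'passed rate limit={s["rate_limit"]:3}')
```

Run as-is, the User-Agent gate drops every request from the script that identifies itself honestly and none from the one that sends a Chrome string, while the sliding window admits the editor's four Heartbeat calls and caps both floods at twenty requests regardless of what they claim to be. Whatever the control, it is cheapest in front of PHP (the CDN or WAF rule the reporter ended up with, or the web server), because by the time admin-ajax.php itself could inspect a header WordPress has already been loaded for that request.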