I have a very strange situation. Seems thta around March 4th, my site all of a sudden started taking on a ton of hackers trying to login to my Joomla site as if it were wordpress (i.e. going to /wp-login). Admin tools blocks it as it should and I have disabled 404 notifications (way too much noise as I'm getting around 100 attempts per day, up from 15-20). However, as these are likely bot-based, they try multiple times and as a result I see about 40-50 blacklist notifications per day. What's worrying me most is that this is causing me performance issues from both the processing of these and blocking them as well as a longer and more complex block list that is processed for every visit.
My value for auto blocking is 2 in 24 hours, block for 17 hours, permanently block after 2 - very broad. Do you have a suggestion to be more efficient on the system? Anything I can do to limit the auto block notifications that resulted from 404 attempts? I didn't see that - hopefully you can add it. I still log and review logs, but getting 50 messages of auto block is noisy and I fear a real notice will get lost.
Attaching a screen shot of the graph showing the WAF exceptions. Of those show, 99% are 404.
My value for auto blocking is 2 in 24 hours, block for 17 hours, permanently block after 2 - very broad. Do you have a suggestion to be more efficient on the system? Anything I can do to limit the auto block notifications that resulted from 404 attempts? I didn't see that - hopefully you can add it. I still log and review logs, but getting 50 messages of auto block is noisy and I fear a real notice will get lost.
Attaching a screen shot of the graph showing the WAF exceptions. Of those show, 99% are 404.
