{"id":1619156,"date":"2026-05-05T10:53:12","date_gmt":"2026-05-05T08:53:12","guid":{"rendered":"https:\/\/blog.wedos.com\/?p=1619156"},"modified":"2026-05-05T11:01:35","modified_gmt":"2026-05-05T09:01:35","slug":"jeden-den-s-wp-login-php-43-milionu-blokovanych-requestu-za-24-hodin","status":"publish","type":"post","link":"https:\/\/blog.wedos.com\/cs\/jeden-den-s-wp-login-php-43-milionu-blokovanych-requestu-za-24-hodin","title":{"rendered":"One day with wp-login.php: 4.3 million blocked requests in 24 hours"},"content":{"rendered":"\n<p><code>wp-login.php<\/code> is one of the best-known files in WordPress. It is the standard way to log in to the administration, so it has long been a favourite target of brute force attacks. Let's look at the data from the WEDOS Global Protection logs.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>For today's article we selected only blocked requests whose URL contained <code>wp-login.php<\/code>, and only from domains protected by the WEDOS Global Protection service. The data cover 24 hours: Monday 04.05.2026.<\/p>\n\n\n\n<p>It may surprise some of you, but attackers often do not care at all whether WordPress is actually running on the target domain. They simply try. And when it does not work in the main directory, they try another path. And then another. And another.<\/p>\n\n\n\n<p>In 24 hours, in purely blocked traffic, we saw:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>133 523 hosts<em>*<\/em><\/li>\n\n\n\n<li>51 active PoP locations through which the traffic passed<\/li>\n\n\n\n<li>9 923 unique IP addresses<\/li>\n\n\n\n<li>4 362 672 blocked requests<\/li>\n<\/ul>\n\n\n\n<p><em>* this need not be an actual domain or subdomain; attackers like to try these<\/em><\/p>\n\n\n\n<p>And that is only the traffic that was blocked. Many customers also have <code>wp-login.php<\/code> protection switched off or limited, or have the attacking IP addresses on a whitelist. Those requests are therefore not in the statistics. If we blocked everything, roughly another 500 thousand requests would be added.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">One day of blocked traffic on <code>wp-login.php<\/code><\/h2>\n\n\n\n<p>The first chart shows the sum of blocked requests in thirty-minute intervals.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"315\" src=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2026\/05\/image-1024x315.png\" alt=\"\" class=\"wp-image-1619170\" srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2026\/05\/image-1024x315.png 1024w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2026\/05\/image-300x92.png 300w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2026\/05\/image-768x236.png 768w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2026\/05\/image-1536x473.png 1536w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2026\/05\/image.png 1907w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><figcaption class=\"wp-element-caption\">Blocked requests containing <code>wp-login.php<\/code> over 24 hours. The chart shows the sum of blocked requests in thirty-minute intervals across websites protected by WEDOS Global Protection.<\/figcaption><\/figure>\n\n\n\n<p>At first glance there is one prominent peak around noon. That was a large surge in blocked traffic which, at the level of the overall chart, looks like one dominant brute force attack.<\/p>\n\n\n\n<p>But when we look at the data in more detail, it is clear that this is not just one simple type of attack.<\/p>\n\n\n\n<p>That is important with data like this. When you look only at the aggregated chart, it is easy to get the feeling that it is enough to find one problem and write one rule. In real traffic, however, several things are usually mixed together.<\/p>\n\n\n\n<p>Some of it is pure brute force. Some is scanning. Some is looking for WordPress. Some is attempts to hit a non-standard path. Some is traffic that has already run into a rate limit. And some is generally suspicious behaviour that makes no sense to handle in isolation based on a single URL.<\/p>\n\n\n\n<p>WEDOS Global Protection contains more than 100 rules. Dozens of them are dynamic and adapt to the current traffic and the attacker's behaviour. On top of that come various rate limits that track the behaviour of a specific IP address, traffic to a specific domain, JA4\/JA4H fingerprints and other signals. The result is that a robot looking for vulnerabilities may get a few attempts on several websites, but it will not reach the next thousands.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">It was not just brute force<\/h2>\n\n\n\n<p>The second chart shows the breakdown by block reason.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"318\" src=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2026\/05\/image-1-1024x318.png\" alt=\"\" class=\"wp-image-1619188\" srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2026\/05\/image-1-1024x318.png 1024w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2026\/05\/image-1-300x93.png 300w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2026\/05\/image-1-768x239.png 768w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2026\/05\/image-1-1536x477.png 1536w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2026\/05\/image-1.png 1912w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><figcaption class=\"wp-element-caption\">Stacked bar chart of blocked requests by block reason. The largest share is made up of various types of signatures, rate limits, scanner detections and brute force login attempts.<\/figcaption><\/figure>\n\n\n\n<p>Over the whole day, the biggest block reasons looked like this:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Block reason<\/th><th>Requests<\/th><\/tr><\/thead><tbody><tr><td>Attack signature detected on a sensitive WordPress file<\/td><td>669 103<\/td><\/tr><tr><td>Brute force attack<\/td><td>538 644<\/td><\/tr><tr><td>Known vulnerability scanner by JA4 signature<\/td><td>514 441<\/td><\/tr><tr><td>Rate limit (IP on greylist)<\/td><td>333 045<\/td><\/tr><tr><td>Hourly limit reached for greylisted IPs over port 80<\/td><td>262 403<\/td><\/tr><tr><td>High rate limit, PoW challenge sent<\/td><td>248 405<\/td><\/tr><tr><td>Suspicious GET request to a sensitive WP file<\/td><td>201 714<\/td><\/tr><tr><td>Rate limit exceeded<\/td><td>117 753<\/td><\/tr><tr><td>Suspicious JA4 signature, PoW challenge sent<\/td><td>83 085<\/td><\/tr><tr><td>Suspicious signal in GET request to a sensitive WP file<\/td><td>76 895<\/td><\/tr><tr><td>Per-IP limit exceeded in a 1-second interval (IP on the stricter greylist)<\/td><td>38 118<\/td><\/tr><tr><td>Unused user agent<\/td><td>31 155<\/td><\/tr><tr><td>Suspicious signature in GET request (generic web)<\/td><td>4 073<\/td><\/tr><tr><td>More than a hundred other rules and rate limits<\/td><td>1 243 838<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>This shows clearly why traffic like this cannot be viewed merely as an &#8220;attack on the WordPress login&#8221;.<\/p>\n\n\n\n<p>Yes, part of the traffic is brute force attempts. But a large part is something else (especially when there is no WordPress on the site at all). You simply cannot tolerate it and let it needlessly overload your servers. We check everything and look mainly for vulnerability scanners and suspicious GET requests.<\/p>\n\n\n\n<p>But back to WordPress. In practice this means that a single attack scenario can look something like this:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The bot tries to find <code>wp-login.php<\/code>.<\/li>\n\n\n\n<li>It tries several paths.<\/li>\n\n\n\n<li>If something responds, it starts sending more requests.<\/li>\n\n\n\n<li>If it finds a login form, it may move on to POST.<\/li>\n\n\n\n<li>With higher activity it runs into a rate limit.<\/li>\n\n\n\n<li>Based on client behaviour, TLS fingerprint, HTTP fingerprint or other characteristics it may also fall into other rules. Often it therefore never even reaches <code>wp-login.php<\/code>.<\/li>\n<\/ol>\n\n\n\n<p>On the chart we then do not see one attack. We see a mix of automated traffic that is caught at different stages by different parts of the protection.<\/p>\n\n\n\n<p>Rate limits are commonly used against brute force attacks. But why let an attacker make several pointless attempts that load the server when we can expose it earlier by an unused User-Agent, a JA4\/JA4H fingerprint or another suspicious signal?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">GET searches, POST tries<\/h2>\n\n\n\n<p>The distribution by HTTP method is also interesting.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Method<\/th><th>Requests<\/th><th>Unique IPs<\/th><\/tr><\/thead><tbody><tr><td>GET<\/td><td>2 785 506<\/td><td>6 397<\/td><\/tr><tr><td>POST<\/td><td>1 535 106<\/td><td>5 469<\/td><\/tr><tr><td>HEAD<\/td><td>111<\/td><td>68<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>There were significantly more GET requests than POST requests over the day.<\/p>\n\n\n\n<p>That matches how such automated attacks usually work. GET is often the discovery phase. The bot checks whether the path exists, whether the server responds, whether it returns something interesting and whether it is worth continuing.<\/p>\n\n\n\n<p>POST is more interesting. With <code>wp-login.php<\/code> it typically means that someone is trying to submit something to the login form, for example a username and password combination. But it can also be something else.<\/p>\n\n\n\n<p>There were very few HEAD requests. They play practically no role in this data.<\/p>\n\n\n\n<p>One thing is worth remembering here. When someone sees millions of requests to <code>wp-login.php<\/code>, it does not automatically mean millions of password attempts. Part of the traffic is discovery itself. Part is verification. Part is scanners. And only part is actual login attempts.<\/p>\n\n\n\n<p>It is still a problem, though. Even discovery alone loads the infrastructure. The request has to arrive, it has to be processed, a decision has to be made about what to do with it, and ideally it must not reach the customer's backend at all.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Attackers do not look only for <code>\/wp-login.php<\/code><\/h2>\n\n\n\n<p>As expected, most requests went to the classic path (2 432 655 requests):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/wp-login.php<\/code><\/pre>\n\n\n\n<p>But that is not all. The data also contained a number of other paths:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/wp-includes\/images\/wp-login.php<br>\/wp-admin\/css\/wp-login.php<br>\/wp-includes\/css\/dist\/preferences\/wp-login.php<br>\/wp-admin\/wp-login.php<br>\/wp-admin\/js\/wp-login.php<br>\/.well-known\/acme-challenge\/wp-login.php<br>\/wp-content\/plugins\/classic-editor\/wp-login.php<br>\/wp-includes\/Requests\/library\/wp-login.php<br>\/wp-includes\/js\/imgareaselect\/wp-login.php<br>\/wp-includes\/l10n\/wp-login.php<br>\/wp-includes\/html-api\/wp-login.php<br>\/wp-admin\/css\/colors\/ocean\/wp-login.php<br>\/wp-content\/themes\/bltm\/wp-login.php<br>\/wp-includes\/certificates\/wp-login.php<br>\/wp-includes\/js\/tinymce\/skins\/lightgray\/img\/wp-login.php<br>\/wp-includes\/images\/media\/wp-login.php<br>\/js\/wp-login.php<br>\/wp-content\/plugins\/wp-login.php<br>\/wp-admin\/css\/colors\/midnight\/wp-login.php<\/code><\/pre>\n\n\n\n<p>This is perhaps the most interesting part of the whole thing.<\/p>\n\n\n\n<p>If it were only about trying to log in to WordPress, you would mainly expect <code>\/wp-login.php<\/code>. But here we also see paths that make no sense at first glance.<\/p>\n\n\n\n<p>Why would someone look for <code>wp-login.php<\/code> here, for example?<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/wp-admin\/css\/wp-login.php<\/code><\/pre>\n\n\n\n<p>Or here?<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/.well-known\/acme-challenge\/wp-login.php<\/code><\/pre>\n\n\n\n<p>One likely explanation is that in these cases attackers are not looking for the real WordPress login form. They are looking for a file named <code>wp-login.php<\/code> that may in fact be a backdoor.<\/p>\n\n\n\n<p><code>wp-login.php<\/code> is the well-known name of a legitimate WordPress file. That is exactly why it can also be useful to attackers. When they manage to compromise a WordPress site, they can store their own file in it under the same or a similarly trustworthy-looking name. Not in the main directory, where it would be more visible, but somewhere deeper in the site's structure. For instance among images, CSS, plugins or other WordPress files.<\/p>\n\n\n\n<p>To an ordinary site administrator it can then look less suspicious at first glance. And from the point of view of some security rules the name <code>wp-login.php<\/code> is additionally problematic precisely because it is a regular WordPress file. Some protections may therefore treat such requests more cautiously so as not to break legitimate logins to the administration.<\/p>\n\n\n\n<p>Attackers know this.<\/p>\n\n\n\n<p>Today WordPress is not attacked at scale by a person working by hand. Automated scripts do it. They look for known vulnerabilities, try weak passwords, test plugins, old installations, bad permissions and known paths. When an attack succeeds, the malware often creates persistence, i.e. a way to get back into the site even after the original vulnerability has been partially removed. Typically precisely through a backdoor.<\/p>\n\n\n\n<p>And here comes another interesting thing. These backdoors are then sought not only by the original attacker. Other bots look for them too. If there is already a compromised WordPress site with a backdoor somewhere on the internet, another attacker may try to find it and take it over.<\/p>\n\n\n\n<p>In other words: one attacker breaks into the site, another tries to use their back door.<\/p>\n\n\n\n<p>From the attacker's point of view it makes sense. A request is cheap. When they send millions of them, a very small success rate is enough.<\/p>\n\n\n\n<p>From the protection's point of view, though, this is exactly the type of traffic we do not want to let through. The customer's backend should not have to deal with someone trying to find a file named <code>wp-login.php<\/code> in a directory of images, CSS, plugins or ACME challenges.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Part of the traffic is concentrated, but still spread out<\/h2>\n\n\n\n<p>We also looked at the ASNs the blocked traffic came from.<\/p>\n\n\n\n<p>The largest sources by number of requests:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>ASN<\/th><th>Requests<\/th><th>Unique IPs<\/th><\/tr><\/thead><tbody><tr><td>AS31898<\/td><td>817 010<\/td><td>118<\/td><\/tr><tr><td>AS8075<\/td><td>432 664<\/td><td>151<\/td><\/tr><tr><td>AS41564<\/td><td>323 397<\/td><td>39<\/td><\/tr><tr><td>AS215930<\/td><td>295 653<\/td><td>13<\/td><\/tr><tr><td>AS206092<\/td><td>293 033<\/td><td>952<\/td><\/tr><tr><td>AS42708<\/td><td>172 741<\/td><td>66<\/td><\/tr><tr><td>AS14061<\/td><td>143 525<\/td><td>601<\/td><\/tr><tr><td>AS396356<\/td><td>123 007<\/td><td>395<\/td><\/tr><tr><td>unknown<\/td><td>118 301<\/td><td>1 516<\/td><\/tr><tr><td>AS154247<\/td><td>76 775<\/td><td>11<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Part of the traffic was heavily concentrated. Some ASNs sent hundreds of thousands of requests in a day. At the same time, the traffic as a whole came from 9 923 unique IP addresses.<\/p>\n\n\n\n<p>Blocking a whole ASN can help in some cases. But in shared infrastructure it is an intervention that can have side effects. A single ASN can carry attack traffic, but also legitimate users, corporate networks, VPNs, cloud services, monitoring or various automated systems.<\/p>\n\n\n\n<p>That is why it is better to work with several signals at once. Not only where the request came from, but also what exactly it wants, how often it wants it, how it behaves, what fingerprint it has, what User-Agent it has, whether it repeats the same patterns, whether it tries to access sensitive paths and whether it has shown suspicious behaviour before.<\/p>\n\n\n\n<p>For example, even a very problematic IP can be let onto the site if it passes a Proof of Work challenge.<\/p>\n\n\n\n<p>However, if you have at least the Expert plan with WEDOS Global Protection, you have access to a range of tools such as Combo rules, with which you can very easily steer traffic using complex conditions. Whether that means whitelists, blacklists or deploying Proof of Work.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Ordinary internet noise that at this scale is no longer ordinary<\/h2>\n\n\n\n<p>These 4.3 million blocked requests were not an exceptional incident that would in itself mean some fundamental problem. It is rather an illustration of what ordinary automated traffic on the internet looks like today.<\/p>\n\n\n\n<p>In fact it was a fairly quiet Monday. We also record 10x more traffic in a day when a WordPress vulnerability or a large data leak appears.<\/p>\n\n\n\n<p>Nevertheless, even when nothing is happening, every day, literally every second, bots are looking for WordPress. They look for admin areas. They look for old installations. They look for forgotten files. They look for anything that might respond.<\/p>\n\n\n\n<p>And they do not care whether WordPress is actually running on the domain. They simply send the traffic, and unless you study your server logs, you have no idea about it. Your website is just slower and you do not know why.<\/p>\n\n\n\n<p>The job of WEDOS Global Protection is to ensure that such traffic ideally never reaches your server at all. So that it does not needlessly load web hosting, a VPS, a dedicated server or an application. And so that legitimate users get where they need to go, while automated junk is stopped as early as possible at the edge of the network.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>wp-login.php is one of the best-known files in WordPress. It is the standard way to log in to the administration, so it has long been a favourite target of brute force attacks. Let's look at the data from the WEDOS Global Protection logs.<\/p>\n","protected":false},"author":2,"featured_media":1619257,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[112],"tags":[186,37],"class_list":["post-1619156","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bezpecnost","tag-wedos-global","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/1619156","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/comments?post=1619156"}],"version-history":[{"count":2,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/1619156\/revisions"}],"predecessor-version":[{"id":1619317,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/1619156\/revisions\/1619317"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media\/1619257"}],"wp:attachment":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media?parent=1619156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/categories?post=1619156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/tags?post=1619156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}