Many common HTTP errors have numbers associated with them. The most common of all HTTP errors is the 404. And techy or not you have probably heard of it, or at least stumbled across one in your web travels.
Essentially the 404 triggers when a visitor attempts to visit a page on a web site that doesn’t exist. Many web masters (or content management system developers) often implement methods to handle a 404 elegantly. Some are very clever with their actions of the 404, by creating memorable “404 error” pages, making the 404 a household name.
Now, in general, the 404 is a seemingly innocent error. Mis-type a URL or follow an outdated link, and a 404 is the result. So why would you want to monitor for 404’s on your web site?
As mentioned, 404s will happen… hopefully not too often on a well maintained site, but they will happen, and in general it is perfectly OK. But when several 404s occur in a short time span from the same visitor, he or she may be up to no good.
Perhaps this “404 generator” is guessing at a URL for a login page, or perhaps they are looking for hidden content. Whatever the case, if there isn’t a public URL to the page they are “guessing” the URL of, odds are their behavior is of the malicious type.
So… why not block these folks? … even if just temporarily.
Well, there’s a feature of the All-in-One Security and Firewall plugin for WordPress that will allow you to do just that. All 404 events can be detected and logged, and if something seems suspicious, the culprit can be locked out for awhile.
Follow along in the video to setup this feature. Note: in the video, the plugin is already installed.
Comments (5 responses)
Hi Mark, Thank you for your feedback. I understand your reasoning. We can improve that feature a little more down the path as we get more feedback from users.
On second thought, perhaps a way to make the 404 penalty work better is to penalize for only the files that are known to be used by bots that try to detect certain site information. I’m not sure where to find that list of files or if it would need to be updated periodically, but one possible source might be to use a penetration testing tool and see what files it tries to detect. Just spit balling.
First – I love this plugin! We use it for all our client sites in our WordPress website business (we build websites for local small businesses.)
Second – I’ve opted, in most circumstances, to leave the 404 abuse penalty disabled. It’s a great concept. But, the truth is that 404’s can occur for purely innocent reasons and if the penalty is enabled will block people unexpectedly.
I’ve had this happen with themes that presume certain things are present when they are not, and end up making a request for files that aren’t there. That’s just one example.
I’m not sure of a solution that would allow the 404 penalty to operate properly but ignore the ones generated innocently.
Any guidance would be appreciated.
Again, a great plugin that I use everywhere.
@Gary, I have updated the tutorial with a link to the free plugin.
Thanks for the video Ruhul. where can I find the plugin necessary?