Receiving strange lockout alerts from Defender

I'm receiving a Defender warning: it is blocking this URL request for the file /%5C%5C%5C%5C%5C, which doesn't exist, but the IP is our server IP. Any idea what this URL is?

  • Adam Czajczyk

    Hi AJ Pinto,

    I hope you're fine today!

    I have checked the site and I think this is related to the Swift Performance plugin. I'm not very familiar with it, but after checking its configuration and some of its docs, I understand that it pre-builds the cache automatically when the cache is cleared (so e.g. when a post/page is published/updated) and additionally on a schedule.

    When the cache is being pre-built, a "Warmup table" is used which contains a set of URLs (they are added there automatically), and the URL in question - in a few variations, longer and shorter - is there, which means that it's being called each time. So, when you update or publish a post/page and when the scheduled "pre-build" is processed, this URL - all its occurrences in the Warmup table - is being called from your server, because Swift Performance is trying to cache its contents.

    That would explain why your IP is in the logs and why there are so many calls to that URL.

    That said, the first thing I'd suggest would be to just reset the warmup table in the Swift Performance settings and then watch it for a while - both the warmup table content and the Defender logs - to see if that URL returns there or not.

    If it doesn't, I'd say it can safely be ignored. There's always a chance that due to some unexpected "glitch/error" there was an attempt to access some invalid URL and that got cached by the plugin.

    However, if it comes back, it would most likely mean one of two things: some "broken URL" indeed exists somewhere on the site (it might be deeply hidden, e.g. some malformed href in the page source, in JS, in theme or plugin files...) or there's something malicious on the site/server trying to perform a "URL traversal" attack.

    So, I'd start with clearing that warmup table and the entire cache and keeping an eye on it. If this doesn't help, let me know, please. In that case we might need to be able to look through the files and the database of your WP install, though.

    Kind regards,
    Adam
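To support the "watch the logs" step above, here is an added triage script (not part of the thread or of Defender/Swift Performance) that sorts hits on the encoded-backslash URL into self-originated requests, consistent with the warmup table re-fetching a bad entry, versus requests from outside. The server IP and the log line format are assumptions, and the sample log lines are constructed for the example.

```python
"""Triage lockout alerts for /%5C%5C%5C%5C%5C: split hits into the server's
own requests (Swift Performance warmup) and external ones that need a look.
Log format and sample lines are constructed for this example."""
from urllib.parse import unquote
import re

SERVER_IP = "203.0.113.10"  # assumption: the site's own IP (RFC 5737 test range)

# Constructed sample lines: "<timestamp> <source_ip> <method> <request_path>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 GET /%5C%5C%5C%5C%5C
2024-05-01T10:00:02Z 203.0.113.10 GET /%5C%5C%5C
2024-05-01T10:00:03Z 198.51.100.7 GET /%5C%5C%5C%5C%5C
2024-05-01T10:00:04Z 203.0.113.10 GET /blog/hello-world/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# A path that decodes to nothing but backslashes after the leading slash
BACKSLASH_RUN = re.compile(r"^/\\+$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path = m.groups()
    return {"ts": ts, "ip": ip, "method": method,
            "path": path, "decoded": unquote(path)}

def classify(entry, server_ip=SERVER_IP):
    """Return 'normal', 'self-warmup' or 'external' for one parsed entry."""
    if not BACKSLASH_RUN.match(entry["decoded"]):
        return "normal"
    # Same source IP as the server matches the warmup-table explanation;
    # any other source is worth investigating separately.
    return "self-warmup" if entry["ip"] == server_ip else "external"

def triage(log_text, server_ip=SERVER_IP):
    """Count hits per class and list the distinct odd paths seen."""
    counts = {"normal": 0, "self-warmup": 0, "external": 0}
    odd_paths = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry, server_ip)
        counts[verdict] += 1
        if verdict != "normal":
            odd_paths.add(entry["path"])
    return counts, sorted(odd_paths)
```

If the warmup table has been reset and "self-warmup" hits keep appearing, the bad URL is still being fed in from somewhere on the site; "external" hits are unrelated to the plugin and should be reviewed on their own.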
