DoS prevention in NGINX

Hi, we always had this “POST /?wc-ajax=get_refreshed_fragments” abuse everyday, but sometimes it even leads to a Denial of Service (rarely, but still) I wonder how could I tweak nginx to mitigate this kind of abuse. Usually the abusers do it in bursts of 3~5 requests per second, but sometimes they go all out and send thousands per minute, often leading to DoS. I explained to the site owner about disabling the cart fragments, but he does not want to because of the floating cart functionality and UX for the shoppers, so we would need to work around it.

I might have a solution for you. Try adding Google reCAPTCHA v3.
For example, if you have plugin CF7, you can integrate recaptcha within. The recaptcha will load on every page, including woo pages. I am not sure will it work or not for you, but you can try.

If you don’t use cf7, then you can try using other implement solutions such as:


or even this: (I don’t know if this one can add v3 recaptcha)

Let me know if it helped.

Hi, thanks for taking your time to reply, we do not use contact forms, the wc-ajax=get_refreshed_fragments is called directly on every page load since it is a woocommerce feature. Adding a captcha on checkout form will lead to less orders and won’t prevent the exploit. I guess the attacker tries to inject some code into the call, but not sure since nginx do not log this kind of behaviour (as far as I know), or it is just some simple trolls bored trying to DoS random sites… I am guessing a fail2ban would be helpful and I am currenctly researching how to implement it properly without leading customer user issues. Thanks again

Fail2ban may be a bit too much. If the problem is just one file being abused directly, you should block direct access to the file from outside. :grinning:
So, in order to prevent abuse of a file, one should start by implementing the simplest solution:
in nginx configuration: add this
The code will protect all PHP files inside wp-content folder from direct access.
You can edit the code to fit your needs. I don’t know which files are loaded when cart fragments are called.
You can also search online and find the code for protecting specific url from being directly accessed.
That should be your best bet.
Maybe bbq plugin will help, and as the simplest solution you can try it first.

location ~* /wp-content/.*.php$ {
	deny all;
	access_log off;
	log_not_found off;
}

I don’t know which files should be protected here, but maybe you can find out more about this.
For example, I know that Cloudflare can protect from these kinds of attacks, or maybe other CDN.
Or maybe having the WAF installed.
Try


(works on nginx)

or maybe this:


Best of luck.
Please let me know if you work this out.