Brute-force directory guessing is a very common attack against websites and web servers. Attackers use it to find hidden and often forgotten directories on a site that they can then try to compromise.
Directory Guessing Targets
Attackers generally focus on directories (folders) that are likely to contain outdated or insecure software. These are the top directories we see being scanned:
- /phpmyadmin (or /phpmyadmin-versionnumber)
- /demo/
- /test/
- /joomla/
- /wordpress/
Directory Guessing Protection
A directory guessing attack is often very noisy and generates thousands of 404 (not found) errors in the logs. If you monitor your logs, you should be able to identify these attacks pretty easily and block the attacker’s IP address.
Anyone using the WAF is already automatically protected. We ban IP addresses that generate too many 404 (not found) errors within a short period of time.
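The log check described above can be sketched as a sliding-window count of 404 responses per client IP. This is an added example, not code from the original page or from the WAF. It assumes Common/Combined Log Format access logs, and the threshold of 5 errors in 60 seconds, the function names and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/Combined Log Format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def find_scanners(lines, threshold=5, window_seconds=60):
    """Return {ip: [paths]} for IPs with >= threshold 404s inside one time window.

    Assumes each IP's entries appear in chronological order, as in a normal log.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> (timestamp, path) of 404s still in window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue  # ignore unparsable lines and anything that is not a 404
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        parts = m.group("req").split()
        path = parts[1] if len(parts) >= 2 else "-"
        hits = recent[ip]
        hits.append((ts, path))
        while ts - hits[0][0] > window:  # drop 404s older than the window
            hits.popleft()
        if len(hits) >= threshold and ip not in flagged:
            flagged[ip] = [p for _, p in hits]  # paths that tripped the threshold
    return flagged

def _line(ip, hhmmss, path, status):
    # Builds one constructed Combined Log Format line for the sample below.
    return (f'{ip} - - [12/Mar/2024:{hhmmss} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: a noisy scanner, a normal visitor, and a slow broken-link source.
SAMPLE_LOG = [
    _line("203.0.113.7", "10:00:01", "/phpmyadmin/", 404),
    _line("198.51.100.20", "10:00:01", "/index.html", 200),
    _line("203.0.113.7", "10:00:02", "/demo/", 404),
    _line("203.0.113.7", "10:00:02", "/test/", 404),
    _line("198.51.100.20", "10:00:03", "/favicon.ico", 404),
    _line("203.0.113.7", "10:00:03", "/joomla/", 404),
    _line("203.0.113.7", "10:00:04", "/wordpress/", 404),
] + [_line("192.0.2.50", f"10:{m:02d}:00", f"/old-{m}", 404) for m in (5, 10, 15, 20, 25)]

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} x 404 within 60s -> {paths}")
```

The client that produces five 404s spread over twenty minutes is not flagged at the 60-second window, which is the trade-off to tune: a wider window catches slower scans but also catches more ordinary broken links.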