My site leifandthorn.com has had a spike in CPU usage recently, and when tech support pulled a sample log for December 9, the top 5 requested URLs were:
Where are all these demands for patreon-webhooks coming from?
The amount of traffic on my paywalled content is tiny. I have less than 100 patrons total, and the number logged-in on my Wordpress site is in the single digits. What gives?
Copy/pasted plugin info:
WP 6.4.2 with PHP 7.4.33
Patreon WordPress 1.8.8 with API v2
The “Health Check” page is generating a new version of this error (different UUID each time) every few seconds:
add_post_webhook - API v2 Class - UUID 821ab7d3-8abf-51f1-b500-25743da82903 - Response code: 401 Response :{"errors":[{"challenge_metadata":null,"code":1,"code_name":"Unauthorized","detail":"The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required.","id":"821ab7d3-8abf-51f1-b500-25743da82903","status":"401","title":"Unauthorized"}]}
add_post_webhook - API v2 Class - UUID be545c31-929d-5f38-94fa-3d0e347dda25 - Response code: 401 Response :{"errors":[{"challenge_metadata":null,"code":1,"code_name":"Unauthorized","detail":"The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required.","id":"be545c31-929d-5f38-94fa-3d0e347dda25","status":"401","title":"Unauthorized"}]}
It only stops while the plugin is deactivated.
I tried disconnecting (it didn’t work), deleting the client application on the Patreon.com side, and uninstalling/reinstalling the plugin.
Even after all that, once I reactivate the plugin, the errors start right back up again.
Now I’m not using WordPress, but if I were a pirate trying to gain access to Patreon benefits and publish or sell this content on the internet, I would definitely create some bots to send hundreds of fake requests to Patreon webhook endpoints that can be detected in the wild, hoping some won’t be doing signature validation and will register my Patreon member accounts as premium users.
I don’t know how technical you are, but can you see the IP addresses of the request origins?
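The signature validation that reply refers to, as an added example that is not code from the Patreon WordPress plugin: it assumes the constructed secret and event body below, and Patreon's documented scheme of a hex HMAC-MD5 of the raw request body carried in the X-Patreon-Signature header (confirm the algorithm against your plugin's own check).

```python
import hashlib
import hmac

# Constructed sample values: the per-webhook secret Patreon shows you and a
# made-up member event body. Verification must run over the raw bytes the
# server received, not over a re-serialized copy.
WEBHOOK_SECRET = b"constructed-example-secret"
SAMPLE_BODY = b'{"data":{"type":"member","attributes":{"patron_status":"active_patron"}}}'


def sign_body(body: bytes, secret: bytes) -> str:
    """Return the hex digest a legitimate Patreon event would carry.

    Assumption: HMAC-MD5 keyed with the webhook secret, as Patreon documents.
    """
    return hmac.new(secret, body, hashlib.md5).hexdigest()


def verify_webhook(headers: dict, raw_body: bytes, secret: bytes) -> bool:
    """Accept an event only if its signature matches the raw body.

    Header names are matched case-insensitively; a missing, empty or
    non-ASCII header fails closed. hmac.compare_digest avoids timing leaks.
    """
    provided = None
    for name, value in headers.items():
        if name.lower() == "x-patreon-signature":
            provided = value.strip().lower()
    if not provided or not provided.isascii():
        return False
    expected = sign_body(raw_body, secret)
    return hmac.compare_digest(expected.encode(), provided.encode())


def handle_event(headers: dict, raw_body: bytes, secret: bytes) -> str:
    """Dispatch only verified events; anything else is dropped before it
    can touch membership state."""
    if not verify_webhook(headers, raw_body, secret):
        return "rejected: bad or missing X-Patreon-Signature"
    return "accepted"


if __name__ == "__main__":
    good = {"X-Patreon-Signature": sign_body(SAMPLE_BODY, WEBHOOK_SECRET)}
    print(handle_event(good, SAMPLE_BODY, WEBHOOK_SECRET))
    # Unsigned request of the kind the reply describes: dropped.
    print(handle_event({}, SAMPLE_BODY, WEBHOOK_SECRET))
    # Valid signature but altered body: dropped.
    tampered = SAMPLE_BODY.replace(b"active_patron", b"former_patron")
    print(handle_event(good, tampered, WEBHOOK_SECRET))
```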
For the original add_post_webhook errors, it didn’t look like those were coming from an external IP – in the logs from December 9, the top user agent was just “WordPress/6.4.2; https://leifandthorn.com” (10762 hits).
So it sure looks like it was WP in an infinite loop of sending bad requests to itself.
The only IP address that accessed the site more than 10K times on December 9 was 34.174.37.58 (Google) (14037 hits), which seems excessive (what was it doing, re-crawling the entire site that day?), but not malicious, unless I’m missing something.
The shorter errors I posted about on the 11th don’t match with entries in the site access logs at all – so, no idea who/what/where those are from.