5G Blacklist 2012

Posted on January 11, 2012 in HTAccess, Security by

The 5G Blacklist helps reduce the number of malicious URL requests that hit your website. It’s one of many ways to improve the security of your site and protect against evil exploits, bad requests, and other nefarious garbage.

After extensive beta testing, the 5G Blacklist/Firewall is solid and ready to help secure sites hosted on Apache servers. Beyond its own beta round, the 5G is the fifth major update of my “G”-series blacklists. Here is a quick overview of its evolution:

  1. Ultimate htaccess Blacklist (Compressed Version)
  2. 2G Blacklist: Closing the Door on Malicious Attacks
  3. Perishable Press 3G Blacklist
  4. The Perishable Press 4G Blacklist
  5. 5G Firewall (Beta)

Along the way, I’ve explored a wide variety of different blacklist techniques. The 5G is the culmination of all these efforts, and will eventually be replaced by the imminent 6G Blacklist/Firewall.

What it does

The 5G Blacklist is a simple, flexible blacklist that checks all URI requests against a series of carefully constructed HTAccess directives. This happens quietly behind the scenes at the server level: blocked requests never reach PHP or MySQL, so those resources stay available for legitimate traffic.

How it works

Blacklists can block just about any part of a request: IP, user agent, request string, query string, referrer, and everything in between. But IP addresses change constantly, and user agents and referrers are easily spoofed. As discussed, request strings yield the best results: greater protection with fewer false positives.

The 5G works beautifully with WordPress, and should help any site conserve bandwidth and server resources while protecting against malicious activity.

How to use

To install the 5G Firewall, append the following code to your site’s root .htaccess:

# 5G BLACKLIST/FIREWALL
# @ http://perishablepress.com/5g-blacklist/

# 5G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteCond %{QUERY_STRING} (environ|localhost|mosconfig|scanner) [NC,OR]
 RewriteCond %{QUERY_STRING} (menu|mod|path|tag)\=\.?/? [NC,OR]
 RewriteCond %{QUERY_STRING} boot\.ini  [NC,OR]
 RewriteCond %{QUERY_STRING} echo.*kae  [NC,OR]
 RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\%27$   [NC,OR]
 RewriteCond %{QUERY_STRING} \=\\\'$    [NC,OR]
 RewriteCond %{QUERY_STRING} \.\./      [NC,OR]
 RewriteCond %{QUERY_STRING} \?         [NC,OR]
 RewriteCond %{QUERY_STRING} \:         [NC,OR]
 RewriteCond %{QUERY_STRING} \[         [NC,OR]
 RewriteCond %{QUERY_STRING} \]         [NC]
 RewriteRule .* - [F]
</IfModule>

# 5G:[USER AGENTS]
<IfModule mod_setenvif.c>
 SetEnvIfNoCase User-Agent ^$ keep_out
 SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot)   keep_out
 SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
 SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid)   keep_out
 SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder|turnit)   keep_out
 SetEnvIfNoCase User-Agent (zmeu|nutch|vikspider|binlar|sucker) keep_out
 <Limit GET POST PUT>
  Order Allow,Deny
  Allow from all
  Deny from env=keep_out
 </Limit>
</IfModule>

# 5G:[REQUEST STRINGS]
<IfModule mod_alias.c>
 RedirectMatch 403 (https?|ftp|php)\://
 RedirectMatch 403 /(cgi|https?|ima|ucp)/
 RedirectMatch 403 /(Permanent|Better)$
 RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
 RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
 RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
 RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
 RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
 RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
 RedirectMatch 403 \.well\-known/host\-meta
 RedirectMatch 403 /function\.array\-rand
 RedirectMatch 403 \)\;\$\(this\)\.html\(
 RedirectMatch 403 proc/self/environ
 RedirectMatch 403 msnbot\.htm\)\.\_
 RedirectMatch 403 /ref\.outcontrol
 RedirectMatch 403 com\_cropimage
 RedirectMatch 403 indonesia\.htm
 RedirectMatch 403 \{\$itemURL\}
 RedirectMatch 403 function\(\)
 RedirectMatch 403 labels\.rdf
 RedirectMatch 403 /playing.php
 RedirectMatch 403 muieblackcat
</IfModule>

# 5G:[BAD IPS]
<Limit GET POST PUT>
 Order Allow,Deny
 Allow from all
 # uncomment/edit/repeat next line to block IPs
 # Deny from 123.456.789
</Limit>

That’s the golden ticket right there. The 5G Firewall is serious protection for your website: extensively tested, plug-n-play, and completely free. “Grab, gulp, n go” as they say. For more information, see the beta article (and comments).

Troubleshooting

Remember, test thoroughly. If something stops working when the 5G is installed, try removing the 5G. If things start working normally again, you can either pass on the 5G or investigate further. Investigating further is straightforward using something like the halving method, where you remove chunks of the 5G until you isolate the rule that is causing the issue. Here is a quick example:

  • I’ve installed the 5G, thanks Jeff.
  • Uh-oh, the page at http://example.com/indonesia.html stopped loading
  • Hmm, the URL contains the phrase “indonesia”, so let’s check the 5G for it
  • Yep, there’s a rule that blocks indonesia\.htm
  • Removing that line resolves the issue, thanks me.

Is it okay to remove rules that are blocking your own pages? Yes, the only downside is that malicious requests that would have otherwise been blocked will now get through. The 5G will continue to block a massive volume of malicious requests — it’ll just be a bit less effective. The protective effect is cumulative, not dependent on any one rule. So customization is encouraged. Once you dial it in, you’re all set.
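Because every rule in the listing above is a regular expression applied either to the query string (the RewriteCond lines) or to the URL path (the RedirectMatch lines), the halving method can be short-circuited by running your own site’s URLs through the same patterns before you deploy. The following Python script is an added example, not part of the original article or of the 5G itself: it copies the query-string and request-string patterns from the listing and reports, for each URL, every rule that would answer 403. The sample URLs are constructed (the troubleshooting example from above, a timthumb-style URL and a WordPress nav-menu URL like the ones readers reported, a traversal probe, and a plain permalink). It assumes that Python’s `re` treats these particular patterns the same way Apache’s regex engine does, which holds for this list, and it is a preflight check rather than a substitute for testing on the server; the user-agent and IP sections are not modelled.

```python
import re
from urllib.parse import unquote, urlsplit

# Patterns copied verbatim from the 5G:[QUERY STRINGS] section.
# Apache tests them against %{QUERY_STRING} (the raw, still URL-encoded
# query), OR'd together and case-insensitively ([NC]).
QUERY_STRING_PATTERNS = [
    r"(environ|localhost|mosconfig|scanner)",
    r"(menu|mod|path|tag)\=\.?/?",
    r"boot\.ini",
    r"echo.*kae",
    r"etc/passwd",
    r"\=\\%27$",
    r"\=\\\'$",
    r"\.\./",
    r"\?",
    r"\:",
    r"\[",
    r"\]",
]

# Patterns copied verbatim from the 5G:[REQUEST STRINGS] section.
# RedirectMatch tests them against the decoded URL path only (never the
# query string) and, unlike the [NC] RewriteCond lines, case-sensitively.
REQUEST_STRING_PATTERNS = [
    r"(https?|ftp|php)\://",
    r"/(cgi|https?|ima|ucp)/",
    r"/(Permanent|Better)$",
    r"(\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$",
    r'(\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")',
    r"\.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$",
    r"/(contac|fpw|install|pingserver|register)\.php$",
    r"(base64|crossdomain|localhost|wwwroot|e107\_)",
    r"(eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)",
    r"\.well\-known/host\-meta",
    r"/function\.array\-rand",
    r"\)\;\$\(this\)\.html\(",
    r"proc/self/environ",
    r"msnbot\.htm\)\.\_",
    r"/ref\.outcontrol",
    r"com\_cropimage",
    r"indonesia\.htm",
    r"\{\$itemURL\}",
    r"function\(\)",
    r"labels\.rdf",
    r"/playing.php",
    r"muieblackcat",
]


def matching_rules(patterns, subject, flags=0):
    """Return every pattern in `patterns` that re.search() finds in `subject`."""
    return [p for p in patterns if re.search(p, subject, flags)]


def check_url(url):
    """Dry-run the two pattern sections against one absolute URL.

    Returns a list of (section, pattern) pairs, one per rule that would
    answer 403; an empty list means the URL passes both sections.
    Reporting every hit, not just the first, is what replaces the halving
    method: a legitimate URL that is blocked shows exactly which line(s)
    to comment out.
    """
    parts = urlsplit(url)
    hits = [("QUERY STRINGS", p)
            for p in matching_rules(QUERY_STRING_PATTERNS, parts.query, re.IGNORECASE)]
    hits += [("REQUEST STRINGS", p)
             for p in matching_rules(REQUEST_STRING_PATTERNS, unquote(parts.path))]
    return hits


def report(urls):
    """Return {url: hits} for a batch of URLs (e.g. your sitemap plus admin links)."""
    return {u: check_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs (see the lead-in); example.com is a placeholder host.
    SAMPLE_URLS = [
        "http://example.com/indonesia.html",
        "http://example.com/wp-content/themes/mytheme/th.php?src=http://example.com/images/photo.jpg&w=640&h=365",
        "http://example.com/wp-admin/nav-menus.php?action=edit&menu=3",
        "http://example.com/index.php?page=../../../etc/passwd",
        "http://example.com/2012/01/hello-world/",
    ]
    for url, hits in report(SAMPLE_URLS).items():
        verdict = "PASS" if not hits else "403 via " + "; ".join(f"[{s}] {p}" for s, p in hits)
        print(f"{url}\n    {verdict}")
```

Feed it the URLs from your sitemap and the admin links you use every day; any hit on a legitimate URL names the exact line to remove, and the remaining rules keep working as described above. The `\:` hit on the timthumb-style URL and the `menu=` hit on the nav-menu URL are the two false positives readers report in the comments.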

Disclaimer

The 5G Firewall is provided “as-is”, with the intention of helping site administrators protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk & responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.

Learn more..

To learn more about the theory and development of the 5G Firewall, check out my articles on building the 3G, 4G and 5G Blacklist. A search for “blacklist” in the sidebar should also yield many results.

Happy securing!

75 Responses

  1. JerryHopper says:

    Great stuff!
    I’ve been using last year’s edition, without problems. This is probably a must for all webmasters!

    thanks!

  2. Jon B says:

    Love it, Jeff. Thanks so much for keeping up on this AND for making it available. So valuable, man. Thanks again.

  3. rpoole@wh2p.com says:

    I’m thinking I’m using your last years version or maybe the version before? However I still get emails with “5 failed login attempts to account servername” every other day or so. Am I correct thinking this goes in the public_html directory? Or up a level?

    • Jeff Starr says:

      The public_html directory should do the trick, but if you’re getting errors, they can be tracked down in your server’s error log. Could be the 5G interfering, or it could be something else. Always good to investigate further.

  4. Isiah says:

    I’ve been using the 4G version (and added to it), so will implement this asap. Thanx for being so altruistic and sharing it.

    Cheers
    I

  5. Hi Jeff – the only issue I’m seeing is with timthumb files. Is there something I can comment out, or am I doing something wrong?

    http://dev.mostlyjunkfood.com/wp-content/themes/mostlyjunkfood-v.2/th.php?src=http://dev.mostlyjunkfood.com/treats/2012/01/beyonce_hov.jpeg&w=640&h=365

    • Jeff Starr says:

      Looks like a possible match with this line in the query-string section:

      RewriteCond %{QUERY_STRING} \: [NC,OR]

      try commenting that line out with a pound sign (#) and see what happens..

  6. Ben says:

    Thanks Jeff, very cool. Is there any way of applying this at a server level or does it have to be on a site by site basis? Thanks.

    • Jeff Starr says:

      It would involve some reformatting of the code, but yes you could add this to Apache’s configuration file and apply to any/all sites on the server.

      • Scott Cariss says:

        I’d really love to see how you would do this. I’m about to move my clients onto a VPS and it would be nice to get this running on a server level rather than a site by site basis. Any chance of a how-to article about this, Jeff? I’d be forever in your debt.

  7. Ben says:

    Is this something you might consider doing?

  8. I’ve run into a few problems, and was able to fix them since last version. Here they are:

    # RewriteRule .* - [F] # having issue with timthumb if this line is turned on

    # RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\") # "//": Montastic, 100pulse

    # RedirectMatch 403 (base64|crossdomain|localhost|wwwroot) # crossdomain: cooliris

    Cheers,

  9. frances says:

    Hi Jeff,

    thanks for releasing this! I’ve been using the 5G since the beta and found it very handy, along with your blackhole.

    There is one thing that causes some problems in WordPress with nav menus: the second RewriteCond line contains ‘menu’, which for me on all of my installs (local and remote) causes a 403 to be thrown. Removing ‘menu’ fixes this.

    thanks again,

    Frances

  10. JeffM says:

    Happy New Year to you and yours, Jeff. Greets from the UK, innit?

    You know, I’ve been following your nG Block Lists for a while and I’ve gotten infected with the total OCD-ness of them. It’s like RAGE on steroids; I share your pain.

    Your 5G is cool, but consider this: the current Apache regex engine is pretty sophisticated (it’s Perl 5). You can optimize it with payback. Couple of tips:

    Concatenate patterns as much as you can. Up to a pattern length of 300-500 characters, there’s a significant performance boost compared to iterating multiple, shorter patterns.
    Above that, the overhead of long-pattern syntax-checking starts to kick in. Law of diminishing returns, I guess.

    Wherever possible, your regex patterns should look to start on some boundary, even if it’s just a word boundary (\b). Try to avoid creating unnecessary back-references, which slow the engine.

    If you want to use mod_setenvif on the user agent, then the BrowserMatchNoCase subset is a better alternative to SetEnvIfNoCase User-Agent.
    Using a <Limit GET POST PUT> container is not actually required, and may not always get you the result you want. mod_access is part of core; the Deny directive can just be dropped in.

    If you’re denying or redirecting and you have a custom 403 or 410 page, you MUST prefix a mod-rewrite section with an ‘escape clause’ to let them through to that ‘error page’.

    FYI, inspired by your previous work, I too have been working on a firewall generator, based on analysis of my own access logs since Spring 2011.

    You can view the current state of progress. Mind-boggling I know, but I’ll be interested to hear what others think.

    Posting the generator script at ZB soon.

    Maybe we could knock heads on this? I have many other juicy bits to share.

    • Jiji says:

      I post here to get as much attention as possible:

      Deny from 78.160.15.253
      Deny from 78.160.52.13

      You are safe to block these 2 IP addresses, as they were used by some Turkish hackers on my site. My site was hacked 3 times in the last 1 month, it is very frustrating.

      This is also a good post regarding WordPress security:
      http://wp.tutsplus.com/tutorials/security/20-steps-to-a-flexible-and-secure-wordpress-installation/

      • jeffM says:

        That’s Turk Telekom. Its network is riddled with compromised domestic workstations on DSL. Botnet boxes, in other words.
        It’s hard to find an IP in the 78.60.0.0 range that isn’t known to be connected to hacking and/or spamming.
        Search on ‘AS report AS9121’, get an idea of the scale of their network.

        You could Deny from 78.160.0.0/11, but they’ll still get at you from another range. It’s not a trivial task.

      • Jiji says:

        True, banning IPs is not the most reliable way of protection. I do not know if it is the same group, but the last time (today) I could see some actions from a US IP and one from Italy, too.

        Somehow they got access to wp-admin and could edit from there theme and plugin php files.

  11. Bobby Jones says:

    Awesome! Good work on the 5G Blacklist. I can confirm the menu issue reported by frances: removing the word “menu” from line two of the QUERY STRINGS section does indeed fix the problem. Also, you may want to let Joomla users know that the word “path” in the same line will cause a 403 error if you attempt to access the Options menu from within the Article Manager. Removing the word “path” fixes this issue. Thanks again, keep up the good work!

  12. JeffM says:

    Wow! Kiwis pick stuff up real quick!

  13. Obinna says:

    Is this only for wordpress sites? Does this work on SMF forums? SMF version 2.0.2. I have a forum I want to install it on.

  14. egiova says:

    You saved my day! Thanks for sharing.

  15. Absolutely fab! Using this across a few of my sites and works well.

    One issue I have found is that it blocks Google+ from sharing a page on the site. I get an error and Google+ doesn’t give me the preview. When I removed the 5G Firewall it worked, so something is blocking it.

    • I was wondering if anyone knew what could be causing the conflict when using the 5G Firewall with Google+ sharing as I mentioned above? I’ve had to remove it from my sites until I work out what the issue could be. I haven’t tried it with other social media sites such as Facebook or Twitter, but I can confirm that there is an issue with Google+. I’d love to solve the issue!

  16. Mark says:

    Thanks 1’000 times Jeff.
    It worked out of the box for WordPress.

    I noticed today that some tit is trying the following exploits by url:

    //phpMyAdmin-2.5.7-pl1/index.php 41.203.119.18
    //phpMyAdmin-2.5.7/index.php 41.203.119.18
    //phpMyAdmin-2.5.6/index.php 41.203.119.18
    .
    .
    .

    [Editor's note: log excerpt edited to conserve resources]

    Apart now from adding those two ip addresses, how else can I send them to hell please?

  17. b says:

    Thanks. I’m trying it after having some problems with bad-bots.

  18. Mark says:

    Ok, I’m learning …
    I added

    RedirectMatch 403 myphp
    RedirectMatch 403 phpmy
    RedirectMatch 403 websql
    RedirectMatch 403 dbadmin
    RedirectMatch 403 php-my-admin
    RedirectMatch 403 xampp
    RedirectMatch 403 mysql
    RedirectMatch 403 typo3
    RedirectMatch 403 phpmyadmin

    and it works. Should these lines be separate, or can you combine it ?

    Good thing I found you, I have these exploits on 15 domains …

    What is better: to show a 403 page that says nothing, or to let the Parallels Hsphere 403 error page come?

  19. Jeff Starr says:

    Looks like a good start, here’s what I came up with:

    RedirectMatch 403 (phpMyAdmin|php\-my\-admin)
    RedirectMatch 403 (websql|mysqladmin|pma|mysql|myadmin|dbadmin|db|cdr)

    Needs testing and could be further refined based on existing site URIs.

    Using the default server error page is my advice, but I’ve seen a cool technique where blocks are kicked directly back to localhost.

    • Obinna says:

      Thanks for a great hack man. But I need to know this before I use the 5G blacklist. Does it work on forums (SMF 2.0.2)? Or is it only configured for wordpress sites? Thanks!

  20. Mark says:

    Thanks Jeff,
    You seriously kick ass!

  21. Alo Konsen says:

    Just installed it. Thanks!

  22. Mark says:

    Jeff, I was wondering, isn’t there the makings of a nice product/service in here if you combine the 5G blacklist with your Error logging script and then add the functionality of doing reverse ip lookups and sending emails to the Abuse address listed in the ARIN and other databases, once a certain level of repeated 301 errors are produced?

    Offer the basics free and then make the more advanced features paid for.
    And if there was a plugin for WordPress you’d be able to service a lot of troubled people.

    In fact, you could have a “share” feature in the script that aggregates the 301 exploits sort of in real time and thus have the possibility to push an updated .htaccess or whatever down the line for people to install for better protection.

    Once the presets trigger, all people on the subscription would be informed of a new issue or ip to block. As the attack moves to a different address, the ip can be released again, with multiple offenders getting a more permanent level of blocking. Something in the order of defining several levels of blocking.

    If you also have selectors that the user can click on, people that want to, could also decide to include country level ip blocks if they wanted to.

    Wish I had the skills to do this … :-)

    • Jeff Starr says:

      It’s a great idea Mark, and I’ve thought about doing something similar for quite awhile now; the only thing really stopping me is the time factor, just not enough these days.

      For the record though, there are existing services that function similarly to what you describe, but much more is certainly possible ;)

  23. Paul says:

    Such a great script you provide Jeff. Thank you so much, I have been checking back every few weeks for the past few months waiting on the final release.

    I will be checking this out this weekend on my server. I do have a question about mentions regarding server wide usage. If I have 1 install of wordpress Multisite in the root of public_html, will this work ok with it?

  24. Jeriff says:

    # Anti XSS protection
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index_error.php [F,L]
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

    # Anti cross site tracing - protection
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

    http://www.hackosis.com/simple-htaccess-intrusion-detection-system/

    I strongly suggest u integrate this idea into your 5G blacklists.

    • Jeff Starr says:

      Hey Jeriff,

      Looks like some good stuff in there, so definitely will investigate further for possible inclusion with the imminent 6G. Note that I cover many of these rules in this article. Either way, thanks for sharing.

  25. ale says:

    thanks so much for sharing the awesomeness!!! I’m updating all the htaccess files now :D

  26. mascali says:

    Grazie mille!

    Many thanks in italian (or 1000 thanks?)

  27. mascali says:

    @Jeff

    what about jeffM comment : “..you might try commenting-out the https blocking sections from 5G…”?

    Thanks

    • Jeff Starr says:

      Any of the 5G patterns/expressions may be removed if needed or called for.. the https is implied and not considered as part of the request string, so its purpose is to stop further instances of the string from being included in the URI.

  28. Paul says:

    Everything seemed to work ok on a WordPress Multisite Install. I only had to comment out this line:

    #SetEnvIfNoCase User-Agent ^$ keep_out

    As it interfered with a slider image script on 1 page only. It was Not a timthumb script, just FYI.

    Please let me know what that line does, I assume it is if the User-Agent is blank?

    • Jeff Starr says:

      Yep, that’s exactly what that does – blocks blank user-agents.

      • jeffM says:

        I’ve not seen “/” as a UA, only as the referrer field: in Nov/2011 from a fastwebserver.de box hosting two sites, one of which was running Zookabot. An earlier visit (May/2011) from another Zookabot script on the same network showed the referrer empty, “-”. So I wonder ‘why the slash?’

        For the UA, I just think ^-?$ is so cheap and sweet, and lets one make interesting noises at parties ;)

    • jeffM says:

      Not all empty user agents are truly empty. At least one bot has sent a single hyphen as its UA to dodge that regex. Only detectable in real time, it’s cloaked in the logs.

      Cover that with: ^-?$.

      FWIW, I’ve also seen ‘/’ sent as a referrer string.

      • Jeff Starr says:

        Thanks for teh codez jeffM!

        I’ve seen those request strings, crazy stuffz indeed.. say, what’s up with the “only detectable in real time” bit? That sounds interesting, as far as the cloaking and whatnot..

      • jeffM says:

        If I send you ‘-’ as my UA, I defeat your ^$. You’ll only know I sent ‘-’ if you read it off the wire (real time).

        In your logs you’ll see “-”, which is exactly what I sent, you think my UA was empty. It wasn’t. It was ‘-’ (but your access log syntax cloaked it).

      • Jeff Starr says:

        Ah, I see what you mean.. I think this only applies to Apache’s built-in logs, correct? For custom logging I think you’ll pick up the true UA (ie, the dash), but it’s been awhile since I’ve seen anything similar roll thru.. thoughts?

      • jeffM says:

        Not sure what ‘custom logging’ you have in mind, Jeff. I suspect most hosted Apache setups use Combined Logfile Format, which does show referrer and UA.

        What’s sublime about the hyphen trick is that (in a regular CLF log) the faked UA is hidden in plain sight. You might never figure why ^$ didn’t work.

        My instincts tell me it may be more common than we realize.

      • Jeff Starr says:

        Custom as in via PHP variables recorded in a log file.. I’m pretty sure the dash-only UAs are recorded, and if so I can say that I’ve not seen enough dash or slash UAs to be concerned about. If the custom methods are somehow also misrepresenting, then yes, it could be way more common than people think.
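The exchange above about the hyphen user agent, as an added example that is not part of the original post or its comments: the script below builds Combined Log Format lines for three constructed on-the-wire User-Agent values (header absent, a lone hyphen, and a browser string), parses them back the way a log analyst would, and tests both `^$` and `^-?$` against the on-the-wire value the way `SetEnvIfNoCase User-Agent` does. It assumes, as the thread describes, that Apache logs an absent User-Agent as `-` and records a present one verbatim, and that SetEnvIf tests an absent header as the empty string (which is why `^$` catches blank user agents at all). The client address is a constructed documentation-range value.

```python
import re

# Constructed on-the-wire User-Agent values: header absent, a lone hyphen
# (the trick described in the thread), and an ordinary browser string.
WIRE_USER_AGENTS = [None, "-", "Mozilla/5.0 (X11; Linux x86_64)"]


def clf_line(ua):
    """A constructed Combined Log Format line with `ua` substituted in.

    Assumption (as the thread describes): Apache writes "-" when the header
    is absent and otherwise records the header value verbatim.
    """
    logged = "-" if ua is None else ua
    return ('203.0.113.5 - - [08/Feb/2012:16:23:44 +0000] "GET /index.php HTTP/1.1" '
            f'200 512 "-" "{logged}"')


# client, ident, user, [timestamp], "request", status, bytes, "referrer", "user-agent"
CLF_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"$'
)


def parse_clf(line):
    """Return (client, referrer, user_agent) exactly as recorded in the log."""
    m = CLF_RE.match(line)
    if m is None:
        raise ValueError(f"not a combined-format line: {line!r}")
    return m.group(1), m.group(2), m.group(3)


def blocked_on_wire(pattern, ua):
    """Emulate 'SetEnvIfNoCase User-Agent <pattern> keep_out' on the live request.

    Assumption: an absent header is tested as the empty string.
    """
    return re.search(pattern, "" if ua is None else ua, re.IGNORECASE) is not None


def compare(pattern):
    """For each wire value: (sent, as logged, blocked by `pattern`?)."""
    rows = []
    for ua in WIRE_USER_AGENTS:
        logged_ua = parse_clf(clf_line(ua))[2]
        rows.append((ua, logged_ua, blocked_on_wire(pattern, ua)))
    return rows


def indistinguishable_in_log(ua_a, ua_b):
    """True if two different wire values leave identical log records."""
    return clf_line(ua_a) == clf_line(ua_b)


if __name__ == "__main__":
    for pattern in (r"^$", r"^-?$"):
        print(f"pattern {pattern}:")
        for sent, logged, blocked in compare(pattern):
            print(f"  sent={sent!r:35} logged={logged!r:35} blocked={blocked}")
    print("absent and '-' identical in the log:", indistinguishable_in_log(None, "-"))
```

The output makes the two halves of the thread concrete: with `^$` the hyphen request passes and its log line is byte-for-byte identical to a blank-UA request, so nothing in the access log explains why the rule missed; switching to `^-?$` closes that gap on the wire, while the log stays just as ambiguous.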

  29. Daniel Davidson says:

    Thanks for making this available. For some reason the section:

    # 5G:[USER AGENTS]

    was blocking Google Analytics. Am I just being stupid here, why would this be? Is it also blocking general Google indexing? To get it to do tracking I have had to comment out all the way to

    # 5G:[REQUEST STRINGS]

    Any help or advice would be appreciated!

  30. Marshall says:

    Jeff, thanks a million for this.

    Aside from having an amazing “easiness:effectiveness” ratio, it also provided a situation where I had to learn a little more PHP. (And that’s a good thing!)

    I have a number of scripts I’ve written running on various trusted hosts that call certain other scripts residing on my webserver and process the results. They all broke the instant I added 5G.

    A little troubleshooting revealed that the culprit was “SetEnvIfNoCase User-Agent ^$ keep_out”.

    Who knew that fopen and CURL don’t have a user agent by default?

    I could have just removed the rule, but I knew that was the cheap and dumb way out. So, thanks to you and a little research, I now know about using stream_context_create() with my fopen commands and CURLOPT_USERAGENT with my CURL commands. Everything is back in working order and all my future scripts will be better netizens.

    Thanks!

  31. James says:

    Jeff,

    Thanks, we are running your 5G blacklist, along with some of the additions from the comments herein, on a new path based multisite install. If we run into any issues we will holler, but so far this seems great.

    Funnily enough, last night we had an attempted hack via the turkish telecom ip range – previously it was used by Iranian Muslim hackers targeting christian school sites – defacing them and bringing them down. This is when we got called in, and it will be interesting to see if the security measures we have implemented, including 5G and some of the other commenter suggestions, help put a stop to some of this crap.

    If we can buy you a beer, let us know!

  32. Paul says:

    Is there anyway to add logging to the 5G script so that anyone blocked is logged in a custom log file? I would love to be able to monitor the results to ensure I am not blocking legit traffic and also see it blocking bad traffic.

    • Jeff Starr says:

      Yes you could create a custom script using PHP or just about anything, grab some variables from each request, and print it to a log file on the server. but there’s no need to replicate what’s already available to you in your server log(s). it’s trivial to scan for error codes or even use a search/find to highlight all of the errors. they contain much more information as well.

      • Paul says:

        Thank you Jeff, I’ve tried googling for information on a script to add logging, but I find every article but what I need. Do you or any readers have a link or two about how to add this logging to the htaccess file?

  33. S.w. says:

    This is a good article.

    I’m developing an Apache log reporter (for myself), and I’m sure that your information will help me improve detecting & blocking web attacks.

    Keep up a good work :)
    (btw, I’m using an IP filter (e.g. IPBlock, PeerBlock) to kick them out of the web server.)

  34. Marshall says:

    One very important problem: I discovered this morning that PayPal IPN is blocked because PayPal doesn’t provide a user agent even though people have been screaming at them for ten years to do so. Add in the fact that they change IP addresses from time to time, and there’s no way to block blank user agents without also breaking your ability to receive notifications from PayPal IPN. Ouch.

    • jeffM says:

      Does the PayPal IPN API provide a referrer?
      You might be able to create an exception based on that.

    • Jeff Starr says:

      Yeh that’s lame of PayPal if true.. I would just comment out or remove the rule that blocks blank user-agents, at least until PayPal resolves the issue (i.e., never).

    • MickeyRoush says:

      You may need to use a rule that states is not “!” the PayPal IPN. I’m not sure which one it is, but here are the links.

      https://ppmts.custhelp.com/app/answers/detail/a_id/92
      https://ppmts.custhelp.com/app/answers/detail/a_id/883/related/1/session/L2F2LzEvdGltZS8xMzE2NjUzODEyL3NpZC9LSDYtYkhFaw%3D%3D
      https://ppmts.custhelp.com/app/answers/detail/a_id/250/related/1/session/L2F2LzEvdGltZS8xMzE2NjUzODEyL3NpZC9LSDYtYkhFaw%3D%3D

      But you could actually whitelist PayPal from the 5G rules using a
      RewriteCond %{REMOTE_ADDR} !^xxx.xxx.xxx.xxx$

      Where xxx.xxx.xxx.xxx is the PayPal IPN.

      • Marshall says:

        Unfortunately, PayPal changes IPs from time to time. To make matters worse, a big chunk of them are now handled dynamically by Akamai. Even ignoring the complications introduced by Akamai, whitelisting the IPs becomes an on-going chore, and you lose sales any time you fall behind.

      • MickeyRoush says:

        It’s not so much a task if you whitelist by, say, Class B, leaving off the ending anchor.

        The Akamai information is covered within those links as well, so using that information it would be quite easy and straightforward to whitelist based on Class B or even Class C, depending on how specific you wanted it.

    • jeffM says:

      PP recommend DNS lookups, but your hoster may not permit that. Is there not something in IPN’s REQUEST_URI or QUERY_STRING that you could check?

  35. jeffM says:

    Jeff

    Can I suggest that the mod_setenvif wrapper is maybe not the right place for the empty user agent filter? It’s brutally (potentially fatally) unforgiving since it ignores context. IMHO, the mod_rewrite wrapper (processed later) is the place to express an intelligent decision about the UA.

    My 2 cents.

  36. Paul says:

    I have also noticed this blacklist blocks the script from websitedefender.com anyone know a way to fix this?

  37. Mark says:

    Paul,
    Websitedefender is running on my site without trouble and I have 5G (plus additions) running.

  38. david says:

    Hi,
    I was wondering if someone might be of help. I’d like to keep as much of this code as I can. I am using wordpress 3.3.1 (not wordpress.org). I am trying to use the nrelate plugin and they need to be able to pull my post images. Is there a way to change the blacklist so that only they can get through, in essence whitelisting them?
    I’d appreciate any help at all.
    Thanks!

  39. Christine says:

    Hi Jeff- I was playing with BuddyPress and I found that after adding this to my HTACCESS it stopped allowing me to accept users to groups in the requests panel of a group admin. I removed the code and it worked again fine. No idea why, but thought I should let you know just in case.

  40. Deyson says:

    Hello, has anyone been able to get this script to work with Paypal? I also received an email from PayPal: “Please check your server that handles PayPal Instant Payment Notifications (IPN). IPNs sent to the following URL(s) are failing:”

    Please let me know what I need to add to the script to get it to work with Paypal. Thank you.

  41. conualfy says:

    I think it blocks the addresses containing parameters with dash (-). I cannot get to edit this plugin’s settings and cannot even deactivate it, as the link looks like this:

    http://domain.tld/wp-admin/plugins.php?action=deactivate&plugin=timthumb-vulnerability-scanner%2Ftimthumb-vulnerability-scanner.php&plugin_status=all&paged=1&s&_wpnonce=05cea08e75

    I get wordpress “Page not found” message.

  42. conualfy says:

    I clicked the admin and other links can run ok:

    http://domain.tld/wp-admin/plugin-editor.php?file=subscribe-to-comments/subscribe-to-comments.php

  43. conualfy says:

    I changed the path to plugin files and a long parameter (both containing multiple dashes) and now it works. That seems to be the problem.

  44. Ken says:

    Hi,
    I have been trying out the 5G and have noticed the following semi-frequent error messages in my error log (on HostMonster)

    [Wed Feb 08 16:23:44 2012] [warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.

    [Wed Feb 08 16:24:16 2012] [error] [client 127.0.0.1] (104)Connection reset by peer: ap_content_length_filter: apr_bucket_read() failed

    Use of uninitialized value in concatenation (.) or string at /usr/local/cpanel/cgi-sys/fourohfour.cgi line 31.

    [Wed Feb 08 16:24:16 2012] [error] [client 127.0.0.1] (104)Connection reset by peer: ap_content_length_filter: apr_bucket_read() failed

    Use of uninitialized value in concatenation (.) or string at /usr/local/cpanel/cgi-sys/fourohfour.cgi line 31.

    Are these errors something I should be commenting out in 5G?

    Are they anything that should be added to 5G?

    This inquiring mind wants to know! ;-)

    In general, I am seeing *way* fewer “errors” from bozos and bots trying to sniff around my site.

    Great Work!
    Thank you!
    Ken

  45. Dan says:

    Hey, I got here from watching your security for wordpress video on lynda.com. I have not uploaded my website yet, I’m just about to, I am using bluehost. I put this code in my .htaccess, but certain things don’t work. I figured out it was this line: RewriteCond %{QUERY_STRING} (environ|localhost|mosconfig|scanner) [NC,OR]. I guess because I’m using localhost to access my site right now? After I upload it should I stick this piece of code back in?

    Also there seems to be so much security I need. In the lynda course wordpress basics they show you how to make a self hosted site and upload it, but they don’t talk much about security. I only found out about it after making my site so I couldn’t do things like change the wp_ rows. If I just did what they showed me in that course and didn’t add security features that I learned in your course, would my wordpress site even be safe on bluehost?

    Sorry for so many questions, thanks again!

    Thanks!