
5G Blacklist 2013

Following up on much feedback (and this post), here is an update for the 5G Blacklist for 2013. As explained in the 2012 article (and elsewhere), the 5G Blacklist helps reduce the number of malicious URL requests that hit your website. It’s one of many ways to improve the security of your site and protect against evil exploits, bad requests, and other nefarious garbage. If your site runs on Apache and you’re familiar with .htaccess, the 5G is an effective way to secure your site against malicious HTTP requests and other suspect activity.

Update: Check out the new and improved 6G Firewall »

About the 5G Blacklist

The 5G Blacklist is a simple, flexible blacklist that checks all URI requests against a series of carefully constructed HTAccess directives. This happens quietly behind the scenes at the server level: a blocked request is rejected by Apache before it ever reaches PHP or MySQL, so those resources are saved for legitimate traffic.

How it works

Blacklists can block just about any part of a request: IP, user agent, request string, query string, referrer, and everything in between. But IP addresses change constantly, and user agents and referrers are easily spoofed. As discussed, request strings yield the best results: greater protection with fewer false positives.

The 5G works beautifully with WordPress, and should help any site conserve bandwidth and server resources while protecting against malicious activity.

5G Blacklist 2013

Here is the third version of the 5th generation blacklist:

# 5G BLACKLIST/FIREWALL (2013)
# @ https://perishablepress.com/5g-blacklist-2013/

# 5G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteCond %{QUERY_STRING} (\"|%22).*(<|>|%3) [NC,OR]
	RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
	RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR]
	RewriteCond %{QUERY_STRING} (\\|\.\./|`|=\'$|=%27$) [NC,OR]
	RewriteCond %{QUERY_STRING} (\;|\'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
	RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR]
	RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
	RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC]
	RewriteRule .* - [F]
</IfModule>

# 5G:[USER AGENTS]
<IfModule mod_setenvif.c>
	# SetEnvIfNoCase User-Agent ^$ keep_out
	SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
	<limit GET POST PUT>
		Order Allow,Deny
		Allow from all
		Deny from env=keep_out
	</limit>
</IfModule>

# 5G:[REQUEST STRINGS]
<IfModule mod_alias.c>
	RedirectMatch 403 (https?|ftp|php)\://
	RedirectMatch 403 /(https?|ima|ucp)/
	RedirectMatch 403 /(Permanent|Better)$
	RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
	RedirectMatch 403 (\,|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
	RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
	RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
	RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
	RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
	RedirectMatch 403 \.well\-known/host\-meta
	RedirectMatch 403 /function\.array\-rand
	RedirectMatch 403 \)\;\$\(this\)\.html\(
	RedirectMatch 403 proc/self/environ
	RedirectMatch 403 msnbot\.htm\)\.\_
	RedirectMatch 403 /ref\.outcontrol
	RedirectMatch 403 com\_cropimage
	RedirectMatch 403 indonesia\.htm
	RedirectMatch 403 \{\$itemURL\}
	RedirectMatch 403 function\(\)
	RedirectMatch 403 labels\.rdf
	RedirectMatch 403 /playing.php
	RedirectMatch 403 muieblackcat
</IfModule>

# 5G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
	RewriteRule .* - [F]
</IfModule>

# 5G:[BAD IPS]
<limit GET POST PUT>
	Order Allow,Deny
	Allow from all
	# uncomment/edit/repeat next line to block IPs
	# Deny from 123.456.789
</limit>

To use: include the entire 5G Blacklist in the root .htaccess file of your site. Remember to back up your original .htaccess file before making any changes. Test thoroughly while enjoying your favorite beverage. If you encounter any issues, please read the troubleshooting tips and/or leave a comment to report a bug.

Note: in some cases it may be necessary to place the QUERY STRING rules before WP-permalink rules.

Update (2015/04/03): removed jakarta from the user-agent portion of the list. Reason? LinkedIn actually includes the term “jakarta” in their user-agent string:

LinkedInBot/1.0 (compatible; Mozilla/5.0; Jakarta Commons-HttpClient/3.1 +http://www.linkedin.com)

</update>

Pre-changelog notes

The changes made for 5G 2013 are aimed at maximizing compatibility. Unfortunately, a number of required changes are due to improper coding and ignoring HTTP specifications. As mentioned previously, using unsafe characters in URLs obsoletes security measures that are based on pattern-matching, which is integral to the process of blocking malicious activity.

To illustrate, it is possible to protect against a wide range of malicious requests by blocking unsafe characters such as unencoded question marks “?” included within the query string. Firewalls, blacklists, security plugins and scripts are able to safely block such bad requests UNTIL some widely used service such as Google Adwords decides to start including multiple unencoded question marks in their query strings. Suddenly blocking potentially dangerous “?” requests is useless because nobody wants to block legitimate (Google) traffic.

Moral of the story: if you develop for the Web, contribute to its security by encoding your URLs according to spec. If you use security plugins, firewalls/blacklists, and scripts that rely on pattern-matching to protect your site, please encourage and educate others about the importance of adhering to HTTP specifications.</rant>

Changelog

Removed from QUERY STRINGS

  • Square brackets “[” and “]” (details)
  • Colon “:” (details)
  • Unencoded question mark “\?” (WP previews, Piwik, Adwords, et al)
  • Removed “(menu|mod|path|tag)\=\.?/?” (WP menus, WP Super Cache, Joomla, Googlebot, et al)
  • Removed “environ” (common string)
  • Removed “scanner” (various WP plugins)
  • Removed “%3E” (common string)
  • Escaped backslash, from “\” to “\\”

Removed from USER AGENTS

  • Commented out match for blank/empty user-agent “^$” (PayPal, WP-Piwik, et al)
  • Removed match for “libwww” (used by Lynx browser)

Removed from REQUEST STRINGS

  • Double forward slash “//” (Pingdom, gtmetrix, et al)
  • Removed match for “/cgi/” (Fancy indexes, Authentication)

Added to QUERY STRINGS (5G 2013)

  • “TRACE” and “TRACK”
  • base64_encode.*\(
  • \|%3E
  • GLOBALS(=|\[|\%)
  • REQUEST(=|\[|\%)
  • `
  • (\"|%22).*(<|>|%3)
  • (<|%3C).*script.*(>|%3)
  • (javascript:).*(\;)
  • (\;|\'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if)

Other changes

Optimized syntax, improved formatting.

Troubleshooting

If there is an error, remove the code and make a backup of your original .htaccess file (if you haven’t already done so). Investigate the URL for whichever page is blocked or not working, making note of any non-alphanumeric characters or anything else that looks unusual. With a good idea of what to look for, examine the 5G directives to see if anything looks similar. If so, try removing (or commenting out) the offending line (or characters) and see if that resolves the issue.

If that doesn’t work, further investigation is required, and there are numerous ways of going about it. Here is a good walkthrough of my halving method of isolating problematic code, which I recommend unless you have your own favorite way of troubleshooting ;)
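When a legitimate page returns a 403, the quickest way to find the offending directive is to replay the request against the 5G patterns offline rather than halving the .htaccess file. The script below is an added example in Python and is not part of the 5G itself or the author’s code; it copies the 5G patterns from the listing above into Python regexes and reports which section and which pattern fires for a given request. It assumes Apache’s usual behaviour as I understand it: `RewriteCond %{QUERY_STRING}` sees the raw, still %-encoded query string (which is why the 5G lists both `<` and `%3C` forms of each character), `RedirectMatch` matches the %-decoded URL path only, `[NC]` and `SetEnvIfNoCase` are case-insensitive, and `RedirectMatch` and the request-method check are case-sensitive. The sample requests are constructed; the first is the mod_pagespeed URL reported in the comments, which the comma rule rejects.

```python
"""Offline tester for the 5G Blacklist (2013): which rule would block a request?

Added example, not part of the 5G itself. It replays one request (path,
query string, method, User-Agent) against the 5G patterns from the post
and reports every section/pattern that fires, so a mystery 403 can be
traced to one line instead of bisecting the .htaccess file.

Assumed Apache behaviour (my reading of mod_rewrite/mod_alias, not
verified against a live server here): %{QUERY_STRING} is raw/%-encoded,
RedirectMatch sees the %-decoded path only, [NC]/SetEnvIfNoCase ignore
case, RedirectMatch and the REQUEST_METHOD check do not.
"""
import re
from urllib.parse import unquote, urlsplit

# 5G:[QUERY STRINGS] -- RewriteCond %{QUERY_STRING} ... [NC]
QUERY_STRING_PATTERNS = [
    r"(\"|%22).*(<|>|%3)",
    r"(javascript:).*(\;)",
    r"(<|%3C).*script.*(>|%3)",
    r"(\\|\.\./|`|=\'$|=%27$)",
    r"(\;|\'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if)",
    r"(base64_encode|localhost|mosconfig)",
    r"(boot\.ini|echo.*kae|etc/passwd)",
    r"(GLOBALS|REQUEST)(=|\[|%)",
]

# 5G:[USER AGENTS] -- SetEnvIfNoCase User-Agent ... keep_out
USER_AGENT_PATTERN = (
    r"(binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|"
    r"ia_archiver|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|"
    r"turnit|vikspider|zmeu)"
)

# 5G:[REQUEST STRINGS] -- RedirectMatch 403 ...
REQUEST_STRING_PATTERNS = [
    r"(https?|ftp|php)\://",
    r"/(https?|ima|ucp)/",
    r"/(Permanent|Better)$",
    r"(\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$",
    r"(\,|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")",
    r"\.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$",
    r"/(contac|fpw|install|pingserver|register)\.php$",
    r"(base64|crossdomain|localhost|wwwroot|e107\_)",
    r"(eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)",
    r"\.well\-known/host\-meta", r"/function\.array\-rand",
    r"\)\;\$\(this\)\.html\(", r"proc/self/environ",
    r"msnbot\.htm\)\.\_", r"/ref\.outcontrol", r"com\_cropimage",
    r"indonesia\.htm", r"\{\$itemURL\}", r"function\(\)",
    r"labels\.rdf", r"/playing.php", r"muieblackcat",
]

# 5G:[REQUEST METHOD]
REQUEST_METHOD_PATTERN = r"^(TRACE|TRACK)"


def diagnose(url, method="GET", user_agent=""):
    """Return [(section, pattern), ...] for every 5G rule the request trips.

    url is the request target as sent on the wire, e.g. "/blog/?p=12".
    An empty list means the 5G would let the request through.
    """
    parts = urlsplit(url)
    raw_query = parts.query             # kept %-encoded, like %{QUERY_STRING}
    decoded_path = unquote(parts.path)  # what RedirectMatch compares against
    hits = []
    if re.search(REQUEST_METHOD_PATTERN, method):
        hits.append(("REQUEST METHOD", REQUEST_METHOD_PATTERN))
    for pat in QUERY_STRING_PATTERNS:
        if re.search(pat, raw_query, re.IGNORECASE):
            hits.append(("QUERY STRINGS", pat))
    if user_agent and re.search(USER_AGENT_PATTERN, user_agent, re.IGNORECASE):
        hits.append(("USER AGENTS", USER_AGENT_PATTERN))
    for pat in REQUEST_STRING_PATTERNS:
        if re.search(pat, decoded_path):
            hits.append(("REQUEST STRINGS", pat))
    return hits


if __name__ == "__main__":
    # Constructed sample requests. The first is the mod_pagespeed URL from
    # the comments (the comma rule rejects it, not the query-string section);
    # the second shows that an encoded comma in the path is still a comma
    # once Apache has decoded the path.
    samples = [
        ("GET", "/I.lp_colorstyle_lphome.css+lp_sheets_standard1.css,"
                "Mcc.wYQNBik93w.css.pagespeed.cf.gWSCxfmC0g.css", "Mozilla/5.0"),
        ("GET", "/css/a%2Cb.css", "Mozilla/5.0"),
        ("GET", "/?s=%3Cscript%3Ealert(1)%3C/script%3E", "Mozilla/5.0"),
        ("GET", "/blog/?p=12", "Mozilla/5.0"),
        ("TRACE", "/", "Mozilla/5.0"),
        ("GET", "/", "pycurl/7.19"),
    ]
    for method, url, ua in samples:
        hits = diagnose(url, method, ua)
        print(("403 " if hits else "pass") + f" {method} {url}")
        for section, pat in hits:
            print(f"       {section}: {pat}")
```

Paste the exact URL from your access log (or from the browser’s network tab) as the `url` argument; the reported pattern is the line to comment out or loosen, and re-running after each change confirms the fix without touching the live site. The tester only covers the five 5G sections, so a 403 that it cannot explain comes from other directives in the file.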

Show support

If you benefit from my work with the 5G and would like to show support, consider buying a copy of my book, .htaccess made easy. You’ll get a complete guide to .htaccess, exclusive forum access, and a ton of awesome techniques for configuring, optimizing, and securing your site. Your generous support allows me to continue developing 5G/6G and other awesome resources for the community. Thank you!

Disclaimer

The 5G Firewall is provided “as-is”, with the intention of helping site administrators protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk & responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.

Learn more

To learn more about the theory and development of the 5G Firewall, check out my articles on building the 3G, 4G and 5G Blacklist. The 6G beta article also contains some good information. And if all that’s not enough, a quick search for “blacklist” in the sidebar should also yield many results.

About the Author
Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.

91 responses to “5G Blacklist 2013”

  1. Thanks for this.

    Does it matter where the 5G is placed? What I mean is that I have a few other lines of code in my .htaccess – is it ok just to place it below the existing stuff?

    Also, what do you think about SEO, does/ could this have any effect on white hat bots scanning your site?

    Thanks again

    • It depends on the setup; in most cases the 5G may be placed anywhere in the file, but on some sites it’s necessary to place it before the WordPress permalink rules. A few quick tests should tell you if it’s working.

      The 5G allows legitimate behavior and does not explicitly block any “white-hat” bots; rather, 5G blocks malicious requests, regardless of what/who is making them. So if Google for some reason requests a URL that contains blocked characters, the request will be blocked by 5G.

  2. Thank you for your excellent work

    I have a problem with a Facebook comments plugin, and my blog doesn’t show my Facebook followers widget… It must be some line, but I don’t have any idea.
    Can you help me?

    Thanks again Jeff!

  3. Sorry Jeff, recently I put an extension in my browser (NotScripts 0.9.6 for Chrome) and it is my problem.

    Sorry again for the inconvenience, and thank you a lot!

  4. The Query Strings section doesn’t seem to like some mod_pagespeed constructions. e.g.,

    /I.lp_colorstyle_lphome.css+lp_sheets_standard1.css,Mcc.wYQNBik93w.css.pagespeed.cf.gWSCxfmC0g.css

    I’m a Rewrite n00b, can’t tell which condition is triggering it, but successively commented out bits of the 5G Query Strings IfModule until it worked (by then, the whole section was commented out). It may be readily apparent to you what’s triggering the 403 from that query.

  5. Correction: I was wrongly looking at the Query Strings rather than the Request Strings. It appears to be the comma that’s the problem.

  6. Just FYI, I was only seeing this on mobile (AT&T, iPhone, Safari). It worked again after I commented out the Query section, but I think that was only coincidence. mod_pagespeed does not always include a comma in the request.

    Not sure if mod-pagespeed delivers differently to different networks or UAs, but I do see some very quirky other behaviors on the AT&T network, seemingly to do with something they are doing with caching and proxying, particularly for image files.

  7. A client discovered for me that the 5G (2013) Firewall interferes with the “Edit Image” tool bundled with WordPress:

    1. Go to Media > Library, click on an image
    2. Click Edit Image button
    3. Click the Rotate button (for instance)
    4. An error is displayed in red: “Could not load the preview image. Please reload the page and try again.”

    Through trial and error (me not being much of a regex or ajax guy), I found that modifying two lines of the 5G above fixes this:

    1. Line 8, comment out or remove this line:

    RewriteCond %{QUERY_STRING} (\"|%22).*(<|>|%3) [NC,OR]

    2. Line 12, remove the ‘and’ from the string, so it becomes:

    RewriteCond %{QUERY_STRING} (\;|\'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|if) [NC,OR]

    I’m sure those lines are useful, so hope 5G can be updated to allow Edit Image to work without giving up too much security :)

    Regardless, thanks again for a brilliant piece of code for protecting our WP sites!

  8. Joshua Wilson 2013/02/01 12:26 am

    Would any of the rewrite rules affect anything pulling from MaxCDN or Cloudflare?

    I’m also using this rewrite code
    mini firewall 2012-11-13
    # 5G:[WordPress]

  9. Hey Jeff,

    Thanks for helping me with my last little problem. I’m back again. Sorry, your paginated comments make it hard (esp in the 2012 version page) to research if a question has already been asked…

    5G breaks the Contact Form 7 WP plugin (a massively popular contact form plugin). Commenting out request AND query string sets fixes it, but wondering if you’d have an offhand idea of which one specifically might be the culprit?

    Thanks again!

  10. Sorry, I forgot I can sort of do this myself… I now know that it’s not a REQUEST string… But I’m stuck on the QUERY strings.

  11. Hey Jeff,

    I have been using the 5G and love it! I periodically look through my log, perusing it for that “malicious” activity to add to my Deny From IP blocking list. I keep a 404 log and look for patterns. As well, I use Notepad++ and search my server log files for all “wp-login.php” within the document to list only those specific log entries. My site is not a heavy login type site. Only I and a few others should be logging in. With this separate list I look for non-valid IP addresses, looking for any hacking attempts vs. someone randomly bringing up the login screen once or a few times. What I am mainly looking for is a pattern of attempts, either in volume or frequency of attempts throughout the month.

    I have learned that some login hacking scripts first (prior to login attempts) do a /?author=1 through 10 or higher until they get a positive. A positive being WordPress indicating an author exists or doesn’t exist and displaying their posts or indicating the author has no posts. When successful, WordPress displays the login name right on the address bar with the /author/(user name). This method gives them half the equation to the login. I currently use a login blocker; after 3 attempts it locks them out for a period of time.

    Do you have any suggestions regarding better securing against this? Do you think that it is a security hole in WordPress that it displays the username on the address bar? Shouldn’t WordPress instead display the nickname or something else like the display name or nickname on the address bar after doing the author number look up?

    Thanks again,

    p.s.-
    By the way, if you want to know more about the login hacker pattern and the block of specific IP addresses I am seeing from specific countries, send me an email.

  12. Hey Jeff,

    This is a follow up of the post I just did a few minutes ago. I found this web page…

    http://www.question-defense.com/2012/03/20/block-wordpress-user-enumeration-secure-wordpress-against-hacking

    That is suggesting the following solution to the problem I indicated about user enumeration.

    RewriteCond %{REQUEST_URI} ^/$
    RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
    RewriteRule ^(.*)$ http://www.wordpressexample.com/some-real-dir/ [L,R=301]

    They also indicate the following: “You will want to add this near the top of the .htaccess file because if it is added below the normal redirect it is useless.”

    What do you think? Where would I add this to the htaccess with the 5G?

    Thanks,
    Keith

    p.s. – You can combine my posts and like your policy indicates edit it and cut it down from being so wordy.
