
7G Out of Beta

The 7G Firewall was released about a year ago as beta, and has had time now to mature/develop into a stable release. So this is just a heads up that 7G is now officially out of beta and ready for use in live/production environments.

Thank you to everyone who helped with development by providing bug reports and feedback for 7G, very much appreciated.

Learn more and download 7G Firewall »
Want to help test 8G Firewall? Check out the 8G beta sandbox.

For more information about the thinking and work behind the nG-series firewalls, check out this post on building the 4G blacklist.

About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.

17 responses to “7G Out of Beta”

  1. Hey Jeff, I added “7G Out of Beta” to my .htaccess and it doesn’t allow me to add new images in a post or directly to the wp media library.

    • Jeff Starr 2020/01/27 7:38 pm

      Glad to help. When you say that “I added ‘7G Out of Beta’ to my .htaccess”, what exactly are you adding? I ask because this post, “7G Out of Beta”, is just a notification and does not provide any code (look at the post, you will find zero codes).

  2. Friends, when logging blocked requests with a proxy in front of your server, all IPs are those of your proxy. I solved it by adding the PHP code below inside 7g_log.php, just after date_default_timezone_set.

    function get_ip_address() {
    	// Walk the forwarding headers in order of preference and return the first
    	// value that is a usable public IPv4 address; otherwise fall back to the TCP peer.
    	if (!empty($_SERVER['HTTP_CLIENT_IP']) && validate_ip($_SERVER['HTTP_CLIENT_IP'])) {
    		return $_SERVER['HTTP_CLIENT_IP'];
    	}
    	if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    		// X-Forwarded-For may carry a comma-separated chain of hops; explode()
    		// also handles the single-address case, so no separate branch is needed.
    		$iplist = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    		foreach ($iplist as $ip) {
    			$ip = trim($ip);
    			if (validate_ip($ip))
    				return $ip;
    		}
    	}
    	foreach (array('HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED') as $header) {
    		if (!empty($_SERVER[$header]) && validate_ip($_SERVER[$header]))
    			return $_SERVER[$header];
    	}
    	return $_SERVER['REMOTE_ADDR'];
    }
    function validate_ip($ip) {
    	// Reject the literal "unknown", anything that is not a dotted-quad IPv4 address,
    	// and private/reserved ranges (so a proxy's own internal address is skipped).
    	if (strtolower($ip) === 'unknown')
    		return false;
    	$long = ip2long($ip);
    	if ($long === false)
    		return false; // not a valid IPv4 address
    	$ip = sprintf('%u', $long); // unsigned, so the comparisons also hold on 32-bit builds
    	if ($ip >= 0 && $ip <= 50331647) return false;           // 0.0.0.0 - 2.255.255.255
    	if ($ip >= 167772160 && $ip <= 184549375) return false;   // 10.0.0.0/8
    	if ($ip >= 2130706432 && $ip <= 2147483647) return false; // 127.0.0.0/8
    	if ($ip >= 2851995648 && $ip <= 2852061183) return false; // 169.254.0.0/16
    	if ($ip >= 2886729728 && $ip <= 2887778303) return false; // 172.16.0.0/12
    	if ($ip >= 3221225984 && $ip <= 3221226239) return false; // 192.0.2.0/24
    	if ($ip >= 3232235520 && $ip <= 3232301055) return false; // 192.168.0.0/16
    	if ($ip >= 4294967040) return false;                      // 255.255.255.0/24
    	return true;
    }
    
    $_SERVER["REMOTE_ADDR"] = get_ip_address();

  3. Friends, when logging blocked requests with a proxy in front of your server, all IPs are those of your proxy. I solved it by adding the PHP code below inside 7g_log.php, just after date_default_timezone_set.
    https://pastebin.com/Fzcm8T5i
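
    The proxy case raised in the two comments above has one practical caveat: X-Forwarded-For and the other forwarding headers are ordinary request headers, so any client can send them. The following is an added example (not 7G's own code and not the commenter's) of reading the header only when the connection actually came from one of your own proxies, and reading it from the right-hand end, which is the end your proxy appended. The proxy addresses, function names and sample requests are assumptions made up for the example.

```php
<?php
// Added example for the reverse-proxy logging case. Not 7G code and not the
// commenter's code; TRUSTED_PROXIES and the sample requests are assumptions.
// Rule: believe X-Forwarded-For only when the TCP peer (REMOTE_ADDR) is one of
// our proxies, then walk the chain from the right, skipping our own hops.

const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];   // assumed addresses of our reverse proxies

/**
 * Return the address to log for this request.
 *
 * @param string      $remote_addr  $_SERVER['REMOTE_ADDR'], the TCP peer
 * @param string|null $xff          $_SERVER['HTTP_X_FORWARDED_FOR'], or null if absent
 * @param string[]    $trusted      proxies whose X-Forwarded-For we accept
 */
function resolve_client_ip(string $remote_addr, ?string $xff, array $trusted = TRUSTED_PROXIES): string
{
    // Peer is not our proxy: the header came straight from the client, so ignore it.
    if (!in_array($remote_addr, $trusted, true) || $xff === null || trim($xff) === '') {
        return $remote_addr;
    }
    $hops = array_map('trim', explode(',', $xff));
    // Walk from the nearest hop backwards; the first address that is not one of
    // our proxies is the client. Everything left of it was supplied by the client.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trusted, true)) {
            continue;
        }
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];
        }
        // Malformed value in the slot our proxy filled: log the proxy, not garbage.
        return $remote_addr;
    }
    return $remote_addr;   // header listed only our own proxies
}

/** Constructed requests (not real traffic); true when every case resolves as expected. */
function proxy_self_check(): bool
{
    $cases = [
        // [REMOTE_ADDR,   X-Forwarded-For,            expected]
        ['203.0.113.9', '1.2.3.4',                 '203.0.113.9'],  // direct client, forged header ignored
        ['10.0.0.5',    '198.51.100.7',            '198.51.100.7'], // one honest proxy hop
        ['10.0.0.5',    '1.2.3.4, 198.51.100.7',   '198.51.100.7'], // client forged the left entry
        ['10.0.0.5',    '198.51.100.7, 10.0.0.6',  '198.51.100.7'], // two of our proxies chained
        ['10.0.0.5',    'unknown',                 '10.0.0.5'],     // junk in the trusted slot
        ['10.0.0.5',    null,                      '10.0.0.5'],     // no header at all
    ];
    foreach ($cases as [$peer, $xff, $want]) {
        if (resolve_client_ip($peer, $xff) !== $want) {
            return false;
        }
    }
    return true;
}

// Inside 7g_log.php this would take the place of using REMOTE_ADDR directly:
// $_SERVER['REMOTE_ADDR'] = resolve_client_ip($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null);

if (PHP_SAPI === 'cli') {
    echo proxy_self_check() ? "ok\n" : "mismatch\n";
}
```

    Run it with `php resolve_client_ip.php` and it prints `ok`. If your proxy sets a vendor header instead (Cloudflare's CF-Connecting-IP, for instance), apply the same peer check before trusting that header, for the same reason.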

  4. Thank you for your great work and for giving it to us for free. I will be happy to donate something via PayPal from time to time.

  5. Hello Jeff, I have been consulting your blog regularly for 2 years now and I am very grateful for your work and the sharing of knowledge with others. It’s my turn to share with you. I had graphics bugs on the mobile part. The menu icon was gone and I couldn’t change my easy slider from my Enfold theme. I can easily reproduce the errors or make you a screenshot if you wish, just change my .htaccess and it’s done. In the meantime I went back to the 6G version, which produces no error. It could be a mix of extensions and your 7G too. Anyway, I’m ready to share with you and thank you so much for your collaborative work! Cya :)

    • Jeff Starr 2020/02/01 9:50 am

      Hi Arnaud, thanks for the feedback. In order to resolve any bugs with 7G, I need to know the URL(s) that are getting blocked. That way I can compare the URLs with the patterns in the 7G or addon, and then make any necessary corrections. Let me know if any questions about this, glad to help :)

  6. Hi Jeff, as indicated in my email, 7G is only dysfunctional with my WordPress theme, and on both sides (admin and public). It’s hard to unravel who is interfering with what, so I’m back on 6G for the moment. Anyway, thanks a lot for your reply and I will continue to follow the adventures of Perishable Press. Bye :).

  7. I have had very good fortune using these to protect my WordPress installation.

    # PROTECT WORDPRESS FOLDERS AND CONTENTS.
    RewriteCond %{REQUEST_URI} /wp-admin/
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_URI} \.php$ [NC]
    RewriteCond %{REQUEST_URI} !/wp-admin/(load-styles|admin-ajax)\.php$
    RewriteCond %{HTTP:Cookie} !wordpress_logged_in_.+
    RewriteRule .* - [G,L]
    
    RewriteCond %{REQUEST_URI} /wp-includes/
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_URI} \.php$ [NC]
    RewriteCond %{REQUEST_URI} !/wp-includes/js/tinymce/wp-tinymce\.php$
    RewriteCond %{HTTP:Cookie} !wordpress_logged_in_.+
    RewriteRule .* - [G,L]
    
    RewriteCond %{REQUEST_URI} /wp-content/
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_URI} !\.((s?c|le)ss|js(on(p)?)?|gif|ico|jpe?g?|png|svgz?|tiff?|avi|mp(3|4|(e|g)|eg)|eot|otf|tt(f|c)|woff2?)$ [NC]
    RewriteRule .* - [G,L]

    This generally uses the stance of: “Block all access to PHP files except for these, and if the user is not logged in”.

    I came to using these directives after much trial-and-error, and doing a lot of my own research. These may not work the same for everyone else, but they can be tailored to suit. – These I found necessary, as there are constant attempts at trying to access files that should NOT be web-accessible.

    Anyway,

    I hope some folks may find these useful.

    – Jim S.

    • Jeff Starr 2020/02/04 11:40 am

      Thanks for sharing, Jim! Personally I do not recommend these particular techniques, but know that some folks have had success with them. Either way, it’s always good to hear from you :)
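
    To see concretely what Jim's three rule chains refuse, here is an added example (not Jim's rules, not 7G code) that re-expresses the conditions as a PHP function and runs them over constructed requests. The function name, the `$file_exists` flag standing in for `%{REQUEST_FILENAME} -f`, and the sample URIs and cookies are assumptions made up for the example. Two cases are worth noticing: a URI that does not map to an existing file is never touched by these rules (the `-f` test fails first), and the cookie condition is satisfied by any cookie whose name starts with `wordpress_logged_in_`, whatever its value, because mod_rewrite can only see the header text.

```php
<?php
// Added example, not Jim's rules and not 7G code: the three RewriteCond chains from
// the comment above as a PHP function, evaluated over constructed requests.
// $file_exists stands in for "%{REQUEST_FILENAME} -f"; all inputs are made up.

/** Static-asset pattern from the /wp-content/ block, copied as-is (the [NC] flag becomes /i). */
const WP_STATIC_ASSET = '/\.((s?c|le)ss|js(on(p)?)?|gif|ico|jpe?g?|png|svgz?|tiff?|avi|mp(3|4|(e|g)|eg)|eot|otf|tt(f|c)|woff2?)$/i';

/**
 * Return '410' where the rules answer with [G] (Gone), otherwise 'pass'.
 * Mirrors the order and flags of the original conditions.
 */
function wp_htaccess_decision(string $uri, bool $file_exists, string $cookie_header = ''): string
{
    // The cookie condition only tests that a cookie *named* wordpress_logged_in_*
    // appears in the Cookie header; the value is never checked.
    $has_login_cookie = preg_match('/wordpress_logged_in_.+/', $cookie_header) === 1;
    $is_php           = preg_match('/\.php$/i', $uri) === 1;

    // Block 1: PHP under /wp-admin/, except the two files anonymous visitors need.
    if (strpos($uri, '/wp-admin/') !== false && $file_exists && $is_php
        && !preg_match('#/wp-admin/(load-styles|admin-ajax)\.php$#', $uri)
        && !$has_login_cookie) {
        return '410';
    }
    // Block 2: PHP under /wp-includes/, except wp-tinymce.php.
    if (strpos($uri, '/wp-includes/') !== false && $file_exists && $is_php
        && !preg_match('#/wp-includes/js/tinymce/wp-tinymce\.php$#', $uri)
        && !$has_login_cookie) {
        return '410';
    }
    // Block 3: anything under /wp-content/ that is not a static asset, logged in or not.
    if (strpos($uri, '/wp-content/') !== false && $file_exists
        && !preg_match(WP_STATIC_ASSET, $uri)) {
        return '410';
    }
    return 'pass';
}

/** Constructed requests; true when every decision matches the expectation. */
function rules_self_check(): bool
{
    $cases = [
        // [uri,                                   file exists, Cookie header,                  expected]
        ['/wp-admin/edit.php',                     true,  '',                                  '410'],
        ['/wp-admin/admin-ajax.php',               true,  '',                                  'pass'],
        ['/wp-admin/edit.php',                     false, '',                                  'pass'], // no such file: -f fails, WP serves its 404
        ['/wp-admin/edit.php',                     true,  'wordpress_logged_in_0123=anything', 'pass'], // cookie name alone satisfies the test
        ['/wp-includes/js/tinymce/wp-tinymce.php', true,  '',                                  'pass'],
        ['/wp-includes/example.php',               true,  '',                                  '410'],
        ['/wp-content/uploads/2020/photo.jpg',     true,  '',                                  'pass'],
        ['/wp-content/plugins/foo/foo.php',        true,  'wordpress_logged_in_0123=x',        '410'],  // block 3 ignores the cookie
        ['/wp-content/themes/foo/style.css',       true,  '',                                  'pass'],
    ];
    foreach ($cases as [$uri, $exists, $cookie, $want]) {
        if (wp_htaccess_decision($uri, $exists, $cookie) !== $want) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    echo rules_self_check() ? "ok\n" : "mismatch\n";
}
```

    Run it with `php wp_htaccess_decision.php`; it prints `ok`. The same table is a quick way to check any edit to the rules before deploying it: change an exception, add the request you expect it to allow, and re-run.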

  8. Not really security-related, but I found this suggestion on-line a couple of years ago. I tried it, and found it to work pretty well. It helps to speed up WordPress loading a little bit, by making it more efficient in its .htaccess redirects.

    # BEGIN WordPress
    
    # Unless you have set a different RewriteBase preceding this
    # point, you may delete or comment-out the following
    # RewriteBase directive:
    RewriteBase /
    
    # if this request is for "/" or has already been rewritten to WP
    RewriteCond $1 ^(index\.php)?$ [OR]
    
    # or if request is for image, css, or js file
    RewriteCond $1 \.(gif|jpe?g?|png|css|js|ico|pdf)$ [NC,OR]
    
    # or if URL resolves to existing file
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    
    # or if URL resolves to existing directory
    RewriteCond %{REQUEST_FILENAME} -d
    
    # then skip the rewrite to WP
    RewriteRule ^(.*)$ - [S=1]
    
    # else rewrite the request to WP
    RewriteRule . /index.php [L]
    
    # END WordPress

    NOTE: AFAIK – This example only works for a SINGLE-SITE, not multi-site installation!

    – Jim S.

  9. I’ve updated your 7G firewall to add the list written by someone who defends against Ghost Spam. His list is found here. The updated firewall code merges your code and his code together; below is the update:

    # 7G:[HTTP REFERRER]
    <IfModule mod_rewrite.c>
    	
    	RewriteCond %{REQUEST_URI} !(7g_log.php) [NC]
    	
    	RewriteCond %{HTTP_REFERER} (semalt|ranksonic|timer4web|anticrawler|uptime(robot|bot|check|\-|\.com)|foxweber|:8888|xtraffic\.plus|(christopherblog|tammyblog|billyblog)\.online|traffic4free|bottraffic|easy-website\-traffic|bot4free|trafficbot|todaperfeita) [NC,OR]
    	RewriteCond %{HTTP_REFERER} (axcus|dotmass|artstart|dorothea|artpress|matpre|ameblo|freeseo|jimto|seo-tips|hazblog|overblog|squarespace|ronaldblog|c\.g456|zz\.glgoo|harriett|webedu|barbarahome|verabauer|deirdre|ninacecillia|reginanahum|deniseconnie|firstblog|maxinesamson)\.top [NC,OR]
    	RewriteCond %{HTTP_REFERER} (ambien|blue\spill|cialis|cocaine|ejaculat|erectile|erections|hoodia|huronriveracres|impotence|levitra|libido|lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby|ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo) [NC]
    
    	RewriteRule .* - [F,L]
    	
    	# RewriteRule .* /7g_log.php?log [L,NE,E=7G_HTTP_REFERRER:%1]
    	
    </IfModule>
  10. Hello Jeff!
    Thank you for your work. Working perfectly.
    I’m not sure about one thing.
    Does this method block the original Googlebot?
    Because I don’t want to block it.

  11. Thanks Jeff! Comforting. Best wishes!
