Brute-Force Login Drip Attack
I’ve been noticing a new strategy for brute-force login attacks: the slow, incremental “drip” attack. Instead of slamming a login page with hundreds or thousands of brute-force login attempts all within a few minutes, some attackers have been taking a more low-key approach by slowing down the rate of login attempts in order to bypass security measures. The “drip” brute-force attack is extremely annoying, and possibly dangerous if any of your registered users are using weak login credentials. This article […] Continue reading »
Stop RSSing.com from Framing Your Content
This quick post explains how to stop the notorious site scrapers, RSSing.com, from stealing your content. In fact, this technique can be used to stop virtually any site that uses HTML frames to scrape your pages. Once again, the solution is one line of .htaccess to the rescue. Continue reading »
Use Strong Usernames for Better Security
Image courtesy of eChunks.com Here is a quick security tip for people using popular apps on the Web. That is, apps like WordPress that may be widely used and targeted by bad actors and/or automated scripts. It’s all about adding another layer of security by hardening admin-level usernames.. Every now and then, I get an email letting me know that someone has requested a password reset for one of my admin-level WordPress accounts. Usually, the email notifications are sent directly […] Continue reading »
How to Block Baidu Bot
A user of my 6G Firewall recently asked how to block the “baidu” bot from accessing their site. This post explains why Baidu is not blocked in 6G and provides a quick .htaccess technique to deny it (or anything claiming to be it) access to your site. Continue reading »
What Chrome Predictive URLs Look Like on the Server
Awhile ago, I was confused by repetitive 404 “Not Found” errors in my server logs. The 404 requests look like someone is typing out various words, a few letters at a time. This post shows what these weird 404s look like from the server’s perspective, and then goes on to explain why they happen and why there is no practical way of preventing them. Continue reading »
WordPress Performance Issue?
Just wanted to share a mysterious trend reported for my sites by Google Webmaster Tools, and ask if anyone else is seeing the same pattern. It looks like it’s related to the WordPress 4.4 update, but I’m not 100% sure, so putting the data out there in hopes that others can help shed some light on the issue.. Continue reading »
Example of a Spoofed Search Engine Bot
While solving the recent search engine spoofing mystery, I came across two excellent examples of spoofed search engine bots. This article uses the examples to explain how to identify any questionable bots hitting your site. Continue reading »
Coda 2 Lessons Learned
I recently switched over to Panic’s Coda 2 for code editing and SFTP functionality. After using my previous editor/FTP software for over 10 years, I was surprised that learning Coda 2 happened so easily. It literally took me like two days of using it before I was back up to full development speed. In the process of learning, I discovered numerous questions and concerns that weren’t covered in the Coda 2 documentation or anywhere online. This post rounds up these […] Continue reading »
Analyzing Weird 404 Search Engine Requests
Lately I’ve been getting a significant number of really weird 404 requests for one of my sites. At first I ignored them. Then upon closer inspection, I realized that the requests were reporting user agents like Googlebot, Bingbot, and other top search engines. So there was cause for concern. You don’t want legitimate search engines tripping over endless 404 requests that are completely unrelated to your site content. That gets into “negative SEO” territory, and should be investigated and resolved […] Continue reading »
Block D-Bag Database Exploits
Some douchebag has been scanning my sites for a variety of potential database exploits. My sites are secure, so there is no real security threat, but the scans are extremely annoying and waste my server resources. Resources like bandwidth and memory that I would rather use for legitimate visitors. So after collecting some data and experimenting a bit, I wrote a simple .htaccess snippet to block a vast majority of these pathetic database-exploit scans. Continue reading »
WordPress Plugin: Blackhole for Bad Bots
Image Courtesy NASA/JPL-Caltech. Update: Pro version now available! Check out Blackhole Pro » Finally translated my Blackhole Spider Trap into a FREE WordPress plugin. It’s fun, fast, flexible, and works silently behind the scenes to protect your WordPress-powered site from malicious bots. Here are some of the features: Continue reading »
List of All User Agents for Top Search Engines
Here is a working list of all user agents for the major, top search engines. I use this information frequently for my plugins such as Blackhole for Bad Bots and BBQ Pro, so I figured it would be useful to post the information online for the benefit of others. Having the user agents for these popular bots all in one place helps to streamline my development process. Each search engine includes references and a regex pattern to match all known […] Continue reading »
6G Firewall
After three years of development, testing, and feedback, I’m pleased to announce the official launch version of the 6G Firewall (aka the 6G Blacklist). This version of the nG Firewall is greatly refined, heavily tested, and better than ever. Fine-tuned to minimize false positives, the 6G Firewall protects your site against a wide variety of malicious URI requests, bad bots, spam referrers, and other attacks. Blocking bad traffic improves site security, reduces server load, and conserves precious resources. The 6G […] Continue reading »
Protect Against WordPress Brute Force Amplification Attack
It seems the WordPress xmlrpc.php file is the target of another type of attack. Before, it was the XML-RPC Pingback Vulnerability. Now, it is the Brute Force Amplification Attack. This post explains what you need to know and then cuts to the chase with several ways to protect your site against this new malicious exploit, as well as all other related threats. Continue reading »
What to do when your site gets hacked
Over the years, my sites have been hacked numerous times. Each hacking event was somewhat of a miserable experience at first, but ultimately educational and even enlightening. I’m not going to say that getting hacked was the best thing that ever happened to me, but it certainly wasn’t the end of the world. In this post, I want to share some important steps to take and things to keep in mind if and when you discover that your site has […] Continue reading »
Free and Open
The Web is a beautiful, incredible thing. It enables anyone with a connection to access an entire universe of human knowledge. The Web is like this because it is free and open. We the people built the Internet and it belongs to everyone. Each person may claim their own piece of the Internet, but no one person or group may claim ownership of its entirety. The Web Belongs to Everyone. If you feel the need to control or regulate something, […] Continue reading »
