Save 10% on our Pro WordPress plugins with discount code: 10PERCENT
Web Dev + WordPress + Security

404 Fix: Block Nuisance Requests for Non-Existent Files

[ Han Solo shutting up C-3PO in Empire Strikes Back ]

As I’ve written before, blocking nuisance requests can help save you money by cutting down on wasted server resources, memory, and so forth. It also saves you time, as your server access and error logs won’t be full of nuisance request spam. So you will have more resources and time for things that matter, like running your business, helping customers, improving code, etc. So to continue the proud tradition of blocking malicious traffic, this post builds upon previous blocking techniques […] Continue reading »

Blocking the “ReallyLongRequest” Bandit

[ Sneaky Bandit ]

While browsing server logs, I kept seeing these super long request URIs that begin with “YesThisIsAReallyLongRequest…” and then the request string just keeps going for like 1 kilobyte worth of characters. Not just a few times, but many. In other words, somebody is going around and repeatedly hitting servers with gigantic-size requests. Probably to test server response using other people’s servers. Ummm, yeah kinda malicious. So I did some research and then blocked the “ReallyLongRequest” Bandit. Continue reading »

Blackhole for Bad Bots – Quick Start

[ Black Hole (Figurative) ]

Welcome to the Quick Start Guide for the standalone PHP version of Blackhole for Bad Bots. This post basically is a condensed summary of the original Blackhole tutorial. So if you are new to the concept of blocking bad bots, check out the original tutorial. Otherwise, for those that are familiar, the following guide should simplify things and help you get started with Blackhole as quickly as possible. Continue reading »

Detect Attacks with PHP and .htaccess

This tutorial explains how to detect and block security threats via .htaccess, and then pass that information to a PHP script for further processing. This is a powerful technique that combines the power of Apache with the flexibility of PHP. Enabling you to do things like log all unwanted traffic, send email reports for blocked requests, create a UI to display logged data, and just about anything else you can imagine. It’s an excellent way to keep a close eye […] Continue reading »

Examples of Nested Encoding

Typically malicious scans use some sort of encoding to obscure their payloads. For example, instead of injecting a literal script, the attacker will run it through a PHP encoding function such as base64_encode(), utf8_encode(), or urlencode(). So if and when you need to decode some discovered payload, you can use whichever decoding function will do the job. For example, base64_decode(), utf8_decode(), or urldecode(). Sounds straightforward, but let’s dig a little deeper.. Continue reading »

Block Greasy Uploads Scanner

Whether you’re running WordPress or not, your site may be getting hit by endless scanning for your site’s uploaded files and similar nonexistent resources. Specifically, the “Greasy Uploads Scanner” endlessly scans sites for nonexistent resources in the /uploads/ directory, even if the directory itself doesn’t exist. Just mindless scanning for all sorts of weird files. It steals your server resources and threatens your site security. We hates them. And we wants to block them. Continue reading »

How to Block Bad Bots

Suffering from spammers, content scrapers, bandwidth leeches, and other bad bots? Got some loser stalking your chat forum? Site getting scanned by endless malicious requests? In this tutorial, you’ll learn how to block bad bots and users with minimal effort. Keeping the trash away from your site is gonna free up valuable server resources, conserve bandwidth, and improve the overall security and quality of your site. Continue reading »

Block Proxy Visits with PHP

[ Block Proxy Visits with PHP ]

I wrote recently about how to block proxy visits with WordPress. That article provides a simple, plug-&-play script that you can drop into WordPress-powered site. This article goes further with two effective techniques for blocking proxy visits to your site using only a few lines of PHP. These techniques work for any PHP-enabled site, including WordPress, Drupal, Joomla, and many others. And they’re both easy to implement. Just a few minutes and your site can be relatively free of most […] Continue reading »

Worst IPs: 2016 Edition

[ Worst IPs: 2016 Edition ]

A little late this year, but following tradition here is my list of the absolute worst IP addresses from 2016. All in nice numerical order for easy crunching. These IPs are associated with all sorts of malicious activity, including exploit scanning, email harvesting, brute-force login attacks, referrer spam, and everything in between. Really obnoxious stuff that degrades your site’s performance and potentially threatens security. Continue reading »

.htaccess Cleanup

Once again I am cleaning up my sites’ .htaccess files. I do this from time to time to remove old redirects, refresh blacklists, and update security and SEO-related directives. It’s tedious work, but the performance and security benefits make it all worthwhile. This post shares some of the techniques that were added, removed, or replaced from .htaccess, and explains the reasoning behind each decision. I do this for the sake of reference, and hopefully it will give you some ideas […] Continue reading »

WordPress Block Proxy Visits

I’ve covered a lot of techniques for controlling proxy access. And I’m not done yet. This post expands on the block tough proxies technique by making it plug-&-play with WordPress. Continue reading »

Lynda.com Course: Developing Secure WordPress Sites

[ WordPress: Developing Secure WordPress Sites ]

After months of preparation and production, my new video course on developing secure WordPress sites is now available at Lynda.com. This is my second video course on securing WordPress; the first one was originally launched in 2011 and remained in Lynda’s library for over five years. I received a lot of great feedback on the course, and so I jumped on the opportunity to do another one. If there is one thing that I enjoy doing, it’s helping people with […] Continue reading »

Block nuisance requests for .well-known, apple-app, etc.

[ Block Nuisance Requests ]

Anyone who is paying attention to their server access and error logs has probably noticed that Google and other bots have been making endless requests for .well-known, apple-app-site-association, and various related files. This quick post explains how to save some server bandwidth and resources by blocking such repetitive requests, and also looks at a related problem with certain search engines <cough> not respecting a standard “410 Gone” server response. Continue reading »

Stop User Enumeration in WordPress

[User Enumeration ]

This tutorial explains how to block user-enumeration scans in WordPress. As explained in greater depth here, user enumeration happens when some malicious script scans a WordPress site for user data by requesting numerical user IDs. For example, requests for author=1 through some number, say, author=1000, may reveal the usernames for all associated users. With a simple enumeration script, an attacker can scan your site and obtain a list of login names in a matter of seconds. Continue reading »

They’re Scanning for Your Backup Files

[ Scanning for Backup Files ]

Just a reminder to keep your backup files offline. Do not store them in any publicly accessible space. It’s just not worth the risk man. And if you’re working online, you should know this already. If not, then continue reading to learn why it’s absolutely mission critical. Continue reading »

Brute-Force Login Drip Attack

[ Brute-Force Login Drip Attack ]

I’ve been noticing a new strategy for brute-force login attacks: the slow, incremental “drip” attack. Instead of slamming a login page with hundreds or thousands of brute-force login attempts all within a few minutes, some attackers have been taking a more low-key approach by slowing down the rate of login attempts in order to bypass security measures. The “drip” brute-force attack is extremely annoying, and possibly dangerous if any of your registered users are using weak login credentials. This article […] Continue reading »

Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
USP Pro: Unlimited front-end forms for user-submitted posts and more.
Thoughts
LinkedIn decided to replace my popular video course on WordPress security. For a limited time the course is available to *logged-in* users via direct URL.
I enjoy listening to original Star Trek and NG episodes while working online. After a while it feels like I’m working on the ship as part of the crew, going on adventures.
New version (2.6) of my shapeSpace starter theme now available! Always free & open source for everyone :)
Finished updating all of my books! As always, book owners can download the latest versions for FREE :)
W3C.org has a very thorough list of accessibility tools.
The more you wake up, the more you realize you are still asleep.
7G Firewall v1.4 now available!
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.