
WordPress Add-on for 5G Blacklist

Malformed requests and malicious scans have been spiking recently, to the point where server performance was really taking a hit. One scan in particular hammered the server with thousands of bad requests in just a few minutes. There are people out there with strong scripts and small minds who are constantly scanning sites for vulnerabilities, and much of what I’ve seen is aimed primarily at WordPress.

That sort of mindless phishing and scanning for crumbs and holes is just silly. So I whipped up this WordPress add-on for the 5G Blacklist, for those who are using it. For those who aren’t but are using WordPress, this add-on works perfectly well on its own — i.e., you don’t need the 5G to use it.

5G WordPress Add-on

5G WP add-on is designed to help protect your site against a broad spectrum of bad URL requests, focusing on the latest wave of malicious server scans. Simply copy/paste the following code into your site’s root .htaccess file (beneath the 5G, if present):

# 5G:[WordPress]
# RedirectMatch is provided by mod_alias (not mod_rewrite), so the container
# tests for that module. (?i) makes each pattern case-insensitive, and the
# patterns are matched against the decoded URL path, not the query string.
<IfModule mod_alias.c>
 RedirectMatch 403 /\$\&
 RedirectMatch 403 (?i)/\&(t|title)=
 RedirectMatch 403 (?i)/\.(bash|git|hg|log|svn|swp|tar)
 RedirectMatch 403 (?i)/(1|contact|i|index1|iprober|phpinfo|phpspy|product|signup|t|test|timthumb|tz|visit|webshell|wp-signup)\.php
 RedirectMatch 403 (?i)/(author-panel|class|database|manage|phpMyAdmin|register|submit-articles|system|usage|webmaster)/?$
 RedirectMatch 403 (?i)/(=|_mm|cgi|cvs|dbscripts|jsp|rnd|shadow|userfiles)
</IfModule>

No editing is required up front, but you may need to fine-tune depending on which plugins and themes you use. For example, if the XYZ widget suddenly stops working, remove the 5G add-on from your .htaccess file and either 1) walk away, or 2) test further and remove the offending character string. If all else fails, leave a comment and someone will try to help.

I can only do so much testing, so if you notice anything weird or if something breaks, leave a comment or send an email — your feedback will help make the 5G add-on even better.

How it works, what it does

Once the code is in place, all URL requests are checked against each of the character strings. For example, let’s say some scumbag attacks your site (as they did with mine recently) with a barrage of random strings:

http://example.com/tag/icons/rndWRr8VfM0B
http://example.com/tag/icons/rndqyG87KROd
http://example.com/tag/icons/rnd2JSAL4n8a
http://example.com/tag/icons/rndA52wTv0ma
http://example.com/tag/icons/rndUDESMbgRC
http://example.com/tag/icons/rndy24JOTQrN
http://example.com/tag/icons/rndCHSkcgPNP
http://example.com/tag/icons/rndXd9XF8il5
http://example.com/tag/icons/rndUFvb60VNk
http://example.com/tag/icons/rndBCvCRsKnB
…

The 5G directives check each URL against the “/rnd” character string and silently block the entire swarm from accessing your site. That is just one of many bad requests that are blocked; the patterns in the add-on cover the other phrases, files, and directories listed above.
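To see the matching described above in action, and to catch the fine-tuning problem mentioned earlier before it bites, here is an added Python script (not code from the original post or from the 5G project) that applies the add-on’s six patterns to request URLs the way mod_alias does: against the decoded URL path only, with an unanchored search, first match wins. The sample URLs are constructed; the rnd strings are taken from the scan above, and the hypothetical tag archive /tag/register/ is included on purpose because the “register/?$” rule catches it, which is exactly the kind of false positive you would want to find by running the script over a slice of your own access log.

```python
import re
from urllib.parse import urlsplit, unquote

# The six RedirectMatch patterns from the 5G WordPress add-on above. Apache's
# mod_alias tests each one against the decoded URL path only (the query string
# is not part of the match) with an unanchored search, which is what re.search
# does here. The dot before "php" is escaped so it matches a literal dot.
ADDON_PATTERNS = [
    r"/\$\&",
    r"(?i)/\&(t|title)=",
    r"(?i)/\.(bash|git|hg|log|svn|swp|tar)",
    r"(?i)/(1|contact|i|index1|iprober|phpinfo|phpspy|product|signup|t|test|"
    r"timthumb|tz|visit|webshell|wp-signup)\.php",
    r"(?i)/(author-panel|class|database|manage|phpMyAdmin|register|"
    r"submit-articles|system|usage|webmaster)/?$",
    r"(?i)/(=|_mm|cgi|cvs|dbscripts|jsp|rnd|shadow|userfiles)",
]
COMPILED = [re.compile(p) for p in ADDON_PATTERNS]

# Constructed sample: two requests from the random-string scan shown above,
# two phpMyAdmin probes in different casing, and three requests a real
# WordPress site would serve. The hypothetical tag archive "register" is
# included deliberately because it trips the "/register/?$" rule.
SAMPLE_URLS = [
    "http://example.com/tag/icons/rndWRr8VfM0B",
    "http://example.com/tag/icons/rndqyG87KROd",
    "http://example.com/phpMyAdmin/",
    "http://example.com/phpmyadmin",
    "http://example.com/wp-login.php",
    "http://example.com/2012/04/some-post/",
    "http://example.com/tag/register/",
    "http://example.com/?s=rnd",
]


def first_blocking_pattern(url):
    """Return the pattern that would make Apache answer 403, or None."""
    path = unquote(urlsplit(url).path)
    for pat in COMPILED:
        if pat.search(path):
            return pat.pattern
    return None


def audit(urls):
    """Split URLs into a {url: pattern} dict of blocked requests and a list
    of requests the add-on lets through."""
    blocked, allowed = {}, []
    for url in urls:
        hit = first_blocking_pattern(url)
        if hit is None:
            allowed.append(url)
        else:
            blocked[url] = hit
    return blocked, allowed


def check_allowlist(known_good):
    """Return the known-good URLs the add-on would wrongly block, i.e. the
    candidates for removing or narrowing a pattern on this site."""
    return [u for u in known_good if first_blocking_pattern(u) is not None]


if __name__ == "__main__":
    blocked, allowed = audit(SAMPLE_URLS)
    for url, pattern in blocked.items():
        print(f"403  {url}  <- {pattern}")
    for url in allowed:
        print(f"pass {url}")
    legit = ["http://example.com/tag/register/",
             "http://example.com/wp-login.php"]
    print("would block legitimate URLs:", check_allowlist(legit))
```

Two things the run makes visible: both phpMyAdmin casings are caught because of the (?i) flag, and the search request /?s=rnd passes because RedirectMatch never sees the query string, so a pattern like “/rnd” only protects the path. Feed check_allowlist() the URLs your theme and plugins actually request and anything it returns is a rule to adjust before deploying.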

For whatever reason, those phrases, files, and directories are among the most heavily scanned-for resources in recent months. The 5G WP add-on aims to neutralize this new wave of attacks by working with the 5G Blacklist, but is also effective as stand-alone protection for your WordPress-powered site.

About the Author
Jeff Starr = Creative thinker. Passionate about free and open Web.

33 responses to “WordPress Add-on for 5G Blacklist”

  1. Does this conflict with your plugin Block Bad Queries?

  2. Excellent!
    Thank you Jeff!!

    I’ll let you know if I find anything that it interferes with.
    Ken

  3. Thanks Jeff!

    1) Your new website design with the red color splash is very confusing. Please change it back :)

    2) Could you write an article about htaccess security and explain how you’ve setup your htaccess.

    Cheers

  4. Thanks Jeff, works for me :)

  5. thanks, often update your blog recently :)

    • Jeff Starr 2012/04/20 8:13 am

      Yes, it’s taken some time to reorganize my life, but now that it is, I’m in full gear and just getting started :)

  6. Jeff you’re a star!

    I don’t run WP, but I do get a lot of malicious WP string requests, so hopefully this should kick those into touch.

    Cheers
    I

  7. Great, working perfectly. Excellent as always…

  8. Hi Jeff, thanks for this.

    I also think it will be of use for non WP sites. In fact, my current visit to Perishablepress was to see if there was a reason why “phpmyadmin” wasn’t included in 5G blacklist.

    Recently I’ve started to get a surge in “requests” for “translators.html” and have added this to my own sites’ htaccess blacklists.

  9. Sorry Jeff, I should also have mentioned:

    Your WP blacklist checks for “phpMyAdmin”. As I understand it RedirectMatch is case sensitive, so it wouldn’t block “phpmyadmin” (all lowercase), which I recollect seeing in old logs for my site. I’m no expert; is my understanding right?

    • Jeff Starr 2012/04/20 8:18 am

      Excellent point – I’ll be updating the WP add-on today, will try to account for variations in casing for phpMyAdmin. Also have some other minor tweaks that I think will help. Stay tuned!

    • Jeff Starr 2012/04/20 9:57 am

      I’ve updated the add-on, which is now case-insensitive, plus also added some new patterns for further protection. Thanks for the suggestion :)

  10. Great job, man. Thanks a lot! :)

    One question though, should I place this add-on inside # 5G:[REQUEST STRINGS] between the IfModule tags or below them just as pasted in this post, without IfModule.

    I know, it’s probably a stupid question. :)

    • Jeff Starr 2012/04/20 8:06 pm

      Good question. I was a little hasty in posting the article — should’ve taken more time with the code syntax and formatting.

      So thank you, the WP add-on now includes the IfModule container, and works great when included as-is after the 5G or at the end of your .htaccess file.

  11. Thanks Jeff

  12. Doug Smith 2012/04/24 6:44 am

    Thanks, Jeff. These rules hit some of the stuff I had been adding in regularly along with several more, so that’s quite helpful.

    The other things I’ve been seeing a lot lately are constant probes for vulnerable WordPress plugins by searching for the readme file and looking for temp or cache data plugins leave around. I use the following rules to take care of most of that.

    RedirectMatch 403 /wp-content/(plugins|themes|uploads)/.+/(cache|temp)/
    RedirectMatch 403 /wp-content/plugins/.+/readme.txt

    • Jeff Starr

      Good call. I’ve seen a lot of temp/cache requests as well, and will be integrating some defense into the upcoming 6G. It is careful work, however, as the scanners are looking for the types of directories (cache, temp, etc) that are actually used in some themes, plugins, and so on. It’s a trade-off of sorts, between false positives and effectiveness. Perfect example of why customizing these sorts of blacklists is recommended.
