Ill requests and malicious scans have been spiking recently, to the point where server performance was really taking a hit. One scan in particular hammered the server with thousands of bad requests in just a few minutes. There are people out there with strong scripts and small minds that are constantly scanning sites for vulnerabilities, and much of what I’ve seen is aimed primarily at WordPress.
That sort of mindless phishing and scanning for crumbs and holes is just silly. So I whipped up this WordPress add-on for the 5G Blacklist, for those who are using it. For those who aren’t but are using WordPress, this add-on works perfectly well on its own — i.e., you don’t need the 5G to use it.
5G WordPress Add-on
5G WP add-on is designed to help protect your site against a broad spectrum of bad URL requests, focusing on the latest wave of malicious server scans. Simply copy/paste the following code into your site’s root .htaccess file (beneath the 5G, if present):
# 5G:[WordPress]
# RedirectMatch is provided by mod_alias (not mod_rewrite), so the block tests for that module
<IfModule mod_alias.c>
 RedirectMatch 403 /\$\&
 RedirectMatch 403 (?i)/\&(t|title)=
 RedirectMatch 403 (?i)/\.(bash|git|hg|log|svn|swp|tar)
 RedirectMatch 403 (?i)/(1|contact|i|index1|iprober|phpinfo|phpspy|product|signup|t|test|timthumb|tz|visit|webshell|wp-signup).php
 RedirectMatch 403 (?i)/(author-panel|class|database|manage|phpMyAdmin|register|submit-articles|system|usage|webmaster)/?$
 RedirectMatch 403 (?i)/(=|_mm|cgi|cvs|dbscripts|jsp|rnd|shadow|userfiles)
</IfModule>
No editing is required up front, but you may need to fine-tune depending on which plugins and themes you use. For example, if the XYZ widget suddenly stops working, remove the 5G add-on from your .htaccess file and either 1) walk away, or 2) test further and remove the offending character string. If all else fails, leave a comment and someone will try to help.
I can only do so much testing, so if you notice anything weird or if something breaks, leave a comment or send an email — your feedback will help make the 5G add-on even better.
How it works, what it does
Once the code is in place, all URL requests are checked against each of the character strings. For example, let’s say some scumbag attacks your site (as they did with mine recently) with a barrage of random strings:
http://example.com/tag/icons/rndWRr8VfM0B
http://example.com/tag/icons/rndqyG87KROd
http://example.com/tag/icons/rnd2JSAL4n8a
http://example.com/tag/icons/rndA52wTv0ma
http://example.com/tag/icons/rndUDESMbgRC
http://example.com/tag/icons/rndy24JOTQrN
http://example.com/tag/icons/rndCHSkcgPNP
http://example.com/tag/icons/rndXd9XF8il5
http://example.com/tag/icons/rndUFvb60VNk
http://example.com/tag/icons/rndBCvCRsKnB
...
The 5G directives check the URLs, match them against the “/rnd” character string, and then silently block the entire swarm from accessing your site. And that’s just one of many bad requests that are blocked; here’s a list showing some of the other requests blocked by the 5G add-on.
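To see exactly which directive a given request trips, and to check your own site's URLs for false positives before deploying (the fine-tuning step described above), here is a small Python simulator of the add-on's matching. It is an added example, not code from the original post or from the 5G Blacklist itself. It reproduces the six RedirectMatch patterns verbatim and assumes, as Apache does, that each pattern is searched (unanchored) against the percent-decoded URL path with the query string excluded, and that the first matching RedirectMatch wins. The sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# The six RedirectMatch patterns of the 5G WordPress add-on, in the order they
# appear in .htaccess. Python's re accepts the same (?i) inline flag that
# Apache's PCRE does, so the patterns are copied verbatim.
RULES = [
    r"/\$\&",
    r"(?i)/\&(t|title)=",
    r"(?i)/\.(bash|git|hg|log|svn|swp|tar)",
    r"(?i)/(1|contact|i|index1|iprober|phpinfo|phpspy|product|signup|t|test|timthumb|tz|visit|webshell|wp-signup).php",
    r"(?i)/(author-panel|class|database|manage|phpMyAdmin|register|submit-articles|system|usage|webmaster)/?$",
    r"(?i)/(=|_mm|cgi|cvs|dbscripts|jsp|rnd|shadow|userfiles)",
]
COMPILED = [re.compile(p) for p in RULES]


def blocking_rule(url):
    """Return the index (0-5) of the first rule that matches the URL path, or None.

    Assumption: Apache matches RedirectMatch against the decoded path only
    (query string not included), so we strip the query and percent-decode.
    """
    path = unquote(urlsplit(url).path)
    for i, rx in enumerate(COMPILED):
        if rx.search(path):  # unanchored search, like ap_regexec
            return i
    return None


def audit(urls):
    """Map each URL to the rule that would 403 it (None = allowed).

    Feed this the URLs from your access log or sitemap to spot legitimate
    pages that a pattern would catch before the block goes live.
    """
    return {u: blocking_rule(u) for u in urls}


# Constructed sample traffic: scanner hits from the post plus some
# ordinary-looking WordPress URLs, including two that trip a rule by accident.
SAMPLE_URLS = [
    "http://example.com/tag/icons/rndWRr8VfM0B",          # scanner swarm -> /rnd
    "http://example.com/contact.php",                      # scanner probe -> rule 4
    "http://example.com/.git/config",                      # dotfile probe -> rule 3
    "http://example.com/about/",                           # normal page, allowed
    "http://example.com/wp-admin/admin-ajax.php?a=1&t=2",  # &t= is in the query, allowed
    "http://example.com/2012/01/database/",                # legit post slug, false positive
    "http://example.com/%26title=foo",                     # decoded to /&title= -> rule 2
]

if __name__ == "__main__":
    for url, rule in audit(SAMPLE_URLS).items():
        verdict = "allowed" if rule is None else f"403 by RedirectMatch #{rule + 1}"
        print(f"{verdict:28} {url}")
```

Running it shows the "/rnd" swarm and the file/dotfile probes caught as the post describes, while the admin-ajax request with `&t=` in its query string passes because the query is not part of the match. The `/2012/01/database/` entry is the kind of collision the fine-tuning note warns about: a post slug that happens to equal one of the listed directory names is blocked by the `/?$` rule, and the fix is to remove that word from the pattern.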
For whatever reason, those phrases, files, and directories are among the most heavily scanned-for resources in recent months. The 5G WP add-on aims to neutralize this new wave of attacks by working with the 5G Blacklist, but is also effective as stand-alone protection for your WordPress-powered site.