Herself’s Webtools

Webtools for Webmasters: Scripts, HowTos, Templates, Plugins, Widgets, Tips and Useful Information


WordPress Security Plugin - block scrapers, hackers, and more

June 8th, 2008 · 47 Comments

** 7/15/08 Turn off the security plugin while you do the WordPress 2.6 update.
** 7/25/08 I added a white list how-to blog entry for those of you who want to white list some IP numbers.

This is part 2 of a 3 part security suite for WordPress. This part blocks requests that carry known attack patterns (described below), the IP addresses of ill-behaved people and bots, and bad user agents. Since trouble is always changing, this plugin lets you adjust who you want to block. I've started you out with every bad bot I caught on my site this past month. You can remove bots, add bots, and add and remove IPs and requests.

Many websites list bad bots, or you can just watch your access logs to see who is causing problems on your site. Several scanners that look for weaknesses in a WordPress install are blocked by their user agent, and you can add more to the list as new ones appear on the net.

The attack requests you will see most often contain .txt?, .txt??, .txt??? or ?_wp_http_referer. The .txt? pattern is a remote file inclusion probe: the attacker passes the URL of a .txt file holding PHP code as a parameter value in the hope that a vulnerable script will include and run it. The post calls these cross-site scripting attempts; strictly they are file inclusion and parameter-tampering probes, but blocking them works the same way. If new patterns show up, you can easily add them to the list.

Any visitor whose user agent or request matches your blacklist has their IP automatically added to your blacklisted IP list.

This plugin creates a page under 'Manage' in the WordPress admin. On it you can blacklist IP numbers, user agents, and requests that you don't want on your site.

If you have the TTC User Registration Bot Detector installed, both plugins use the same bad IP list to make things easier for you.

The management page also lists every registration attempt, whether it was bounced, and why.

Download TTC WP Security plugin

You should also add an email address to the error page, so that a legitimate visitor who gets banned by mistake can reach you. Do not use your main email address. Just set up an extra email address and change the error page like so:


// $blacklisted and $code are set by the plugin before this page is printed.
// The matched entry can be text the visitor sent (a user agent or a request),
// so escape both before echoing them into HTML.
$blacklisted = htmlspecialchars($blacklisted, ENT_QUOTES, 'UTF-8');
$code        = htmlspecialchars($code, ENT_QUOTES, 'UTF-8');
print "<html>\n";
print "<head><title>Banned</title></head>\n";
print "<body>\n";
print "<h2>Banned: $blacklisted: $code</h2>\n";
print "<p>Contact: <a href=\"mailto:timestocome@gmail.com\">timestocome@gmail.com</a> if you have questions.</p>\n";
print "<p>Be sure to include your IP number.</p>\n";
print "</body>\n";
print "</html>\n";


Or you can completely customize the two error pages. One starts at line 145 of the plugin file, the second at line 171. Look for "// print error page".

If you use double quotes inside the page (for a link, say), you must escape them: write \" where you would normally write ".
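The checks described above, as an added example that is not the plugin's own code but a stand-alone PHP sketch in the same style: three blacklists matched as case-insensitive substrings, the automatic IP ban on a user-agent or request hit, a ban page that HTML-escapes the matched entry, and a dry run that tests a candidate request entry against URIs legitimate visitors actually hit (the comment thread below shows why that matters). The list entries, IP addresses and sample requests are constructed for illustration, and the script does not read $_SERVER, so it runs from the command line.

```php
<?php
// Added example, not the TTC WP Security plugin's own code. It implements the
// three checks the post describes (banned IP, bad user agent, bad request
// substring) with the automatic IP ban, an HTML-escaped ban page, and a
// dry run for testing a new request entry against legitimate URIs before it
// goes live. All list entries and sample requests below are constructed.

$bad_agents   = ['libwww-perl'];
$bad_requests = ['.txt?', '?_wp_http_referer'];
$banned_ips   = ['192.0.2.10'];            // constructed; RFC 5737 test range

/** Return the first list entry found in $subject (case-insensitive substring), or null. */
function ttc_match(array $list, string $subject): ?string {
    foreach ($list as $needle) {
        if ($needle !== '' && stripos($subject, $needle) !== false) {
            return $needle;
        }
    }
    return null;
}

/**
 * Decide whether a visitor is banned. Returns [category, matched entry] or null.
 * A user-agent or request hit appends the IP to $banned_ips, the in-memory
 * stand-in for the plugin's banned-IP table.
 */
function ttc_check(string $ip, string $agent, string $uri, array &$banned_ips,
                   array $bad_agents, array $bad_requests): ?array {
    if (in_array($ip, $banned_ips, true)) {
        return ['ip', $ip];
    }
    if (($hit = ttc_match($bad_agents, $agent)) !== null) {
        $banned_ips[] = $ip;
        return ['user agent', $hit];
    }
    if (($hit = ttc_match($bad_requests, $uri)) !== null) {
        $banned_ips[] = $ip;
        return ['request', $hit];
    }
    return null;
}

/** The ban page. The matched entry came from the request, so escape it. */
function ttc_ban_page(string $category, string $entry, string $contact): string {
    $cat  = htmlspecialchars($category, ENT_QUOTES, 'UTF-8');
    $ent  = htmlspecialchars($entry, ENT_QUOTES, 'UTF-8');
    $mail = htmlspecialchars($contact, ENT_QUOTES, 'UTF-8');
    return "<html>\n<head><title>Banned</title></head>\n<body>\n"
         . "<h2>Banned: $cat: $ent</h2>\n"
         . "<p>Contact: <a href=\"mailto:$mail\">$mail</a> if you have questions.</p>\n"
         . "<p>Be sure to include your IP number.</p>\n"
         . "</body>\n</html>\n";
}

/** Which legitimate URIs would a candidate request list ban? Returns uri => entry. */
function ttc_dry_run(array $bad_requests, array $legit_uris): array {
    $hits = [];
    foreach ($legit_uris as $uri) {
        if (($hit = ttc_match($bad_requests, $uri)) !== null) {
            $hits[$uri] = $hit;
        }
    }
    return $hits;
}

// Constructed sample traffic: [ip, user agent, request URI].
$samples = [
    ['203.0.113.5',  'Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0', '/2008/06/green-frogs/'],
    ['198.51.100.7', 'libwww-perl/5.805', '/index.php'],
    ['198.51.100.9', 'Mozilla/5.0', '/index.php?page=http://evil.example/cmd.txt?'],
    ['192.0.2.10',   'Mozilla/5.0', '/'],
];
foreach ($samples as [$ip, $agent, $uri]) {
    $result = ttc_check($ip, $agent, $uri, $banned_ips, $bad_agents, $bad_requests);
    if ($result === null) {
        echo "allow  $ip  $uri\n";
        continue;
    }
    [$category, $entry] = $result;
    echo "ban    $ip  ($category: $entry)\n";
    // In the plugin you would now either print ttc_ban_page($category, $entry, 'abuse@example.org')
    // or, as the post's linked how-to does, send a bare status: http_response_code(403); exit;
}

// Test a candidate entry first. This one also bans WordPress's own tag search,
// the false positive discussed in the comments below.
print_r(ttc_dry_run(['admin-ajax.php?'],
    ['/wp-admin/admin-ajax.php?action=ajax-tag-search&q=ape', '/2008/06/green-frogs/']));
```

Run it with `php ttc_example.php`. The first visitor is allowed, the second is banned on user agent, the third on the .txt? request, and the fourth because its IP was already on the list; the dry run reports that "admin-ajax.php?" would ban the tag-search URI. Because matching is a plain substring test, the dry run is the check to make before adding any short or generic entry to the request list.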

Part 1 - Block bots from registering on your blog

Part 3 - Tripwire tells you which files have been recently altered

See also:
Requests I’m blocking for a current list of things to block
Bots I’m blocking for a current list of bots we block
By request, I added directions to send an HTTP error code instead of an error page: How to send an HTTP error code with PHP

More information:
Know your enemy: Web application threats
Secunia: WordPress security vulnerabilities
SQL Injection Cheat Sheet
Google Online Security Blog

Tags: security · tools · wordpress

47 responses so far

  • 1 wangjel // Jun 16, 2008 at 10:41 am

    ok so back again :d
    I wanted to type just a word while creating a tag: hacker
    because I was writing an article about what's happened, and I got banned :d
    can you help me solve this?
    please
    greetings
    wangjel
    (at least I see how it is working)

  • 2 wangjel // Jun 16, 2008 at 10:45 am

    solved
    works great, I love how quickly it works
    :d

  • 3 wangjel // Jun 16, 2008 at 10:57 am

    ooook not solved, I got back on the IP blacklist
    so I need that help, I guess I have to clean it from the database?

  • 4 ljmacphee // Jun 16, 2008 at 1:35 pm

    Ok, give me a second - was busy writing code.

    Did you get banned from your blog?

    If so, yes, delete your IP from the ip_banned table.

  • 5 ljmacphee // Jun 16, 2008 at 1:37 pm

    Are you using a user agent that you have banned ?

    Or are you making a request for a page you’ve banned?

    You might want to check those lists.

  • 6 ljmacphee // Jun 16, 2008 at 1:41 pm

    Nothing you wrote in an entry will get you caught.

    However, if you write a post title “green frogs”

    Then you put “green” or “frog” on your request blacklist, then you and anyone else trying to access that entry will get banned.

  • 7 ljmacphee // Jun 16, 2008 at 1:43 pm

    You might try starting with these lists:
    Bots I’m blocking

    Requests I’m blocking

  • 8 ljmacphee // Jun 16, 2008 at 1:45 pm

    PS - Nice website design

  • 9 wangjel // Jun 17, 2008 at 3:49 am

    here I am, so thanks for visiting,
    and for the plugin, it is just great.
    I was looking around yesterday for why the trouble arrived, and the global translation plugin cache folder was the problem, because before I installed the plugin the folder was closed but I had to open some of them to be able to create the folder for the cache plugin, and the open door was just ready.
    yesterday I was getting banned and I had to delete the plugin to be able to log in, so I guess I still have some little work to do, but anyway the most important thing is that now the plugin is "on", all three, I was updating the lists as you said,
    and that is important, because at least people can download the themes.
    Really thanks a lot, I'll be back a bit later today, we're going out with the kids :d
    (this is the only and first blog I ever subscribed to!)

  • 10 wangjel // Jun 17, 2008 at 3:56 am

    not subscribed
    registered
    the first blog I registered on, the only one.

  • 11 ljmacphee // Jun 17, 2008 at 7:53 am

    Delete the 3 black list tables: ip, request, and user agent and the plugin.

    It will re-install those 3 tables and a few defaults to give you an idea.

    Then look at my current list and add to it.

    If you look at your log tables before you delete them, you will see your ip number in the log files - see why it banned you and remove that item from its appropriate table.

  • 12 ljmacphee // Jun 17, 2008 at 7:58 am

    I found I was getting over 200 attempts at badness across my 8 blogs. I banned the worst 2 dozen or so ip numbers in .htaccess.

    Now it is way down to a few attacks per blog per day.

    I’ve also found that when you ban a bad user agent or request, something else often comes from that ip number in just a few seconds. Which is why the ip ban happens so fast.

  • 13 wangjel // Jun 17, 2008 at 6:06 pm

    here again, kids sleep......
    so what I found out is I'm using an ajax comment plugin; since I turned it off everything is ok, I don't get banned. (question: if it banned me, does it ban everybody who tries to leave a comment?)
    by the way the difference is visible, the logs
    "look" much better, since I deleted the whole site, the whole database, all the files.
    I didn't have too many blog posts anyway. So I can start to design again :d

  • 14 wangjel // Jun 17, 2008 at 6:37 pm

    I don't know, maybe this will sound stupid, but I would be happy to offer some design to you to "say" thank you?

  • 15 ljmacphee // Jun 17, 2008 at 7:58 pm

    I don’t know, the other plugin should have had no influence on mine. Which one is it?

    Anyone who was banned will be listed as a log entry. So you can see if it affected anyone else and just yank those ip numbers from the ip blacklist if so.

    Thank you that is sweet, I may take you up on that in the future.

  • 16 wangjel // Jun 18, 2008 at 4:01 am

    it was the wp-Ajax Edit comments

  • 17 wangjel // Jun 18, 2008 at 4:05 am

    let me see then; if you say it cannot be, then look around: when I got banned it was in connection with admin-ajax.php?
    I got banned when I wrote a post; the content of the text was no problem, but when I wrote the tag, then whatever I wrote banned me

  • 18 wangjel // Jun 18, 2008 at 4:08 am

    yes I tried it now, I typed "aperio" in a new post and I got banned

  • 19 wangjel // Jun 18, 2008 at 4:25 am

    I restarted the ADSL and the computer, deleted the IP addresses, and I tried to leave a comment using the same word, "aperio", no problems, but I guess if I try to add a tag (any tag) then I get banned. Is it because of this?
    /wp-admin/admin-ajax.php?action=ajax-tag-search&q=ape

  • 20 ljmacphee // Jun 18, 2008 at 1:00 pm

    No, the program doesn’t look at your tags. It only looks at your user-agent, ip number and the request you make to the server.

    Let me check out the plugin later today and see if I can see what is going on.

    I’m using comments here and it’s running, I have tags on a few entries and it hasn’t been a problem.

    I don’t use ajax or javascript plugins on any websites, I find them to be too unstable, but I can test it on my home set up and see if I can find out what is going on.

  • 21 wangjel // Jun 18, 2008 at 2:11 pm

    yes, then I will come back to see what you find out.
    can I ask you what you mean by ajax and javascript being unstable?

  • 22 ljmacphee // Jun 18, 2008 at 3:22 pm

    Ajax and Javascript work differently on many browsers. So if you don't write proper code for each browser and identify each browser you can get into trouble.

    That ajax file is part of Wordpress though.

    It just banned me for tags too - investigating.

  • 23 ljmacphee // Jun 18, 2008 at 3:24 pm

    OK, I see -

    In the request list remove the line that says
    admin-ajax.php?

    And all will be well.

    I just hadn’t used any tags since I added that to the list. Sorry.

  • 24 wangjel // Jun 19, 2008 at 2:22 am

    when I post I remove it and when I'm finished I put it back; I guess you had a reason why you were putting it there, and I checked whether visitors can leave a comment if the ajax-comment-plugin is on and admin-ajax.php is in the list...... they can, so I prefer to leave it in the list, a little extra security is good for the health

    I use lightbox javascript and this ajax comment plugin, and about browsers, IE is the only browser that tries to make history, the rest a

  • 25 wangjel // Jun 19, 2008 at 2:31 am

    ......lmost always work well for me.
    with little differences, but they work.
    by the way I use woopra, and I see not too many people use IE; I guess it is just an illusion, because it is installed on the PCs by default and everybody is too lazy to uninstall it, but analytics of real visitors say that on my sites only 3% of users come with IE.

  • 26 ljmacphee // Jun 19, 2008 at 7:45 am

    I put it there because I saw users other than me trying to access it. But I took out that line. You have to keep something usable when you make it secure. If it’s not usable then that’s not good. No security is fool proof. Find a balance that works for you - that’s why the tool is adaptable.

    I find IE visitors range from 20% on my technical sites to 90% on my gardening and houseplant sites. Depends on the crowd, but 3% is awful low.

    That Woopra looks like a great tool, I hadn’t seen it before.

  • 27 wangjel // Jun 19, 2008 at 12:38 pm

    for the moment I left that "ajax" in there until I understand more about the plugin and those guys; it does not limit the users, so I prefer to learn peacefully

    yes woopra is great, and about the analytics, I guess you are right because there are millions of users who do not know, or want to know, about sophisticated problems, so they use what is insta

  • 28 wangjel // Jun 19, 2008 at 12:44 pm

    lled on the computer,
    I would be very happy to see a program created for easy use but for servers; I guess that would be a very happy tool to see who is coming around.

  • 29 ljmacphee // Jun 19, 2008 at 4:18 pm

    I have the Woopra bookmarked, as soon as I get a couple of free minutes I’m going to try it.

    No, most people don’t want to know more, and that’s ok. Me, however I want all the information I can stuff in my head. Should’ve been a robot I guess?

  • 30 tygern8r // Jun 19, 2008 at 6:54 pm

    Thanks for the tools. These look great. I’ve been using a combination of FireStats, Ban, Karma and Bad Behavior. Oh and don’t forget the original .htaccess mods, but found that to be too time consuming and seemingly not really effective. Your tool looks like it will let me lean out the plugin herd a bit. Thanks again.

  • 31 ljmacphee // Jun 19, 2008 at 8:42 pm

    You’re welcome.

    It became too time consuming for me also, and I wanted some tools that were more flexible.

    I hope you find them useful also.

  • 32 wangjel // Jun 20, 2008 at 10:41 am

    It is a responsible position to create browsers for people who don't want to know? to imagine happy ways......... I mean the new beta of AT&T's "Pogo" on Pogobrowser dot com is one of those happy ways.

  • 33 ljmacphee // Jun 20, 2008 at 12:43 pm

    I check all the browsers I don’t know.

    If they do anything they should not, or if they are listed as a problem on other websites or if they try to hide who they are I block them.

    I think it is irresponsible.

    Most browsers that are legit have a website and or email contact.

  • 34 wangjel // Jun 21, 2008 at 2:09 am

    if you mean the "pogo", it is still in beta, and you can find it on pogobrowser.com
    I guess they will invite you to test it, you do important work so....
    and there are some applications (I would not call them browsers) like "piclens" and Spacetime; these two are maybe the most used,
    and piclens has to be installed in the sites to "enable" it, and I don't know whether that is not a possible "backdoor" (I hope that is the right expression)
    have a great Saturday!
    Wangjel

  • 35 ljmacphee // Jun 21, 2008 at 8:17 am

    Usually it is easy to tell the browsers for humans from the bots. The browsers download style sheets, the bots do not.

    There is quite a bit of controversy over toolbar addins, esp AVG, right now. I usually leave them be.

    There are some cool things coming and bubbling up from deep in the net. I wouldn’t install anything for browsers on my site if I couldn’t review the code. And even then I still might not. But to each his own.

    A back door is a problem, but more likely incompetence would be the problem. Far more likely it would be an unintentional security hole rather than intentional.

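The style-sheet heuristic in the comment above, as an added example that is not part of the post or the plugin: a PHP script that parses Apache combined-format access log lines, groups successful GETs by client IP, and reports clients that fetched page-like URLs but never a .css file. The log lines are constructed samples; the field layout is the standard combined format. Treat the output as a list to investigate rather than an automatic ban, since a text-mode browser, a client with the style sheet already cached, or a legitimate feed reader will also show up here.

```php
<?php
// Added example, not from the post or the plugin: the "browsers download
// style sheets, bots do not" heuristic applied to Apache combined-format
// access log lines. The log lines below are constructed samples.

$log = <<<'LOG'
203.0.113.5 - - [17/Jun/2008:10:41:02 -0400] "GET /2008/06/green-frogs/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0"
203.0.113.5 - - [17/Jun/2008:10:41:03 -0400] "GET /wp-content/themes/ttc/style.css HTTP/1.1" 200 4521 "http://example.org/2008/06/green-frogs/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0"
198.51.100.7 - - [17/Jun/2008:10:42:11 -0400] "GET /2008/06/green-frogs/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jun/2008:10:42:12 -0400] "GET /wp-login.php?action=register HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jun/2008:10:42:13 -0400] "GET /index.php?page=http://evil.example/cmd.txt? HTTP/1.1" 404 512 "-" "Mozilla/5.0"
LOG;

/** Parse one combined-log line into ip/method/path/status/agent, or null if it does not match. */
function parse_combined(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3],
            'status' => (int) $m[4], 'agent' => $m[5]];
}

/**
 * Group successful GETs by client IP and return the clients that fetched at
 * least one page-like URL but no .css file: ip => [pages, css, agent].
 * Images and scripts are ignored, since a page fetch may legitimately skip them.
 */
function css_less_clients(string $log): array {
    $assets = ['js', 'png', 'jpg', 'jpeg', 'gif', 'ico'];
    $by_ip  = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_combined($line);
        if ($r === null || $r['method'] !== 'GET' || $r['status'] !== 200) {
            continue;
        }
        $ip = $r['ip'];
        $by_ip[$ip] ??= ['pages' => 0, 'css' => 0, 'agent' => $r['agent']];
        $path = parse_url($r['path'], PHP_URL_PATH) ?: $r['path'];
        $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        if ($ext === 'css') {
            $by_ip[$ip]['css']++;
        } elseif (!in_array($ext, $assets, true)) {
            $by_ip[$ip]['pages']++;
        }
    }
    return array_filter($by_ip, fn(array $c): bool => $c['pages'] > 0 && $c['css'] === 0);
}

foreach (css_less_clients($log) as $ip => $c) {
    printf("%-15s %d page(s), no style sheet fetched  UA=%s\n", $ip, $c['pages'], $c['agent']);
}
```

On the sample above only 198.51.100.7 is reported: it fetched two pages and then probed with a .txt? request, while 203.0.113.5 pulled style.css right after the page, as a real browser does. Against a real log, feed the file in with `file_get_contents` in place of the heredoc and cross-check the flagged IPs with the plugin's log table before adding them to the IP blacklist.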
  • 36 brucesilver // Jul 10, 2008 at 6:00 pm

    Just want to thank you for this. Probably my most useful plugin of all! I am amazed at all the bad guys that try to get into my little blog every day. If real users get banned they email me - e.g. re-registered instead of lost password link - and that is so rare. But the bots just keep banging away constantly.

  • 37 ljmacphee // Jul 10, 2008 at 6:37 pm

    You’re welcome!

    After the Coppermine install got hacked I got totally paranoid about the websites and couldn’t find what I wanted.

    I'm hoping that because this is adjustable, each webmaster will find it useful in a way that suits him/her as to how strict he/she wants to be.

  • 38 brucesilver // Jul 10, 2008 at 7:25 pm

    I'm not a webmaster, just a typical ignorant blogger - most of us have no webmaster to lean on! That's why you're doing it as a no-brainer plugin is so great. Thanks again.

  • 39 brucesilver // Jul 18, 2008 at 3:46 pm

    Your plugin is working great, stopping 20-30 requests per day, with over 100 banned ips in just a couple weeks. The biggest problem I have now is spam emails to me via my Contact page. They all come from Google notebook. Any way to kill these as well?

  • 40 ljmacphee // Jul 18, 2008 at 6:37 pm

    That’s the first I’ve heard of that. Nice to be on the bleeding edge, eh?

    I don’t know but will try to look into that over the weekend. Thanks for the tip.

    I’ll post a note back here if I find out anything useful.

  • 41 brucesilver // Jul 19, 2008 at 3:06 pm

    thank you. I probably get 30-50 a day, just gibberish with links to google/notebook pages. Can you distinguish between a bot submitting on contact page and a person doing the same?

  • 42 ljmacphee // Jul 19, 2008 at 5:03 pm

    I sent you an email with information on what we can and can’t do and what I need for information to help you.

  • 43 ljmacphee // Jul 25, 2008 at 8:32 am

    I also created a blog entry with the directions and php code to do a white list here: white list how to for ttc-security plugin

    If anyone has questions be sure to comment. I’ll be happy to help.

  • 44 jmanpa // Aug 5, 2008 at 10:49 pm

    I had to remove the plugin. I had been using for weeks and was blacklisted about 5 times during that time and couldn’t get into my own blog all those times. Then my regular visitors were being blacklisted by the dozens. Not a good thing when your site is mentioned in WSJ.com and large amounts of your user base can’t get in. Once in a lifetime chance and block, block, block.

  • 45 ljmacphee // Aug 6, 2008 at 9:03 am

    So why didn’t you just remove the user-agent or request from the black list that was blocking you?

    That is why it is all user adjustable.

  • 46 jmanpa // Aug 10, 2008 at 9:45 pm

    While your plugin looks very sophisticated and flexible, I have sent you request types to remove before, which you graciously did from the master list.

    However, I cannot have a tool for which I am a guinea pig for what should be in the list and what is not.

    A Wordpress admin has a standard list of requests that they will need to do the job. I can’t afford to help you build that list by getting blocked from my own site and sending you the request type.

    I can’t have my users blocked and then send you those requests. They are not doing anything unusual - just reading content.

    I think you have a good thing with this plugin. Your request and agent lists need to be tested out before releasing broadly. A beta period might be warranted.

  • 47 ljmacphee // Aug 10, 2008 at 10:00 pm

    What you should be doing is blocking bots and requests that are a problem on your blog.

    This is a list of bots and requests that are trouble on my blogs. These are all tested on my blogs for a week before I post them. I can not possibly check every possible plugin/set up on every version of Wordpress. That’s why I made it so insanely easy for the user to adjust the lists.

    If something does not work for you remove it.

    If you don’t like the plugin - don’t use it.

    I wrote this for myself. I then altered it so it would be easy for others to use because I think non-technical users like yourself should be able to protect your websites.

    So I suggest you write your own damn security plugin and quit whining if you don’t like mine.
