WordPress Security Plugin - block scrapers, hackers, and more

** 2/17/09 2.0 is the current version

I changed the ip checking part of the plugin so you can now block whole ranges of ip numbers, not just individual ips. Just add the ip prefixes to your list like this:

to block 225.255.255.0 to 225.255.255.255

add

225.255.255.

You can also block everything from 225.255.0.0 to 225.255.255.255 with

225.255.

and

225. blocks everything beginning with 225.

It is good to end each number (except the last) with a dot, like so:

225.

If you just put 150.15 you block everything from 150.15.x.x to 150.151.x.x, 150.152.x.x, etc.

** 2/1/09 1.10 is the current version

** 12/24/08 Some IE users were having problems seeing log files in WP 2.7, so I changed the formatting

** 7/15/08 Turn off the security script while you do the WP 2.6 update
** 7/25/08 I added a white list how to blog entry for those of you wanting to white list some ip numbers.

This is part 2 of a 3 part security suite for WordPress. This part blocks cross-site scripting attempts, ip numbers of ill-behaved people and bots, and bans bad user agents. Since trouble is always changing, this plugin allows you to adjust who you want to block. I’ve started you out with every bad bot I caught on my site this past month. You can remove bots, add bots, and add and remove ips and requests.

Many internet websites list bad bots, or you can just watch your access logs to see who is causing problems on your site. Several tools used to probe a WordPress install for weaknesses are blocked, and you can add more to the list as new ones appear on the net.

Cross-site scripting attacks often contain .txt? .txt?? .txt??? or ?_wp_http_referer in the request. If new cross-site scripts show up, you can easily add them to the list.

Anyone whose bot or request shows up on your blacklist has their ip automatically added to your blacklisted ip list.

This plugin creates a page under ‘Manage’. On it you can blacklist ip numbers, user agents, and requests that you don’t want on your site.

If you have the TTC User Registration Bot Detector installed, both plugins will use the same bad ip list to make things easier for you.

The management page will also give you a list of all attempts at registration, whether they were bounced, and why.

Download TTC WP Security plugin

You should also add an email address to the error page. Do not use your main email address. Just set up an extra email address and change the error page like so:


print "<html>\n";
print "<head><title>Banned</title></head>\n";
print "<body>\n";
// htmlspecialchars() keeps a crafted user agent or request string from being rendered as HTML
print "<h2>Banned: " . htmlspecialchars($blacklisted) . ": " . htmlspecialchars($code) . "</h2>\n";
print "<p> Contact: <a href=\"mailto:timestocome@gmail.com\">timestocome@gmail.com</a> if you have questions.";
print "<p> Be sure to include your ip number ";
print "</body>\n";
print "</html>\n";


Or you can just totally customize the two error pages. The first starts at line 145, the second at line 171. Look for "// print error page".

If you use quotes in your page for a link you must escape them. Use \" where you would normally use a ".

Part 1 - Block bots from registering on your blog

Part III Tripwire tells you which files have been recently altered

See also:
Requests I’m blocking for a current list of things to block
Bots I’m blocking for a current list of bots we block
Per request I added directions to send an HTTP error code instead of an error page: How to send an HTTP error code with PHP

More information:
Know your enemy: Web application threats
Secunia: WordPress security vulnerabilities
SQL Injection Cheat Sheet
Google Online Security Blog

59 Comments

  • kokopelli

    Thanks for the nice plugin.

    I’ve added the whitelist code and was wondering if I could use IP ranges or wildcards, instead of a long list of IP addresses?

    For example, I want to whitelist Yahoo and they use the following IPs:
    69.147.90.101
    69.147.90.41
    69.147.90.42
    69.147.90.43
    69.147.90.59
    69.147.90.60
    69.147.90.61
    69.147.90.62

    So, can I just use
    69.147.90.*
    or
    69.147.90.
    instead?

    And will this also work for blacklisting?

  • ljmacphee

    It is not written that way, but you should be able to trivially hack it to do so.

    On the white list I do an exact compare. You change the white list to be strpos like I use in the agent black list section. strpos will find substrings.

    On the ip black list I use strpcasecmp, you can change that also to strpos.

    Then you can use ip numbers like 67.2. but leave off wild cards.

    So rewrite the banned agent code and use it to check for blacklisted and use strpos to check your white list.

    The flaw is this.

    Suppose you wish to ban 69.147.*

    You check for 69.147.
    But 127.69.147.3 will also give a positive.

    PHP String functions

    You can try substr_compare(0), I haven’t tried that. Or you can try stripos() or stristr() and check that it is the beginning of string rather than middle that match is found.

    So if you want to play with the code a bit, and I strongly encourage that, yes, it shouldn’t be difficult.

    The other concern is each string function is computationally intensive, some more than others. Because this plugin runs on every page load, the time it takes to do anything is very critical.

    Are you comfortable hacking PHP code?
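The prefix matching the post describes (entries like "225.255.255.", "225." or "150.15") and the false positive ljmacphee points out above (checking for "69.147." with a substring search also matches 127.69.147.3) can both be handled by anchoring the comparison at the start of the address. This is an added example written for this page, not the plugin's own code; the function names and the sample blacklist are constructed, and it goes one step beyond the post by treating an entry without a trailing dot as whole octets, so "150.15" no longer also catches 150.151.x.x.

```php
<?php
// Added example, not the plugin's code. Matches a visitor IP against dotted
// prefixes in the post's format. The comparison is anchored at the start of
// the string, so "69.147." does not match 127.69.147.3, and an entry without
// a trailing dot is padded to whole octets, so "150.15" matches 150.15.x.x
// but not 150.151.x.x.
function ttc_ip_matches_prefix(string $ip, string $prefix): bool
{
    $prefix = trim($prefix);
    if ($prefix === '') {
        return false;            // an empty entry would otherwise match everyone
    }
    if (substr($prefix, -1) !== '.') {
        $prefix .= '.';          // "150.15" -> "150.15." so octets are compared whole
    }
    // An exact address "1.2.3.4" becomes "1.2.3.4." and must equal ip + "."
    return strncmp($ip . '.', $prefix, strlen($prefix)) === 0;
}
function ttc_ip_is_blacklisted(string $ip, array $blacklist): bool
{
    // Only a well-formed IPv4 address is matched at all.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    foreach ($blacklist as $entry) {
        if (ttc_ip_matches_prefix($ip, $entry)) {
            return true;
        }
    }
    return false;
}
// Constructed sample list in the post's format.
$blacklist = ['225.255.255.', '150.15', '69.147.', '10.0.0.7'];
$checks = [
    '225.255.255.17' => true,   // inside 225.255.255.0 - 225.255.255.255
    '150.15.2.9'     => true,   // "150.15" covers 150.15.x.x
    '150.151.2.9'    => false,  // but not 150.151.x.x
    '127.69.147.3'   => false,  // a substring search would wrongly block this
    '69.147.90.101'  => true,
    '10.0.0.7'       => true,   // an exact address still works
    '10.0.0.70'      => false,  // and does not spill over to 10.0.0.7x
];
foreach ($checks as $ip => $expected) {
    $got = ttc_ip_is_blacklisted($ip, $blacklist);
    printf("%-16s %s\n", $ip, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Each comparison is a single strncmp over at most 16 bytes, so the per-page cost ljmacphee is worried about stays proportional to the length of the list.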

  • kokopelli

    Rather not going to mess with the code (further) … I’ll just add all the whitelisted IPs manually for now.

    A backend IP whitelist function (as well as the ability to ban/whitelist IP ranges, wildcards or even netblocks) would be nice though [hint] :)

  • ljmacphee

    I’ll think about it, 3 db calls are already insanely expensive, rather not make a 3rd one.

    Next time I get a chance will have a look, but it won’t be this week.

  • Shackbase

    Hi Linda,

    I am a huge fan of your scripts, thank you for making them public.

    I do however, have an issue, apparently technorati is blocked and consequently lists my site OOglebreak.com as “I am sorry but you look like a bot” :/

    I have removed the IP listed in the blacklist, where can I find the whitelist?

    I would really like the ability to add ips to a whitelist in the backend, but just being able to add it to the code itself is fine to me too.

    Thank you,
    Tony

    IP: 208.66.64.4 February 12 2009 14:56:04
    Request: /
    Code: On our ip blacklist
    Accept:
    Agent: Technoratibot/0.7

  • ljmacphee

    I didn’t want to make another database call. There are directions here

    http://herselfswebtools.com/2008/07/how-to-add-a-white-list-to-the-ttc-security-plugin.html

    Let me know if you have any questions, but I think it is very straightforward.

  • buzz_lightyear

    Hi Linda,
    thanx for this nice plugin, however I was getting an error in syslog:
    Apr 29 10:27:46 buzzdev apache2: WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 for query SELECT ip, problem, accept, agent, request, date_format( day, '%M %d %Y %H:%i:%s') AS time_stamp FROM wp_1_ttc_security_log ORDER BY day DESC LIMIT made by require_once, do_action, call_user_func_array, ttc_add_user_security_menu
    Where there was no value coming for the LIMIT from the form, when you don’t say the # of log entries to show.

    I “fixed” it for myself by:

    $log_count = 25;

    // if ( $_POST['submit_check'] == 1 ){
    // $log_count = $_POST['log_lines'];
    // }

    // fall back to 25 when the field is missing or empty, otherwise force an integer
    if ( isset( $_POST['log_lines'] ) && $_POST['log_lines'] != '' ){
        $log_count = (int)$_POST['log_lines'];
    }

    I couldn’t figure out, how that “submit_check” field is supposed to be used ;)

    thanx

  • ljmacphee

    Thx, I’m out now, will check on it as soon as I get back to my office.

  • ljmacphee

    submit_check is used to tell php that the form has been changed/updated etc ( see the form where we ask user how many form entries are desired lines 378-385)

    That is in there to prevent the form from submitting null values.

    Setting the count to a constant as you’ve done will work just fine also.
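The syntax error buzz_lightyear reports comes from an empty form field reaching the LIMIT clause as "LIMIT " with nothing after it. As an added example, not the plugin's own code, the function below turns the posted value into a bounded integer before it goes anywhere near the query; the constants, the function names and the sample submissions are constructed, and the table name is the one from the logged query above.

```php
<?php
// Added example, not the plugin's code. Validates the "log_lines" form field
// (with "submit_check" as the "form was submitted" flag, as described above)
// into a safe integer for LIMIT: a missing, empty, non-numeric or oversized
// value falls back to a default instead of producing a broken or hostile query.
const TTC_LOG_DEFAULT = 25;   // assumed defaults, not the plugin's values
const TTC_LOG_MAX     = 500;
function ttc_log_count(array $post, int $default = TTC_LOG_DEFAULT, int $max = TTC_LOG_MAX): int
{
    // No submit_check means the page was loaded, not submitted: use the default.
    if (!isset($post['submit_check']) || (string) $post['submit_check'] !== '1') {
        return $default;
    }
    $raw = isset($post['log_lines']) ? trim((string) $post['log_lines']) : '';
    // Only an all-digit string is accepted; "", "twenty" and "4e2" are rejected.
    if ($raw === '' || !ctype_digit($raw)) {
        return $default;
    }
    $n = (int) $raw;
    if ($n < 1) {
        return $default;
    }
    return min($n, $max);         // cap so a huge value cannot dump the whole table
}
function ttc_log_query(string $table, int $count): string
{
    // $count is already a bounded integer, so interpolating it is safe here;
    // inside WordPress you would still prefer $wpdb->prepare("... LIMIT %d", $count).
    return "SELECT ip, problem, accept, agent, request, "
         . "date_format( day, '%M %d %Y %H:%i:%s') AS time_stamp "
         . "FROM {$table} ORDER BY day DESC LIMIT {$count}";
}
// Constructed sample submissions and the count each one yields.
$samples = [
    [],                                               // page loaded, no form   -> 25
    ['submit_check' => '1'],                          // submitted, field absent -> 25
    ['submit_check' => '1', 'log_lines' => ''],       // the reported case       -> 25
    ['submit_check' => '1', 'log_lines' => '40'],     // normal use              -> 40
    ['submit_check' => '1', 'log_lines' => '99999'],  // clamped                 -> 500
    ['submit_check' => '1', 'log_lines' => 'twenty'], // not digits              -> 25
];
foreach ($samples as $post) {
    echo ttc_log_query('wp_1_ttc_security_log', ttc_log_count($post)), "\n";
}
```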
