WordPress Security Plugin – block scrapers, hackers, and more
** 12/20/09 Two updates: the first one is a fix, the second makes some speed improvements and makes the plugin a bit more SEO friendly. Bots now get redirected to the main page of your site instead of an error page.
There are directions in the plugin in case you’d rather direct bots to an error page.
And many thanks to Elites0ft.com, who took the time to point out a flaw to me so I could get it rapidly patched and out the door. Check them out if you are looking for web security, SEO or web development help.
I changed the IP checking part of the plugin so you can now block whole ranges of IP numbers, not just individual IPs. Just add the IP prefixes to your list like this:
To block 225.255.255.0 to 225.255.255.255, add
225.255.255.
You can also block everything from 225.255.0.0 to 225.255.255.255 with
225.255.
and
225. blocks everything beginning with 225.
It is good to end each number with a dot (unless it is a complete IP number), like so:
225.
If you just put 150.15 (no trailing dot) you block not only 150.15.x.x but also 150.151.x.x, 150.152.x.x, etc.
** 2/1/09 1.10 is the current version –
** 12/24/08 Some IE users were having problems seeing log files in WP 2.7, so I changed the formatting
** 7/15/08 Turn off the security script while you do the WP 2.6 update
** 7/25/08 I added a white-list how-to blog entry for those of you wanting to white list some IP numbers.
This is part 2 of a 3-part security suite for WordPress. This part blocks cross-site scripting attempts and the IP numbers of ill-behaved people and bots, and bans bad user agents. Since trouble is always changing, this plugin lets you adjust who you want to block. I’ve started you out with every bad bot I caught on my site this past month. You can remove bots, add bots, and add and remove IPs and requests.
Many internet websites list bad bots, or you can just watch your access logs to see who is causing problems on your site. Several tools used to probe WordPress installations for weaknesses are blocked, and you can add more to the list as new ones appear on the net.
Cross-site scripting attempts often contain .txt?, .txt??, .txt??? or ?_wp_http_referer in the request. If new cross-site script patterns show up, you can easily add them to the list.
Anyone whose bot or request shows up on your blacklist has their IP automatically added to your blacklisted IP list.
This plugin creates a page under ‘Manage’. On it you can blacklist IP numbers, user agents, and requests that you don’t want on your site.
If you have the TTC User Registration Bot Detector installed, both plugins will use the same bad IP list to make things easier for you.
The management page will also give you a list of all attempts at registration, whether they were bounced, and why.
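Added example, not code from the TTC plugin: the decision described above, written as plain PHP that runs from the command line. Blacklist entries are matched as case-insensitive substrings of the request URI and the User-Agent header, and a hit on either list puts the address on the IP list so its next request is refused outright. The lists and the traffic are constructed for illustration; the two request patterns are the ones named in the post and the mistyped agent strings are taken from the list quoted in the comments further down. The last call shows the false positive the comments warn about: a common word on the request list also bans every reader whose post URL contains it.

```php
<?php
// Added example, not code from the TTC plugin. Blacklist entries are
// matched as case-insensitive substrings of the request URI and the
// User-Agent header, which is also why a common word on the request list
// bans every reader whose post slug contains it.

/** Return the first blacklist entry found inside $haystack, or null. */
function first_match(string $haystack, array $needles): ?string {
    foreach ($needles as $needle) {
        if (stripos($haystack, $needle) !== false) {
            return $needle;
        }
    }
    return null;
}

/**
 * Decide what to do with one hit. Returns null when it is clean, otherwise
 * the reason string the plugin would log. $bannedIps is passed by reference
 * to model the automatic IP ban that follows a request or agent hit.
 */
function check_hit(string $ip, string $request, string $agent,
                   array $badRequests, array $badAgents, array &$bannedIps): ?string {
    if (isset($bannedIps[$ip])) {
        return 'On our ip blacklist';
    }
    if (($m = first_match($request, $badRequests)) !== null) {
        $bannedIps[$ip] = "request contained $m";   // auto-ban the address
        return "Blacklisted request: $m";
    }
    if (($m = first_match($agent, $badAgents)) !== null) {
        $bannedIps[$ip] = "agent contained $m";
        return "Blacklisted agent: $m";
    }
    return null;
}

// Constructed lists: the request patterns named in the post and two of the
// mistyped agent strings from the list quoted in the comments.
$badRequests = ['.txt?', '?_wp_http_referer'];
$badAgents   = ['Mozilla/4.0(compatible', 'Mozilla/5/0(compatible'];

// Constructed sample traffic (documentation addresses, not real log data).
$hits = [
    ['198.51.100.7', '/wp-content/plugins/foo/readme.txt?', 'Mozilla/5.0 (X11; Linux) Firefox/3.0'],
    ['198.51.100.7', '/',                                    'Mozilla/5.0 (X11; Linux) Firefox/3.0'],
    ['203.0.113.9',  '/2008/06/green-frogs/',                'Mozilla/5/0(compatible; fake)'],
    ['203.0.113.10', '/2008/06/green-frogs/',                'Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0'],
];

$banned = [];
foreach ($hits as [$ip, $req, $ua]) {
    $reason = check_hit($ip, $req, $ua, $badRequests, $badAgents, $banned);
    printf("%-14s %-38s %s\n", $ip, $req, $reason ?? 'ok');
}
// The second hit from 198.51.100.7 is refused as "On our ip blacklist" even
// though "/" is harmless: the auto-ban from its first hit has taken effect.

// The false positive from the comments: put "frog" on the request list and
// the reader on 203.0.113.10 who was just let through is banned as well.
$banned = [];
$reason = check_hit('203.0.113.10', '/2008/06/green-frogs/',
                    'Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0',
                    array_merge($badRequests, ['frog']), $badAgents, $banned);
echo "with 'frog' on the request list: ", $reason, "\n";
```

Because the auto-ban fires on the first match, an over-broad request entry locks a visitor out of the whole site, not just the one page; the log entry the plugin writes is what tells you which list entry did it, so that is the first place to look when a regular reader reports being blocked.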

Download TTC WP Security plugin
You should also add an email address to the error page. Do not use your main email address. Just set up an extra email address and change the error page like so:
print "<html>\n";
print "<head><title>Banned</title></head>\n";
print "<body>\n";
print "<h2>Banned: $blacklisted: $code</h2>\n";
print "<p> Contact: <a href=\"mailto:timestocome@gmail.com\">timestocome@gmail.com</a> if you have questions.</p>\n";
print "<p> Be sure to include your ip number </p>\n";
print "</body>\n";
print "</html>\n";
Or you can just totally customize the two error pages. One starts at line 145, the second at line 171. Look for "// print error page".
If you use quotes in your page for a link you must escape them. Use \" where you would normally use a "
Part 1 – Block bots from registering on your blog
Part III – Tripwire tells you which files have been recently altered
See also:
Requests I’m blocking for a current list of things to block
Bots I’m blocking for a current list of bots we block
Per request I added directions to send an HTTP error code instead of an error page: How to send an HTTP error code with PHP
More information:
Know your enemy: Web application threats
Secunia: Wordpress security vulnerabilities
SQL Injection Cheat Sheet
Google Online Security Blog
61 Responses to 'WordPress Security Plugin – block scrapers, hackers, and more'
ok so back again :d
i wanted to type just a word as creating a tag hacker
because i was writing an article about what’s happened i got banned :d
can you help me how to solve this?
please
greetings
wangjel
(at least i see how it is working
wangjel
16 Jun 08 at 10:41 am
solved
works great i love it as quickly works
:d
wangjel
16 Jun 08 at 10:45 am
ooook not solved i got back on ip blacklist
so i need that help i guess i have to clean from the database?
wangjel
16 Jun 08 at 10:57 am
Ok, give me a second – was busy writing code.
Did you get banned from your blog?
If so, yes, delete your ip from ip_banned table
ljmacphee
16 Jun 08 at 1:35 pm
Are you using a user agent that you have banned ?
Or are you making a request for a page you’ve banned?
You might want to check those lists.
ljmacphee
16 Jun 08 at 1:37 pm
Nothing you wrote in an entry will get you caught.
However, if you write a post title “green frogs”
Then you put “green” or “frog” on your request blacklist, then you and anyone else trying to access that entry will get banned.
ljmacphee
16 Jun 08 at 1:41 pm
You might try starting with these lists:
Bots I’m blocking
Requests I’m blocking
ljmacphee
16 Jun 08 at 1:43 pm
PS – Nice website design
ljmacphee
16 Jun 08 at 1:45 pm
here i’m so thanks for visiting,
and for the plugin, it is just great.
I have been looking around yesterday why the trouble arrived and the global translation plugin cache folder was the problem, because before i installed the plugin the folder was closed but i had to open some of them to be able to create the folder for the cache plugin and the open door was just ready.
yesterday i was getting banned and i had to delete the plugin to be able to log in, so i guess i still have some little work to do, but anyway the most important is now the plugin is “on” all the three, i was updating the lists as you said,
and that is important, because at least the people can download the themes.
Really thanks a lot, be back today a bit later, we go out with the kids :d
(this is the only and first blog i ever subscribed!)
wangjel
17 Jun 08 at 3:49 am
not subscribed
registered
the first blog i registered, the only.
wangjel
17 Jun 08 at 3:56 am
Delete the 3 black list tables: ip, request, and user agent and the plugin.
It will re-install those 3 tables and a few defaults to give you an idea.
Then look at my current list and add to it.
If you look at your log tables before you delete them, you will see your ip number in the log files – see why it banned you and remove that item from its appropriate table.
ljmacphee
17 Jun 08 at 7:53 am
I found I was getting over 200 attempts at badness across my 8 blogs. I banned the worst 2 dozen or so ip numbers in .htaccess.
Now it is way down to a few attacks per blog per day.
I’ve also found that when you ban a bad user agent or request, something else often comes from that ip number in just a few seconds. Which is why the ip ban happens so fast.
ljmacphee
17 Jun 08 at 7:58 am
here again kids sleep……
so what i find out is i’m using an ajax comment plugin, since i turned it off everything is ok, i don’t get banned. (question: if it banned me, does it ban everybody who tries to leave a comment?)
by the way the difference is visible, the logs
“look” much better, since i have deleted all the site, all the database, all the files.
I didn’t have too many blogposts anyway. So i can start to design again :d
wangjel
17 Jun 08 at 6:06 pm
i don’t know, maybe this will sound stupid, i would be happy to offer some design to you to “say” thank you?
wangjel
17 Jun 08 at 6:37 pm
I don’t know, the other plugin should have had no influence on mine. Which one is it?
Anyone who was banned will be listed as a log entry. So you can see if it affected anyone else and just yank those ip numbers from the ip blacklist if so.
Thank you that is sweet, I may take you up on that in the future.
ljmacphee
17 Jun 08 at 7:58 pm
it was the wp-Ajax Edit comments
wangjel
18 Jun 08 at 4:01 am
let me see then, if you say it can not be then look around, when i got banned it was in connection with the admin-ajax.php?
i got banned when i wrote a post and content of the text no problem, and when i wrote the tag, then whatever i wrote banned me
wangjel
18 Jun 08 at 4:05 am
yes i tried it now i typed in a new post, aperio and i got banned
wangjel
18 Jun 08 at 4:08 am
i restarted the adsl, and the comp. delete the IP addresses, and i tried to leave a comment, for example to use the same word, “aperio” no problems, but i guess if i try to add a tag (any tag) then ban it is because of this?
/wp-admin/admin-ajax.php?action=ajax-tag-search&q=ape
wangjel
18 Jun 08 at 4:25 am
No, the program doesn’t look at your tags. It only looks at your user-agent, ip number and the request you make to the server.
Let me check out the plugin later today and see if I can see what is going on.
I’m using comments here and it’s running, I have tags on a few entries and it hasn’t been a problem.
I don’t use ajax or javascript plugins on any websites, I find them to be too unstable, but I can test it on my home set up and see if I can find out what is going on.
ljmacphee
18 Jun 08 at 1:00 pm
yes then i will come back to see what you find out.
can i ask you what do you mean ajax and javascript unstable
wangjel
18 Jun 08 at 2:11 pm
Ajax and Javascript work differently on many browsers. So if you don’t write proper code for each browser and id each browser you can get into trouble.
That ajax file is part of Wordpress though.
It just banned me for tags too – investigating.
ljmacphee
18 Jun 08 at 3:22 pm
OK, I see -
In the request list remove the line that says
admin-ajax.php?
And all will be well.
I just hadn’t used any tags since I added that to the list. Sorry.
ljmacphee
18 Jun 08 at 3:24 pm
when i post i remove it and when i’m finished i put it back, i guess you had a reason why you was putting it there, and i checked if the visitors can leave a comment if the ajax-comment-plugin is on, and if the admin-ajax.php is in the list……they can, so i prefer to leave it in the list, a little extra security is good for the health
i use lightbox javascript, and this ajax comment plugin, and about browsers, IE is the only browser try to make history, the rest is a
wangjel
19 Jun 08 at 2:22 am
…almost always work well for me.
with little differences, but they work.
by the way i use woopra, and i see not too many people use IE, i guess it is just an illusion, because it is installed on the PCs by default and everybody lazy to uninstall, but analytics of real visitors say on my sites only 3% of users come with IE.
wangjel
19 Jun 08 at 2:31 am
I put it there because I saw users other than me trying to access it. But I took out that line. You have to keep something usable when you make it secure. If it’s not usable then that’s not good. No security is fool proof. Find a balance that works for you – that’s why the tool is adaptable.
I find IE visitors range from 20% on my technical sites to 90% on my gardening and houseplant sites. Depends on the crowd, but 3% is awful low.
That Woopra looks like a great tool, I hadn’t seen it before.
ljmacphee
19 Jun 08 at 7:45 am
for the moment i let that “ajax” in there until i understand more about the plugin and those guys, does not limit the users, so i prefer to learn peacefully
yes woopra is great and about the analytics, i guess you are right because there are millions of users who do not know, or want to know about sophisticated problems, so they use what is insta
wangjel
19 Jun 08 at 12:38 pm
lled on the computer,
i would be very happy to see a program created to be easy to use but for servers, i guess that would be a very happy tool to see who is coming around.
wangjel
19 Jun 08 at 12:44 pm
I have the Woopra bookmarked, as soon as I get a couple of free minutes I’m going to try it.
No, most people don’t want to know more, and that’s ok. Me, however I want all the information I can stuff in my head. Should’ve been a robot I guess?
ljmacphee
19 Jun 08 at 4:18 pm
Thanks for the tools. These look great. I’ve been using a combination of FireStats, Ban, Karma and Bad Behavior. Oh and don’t forget the original .htaccess mods, but found that to be too time consuming and seemingly not really effective. Your tool looks like it will let me lean out the plugin herd a bit. Thanks again.
tygern8r
19 Jun 08 at 6:54 pm
You’re welcome.
It became too time consuming for me also, and I wanted some tools that were more flexible.
I hope you find them useful also.
ljmacphee
19 Jun 08 at 8:42 pm
It is a responsible position to create browsers for people who don’t want to know? to imagine happy ways………i mean the new beta of AT&T the “Pogo” on Pogobrowser dot com is one of that happy way.
wangjel
20 Jun 08 at 10:41 am
I check all the browsers I don’t know.
If they do anything they should not, or if they are listed as a problem on other websites or if they try to hide who they are I block them.
I think it is irresponsible.
Most browsers that are legit have a website and or email contact.
ljmacphee
20 Jun 08 at 12:43 pm
if you mean the “pogo” it is still in beta, and you can find it on pogobrowser.com
i guess they will invite you to test it you do important work so….
and there are some applications (i would not call them browser) like “piclens”, and Spacetime, these two are maybe the most used,
and piclens has to be installed in the sites to “enable” and i don’t know about that if that is not a possible “backdoor” (i hope it is the good expression)
have a great saturday!
Wangjel
wangjel
21 Jun 08 at 2:09 am
Usually it is easy to tell the browsers for humans from the bots. The browsers download style sheets, the bots do not.
There is quite a bit of controversy over toolbar addins, esp AVG, right now. I usually leave them be.
There are some cool things coming and bubbling up from deep in the net. I wouldn’t install anything for browsers on my site if I couldn’t review the code. And even then I still might not. But to each his own.
A back door is a problem, but more likely incompetence would be the problem. Far more likely it would be an unintentional security hole rather than intentional.
ljmacphee
21 Jun 08 at 8:17 am
Just want to thank you for this. Probably my most useful plugin of all! I am amazed at all the bad guys that try to get into my little blog every day. If real users get banned they email me – e.g. re-registered instead of lost password link – and that is so rare. But the bots just keep banging away constantly.
brucesilver
10 Jul 08 at 6:00 pm
You’re welcome!
After the Coppermine install got hacked I got totally paranoid about the websites and couldn’t find what I wanted.
I’m hoping that because this is adjustable, each webmaster will find it useful in a way that suits him/her as to how strict each one wants to be.
ljmacphee
10 Jul 08 at 6:37 pm
I’m not a webmaster, just a typical ignorant blogger – most of us have no webmaster to lean on! That’s why you’re doing it as a no-brainer plugin is so great. Thanks again.
brucesilver
10 Jul 08 at 7:25 pm
Your plugin is working great, stopping 20-30 requests per day, with over 100 banned ips in just a couple weeks. The biggest problem I have now is spam emails to me via my Contact page. They all come from Google notebook. Any way to kill these as well?
brucesilver
18 Jul 08 at 3:46 pm
That’s the first I’ve heard of that. Nice to be on the bleeding edge, eh?
I don’t know but will try to look into that over the weekend. Thanks for the tip.
I’ll post a note back here if I find out anything useful.
ljmacphee
18 Jul 08 at 6:37 pm
thank you. I probably get 30-50 a day, just gibberish with links to google/notebook pages. Can you distinguish between a bot submitting on contact page and a person doing the same?
brucesilver
19 Jul 08 at 3:06 pm
I sent you an email with information on what we can and can’t do and what I need for information to help you.
ljmacphee
19 Jul 08 at 5:03 pm
I also created a blog entry with the directions and php code to do a white list here: white list how to for ttc-security plugin
If anyone has questions be sure to comment. I’ll be happy to help.
ljmacphee
25 Jul 08 at 8:32 am
I had to remove the plugin. I had been using for weeks and was blacklisted about 5 times during that time and couldn’t get into my own blog all those times. Then my regular visitors were being blacklisted by the dozens. Not a good thing when your site is mentioned in WSJ.com and large amounts of your user base can’t get in. Once in a lifetime chance and block, block, block.
jmanpa
5 Aug 08 at 10:49 pm
So why didn’t you just remove the user-agent or request from the black list that was blocking you?
That is why it is all user adjustable.
ljmacphee
6 Aug 08 at 9:03 am
While your plugin looks very sophisticated and flexible, I have sent you request types to remove before, which you graciously did from the master list.
However, I cannot have a tool for which I am a guinea pig for what should be in the list and what is not.
A Wordpress admin has a standard list of requests that they will need to do the job. I can’t afford to help you build that list by getting blocked from my own site and sending you the request type.
I can’t have my users blocked and then send you those requests. They are not doing anything unusual – just reading content.
I think you have a good thing with this plugin. Your request and agent lists need to be tested out before releasing broadly. A beta period might be warranted.
jmanpa
10 Aug 08 at 9:45 pm
What you should be doing is blocking bots and requests that are a problem on your blog.
This is a list of bots and requests that are trouble on my blogs. These are all tested on my blogs for a week before I post them. I can not possibly check every possible plugin/set up on every version of Wordpress. That’s why I made it so insanely easy for the user to adjust the lists.
If something does not work for you remove it.
If you don’t like the plugin – don’t use it.
I wrote this for myself. I then altered it so it would be easy for others to use because I think non-technical users like yourself should be able to protect your websites.
So I suggest you write your own damn security plugin and quit whining if you don’t like mine.
ljmacphee
10 Aug 08 at 10:00 pm
First, thanks for the plugin. It’s let me block a bunch of bad guys.
I don’t understand something though. Could you explain why your bad agents list contains agents like:
Mozilla/4.0(compatible
Mozilla/4.08
Mozilla/4.61 (Macintosh
Mozilla/5/0(compatible
Mozilla/7.0
Mozilla/8
I don’t see why these are inherently bad. Are there no legitimate visitors using those agents? Maybe I just don’t grasp the whole “agent” thing.
turtletrax
14 Sep 08 at 10:39 am
Sorry, we just got hit by a hurricane and net and power are scarce.
There are typos in all those strings. The real user agents they are pretending to be are fine. Those are fakes. Like if you met someone at a party and they gave you a fake name.
See no space between 4.0 and ( on the 1st one?
5/0 instead of 5.0?
All of those contain typos.
ljmacphee
14 Sep 08 at 10:54 pm
Ah, I get it, thanks.
Hope you’ve pulled through the rough weather without any bad effects.
turtletrax
15 Sep 08 at 7:57 am
Thanks for the nice plugin.
I’ve added the whitelist code and was wondering if I could use IP ranges or wildcards, instead of a long list of IP addresses?
For example, I want to whitelist Yahoo and they use the following IPs:
69.147.90.101
69.147.90.41
69.147.90.42
69.147.90.43
69.147.90.59
69.147.90.60
69.147.90.61
69.147.90.62
So, can I just use
69.147.90.*
or
69.147.90.
instead?
And will this also work for blacklisting?
kokopelli
27 Oct 08 at 8:07 pm
It is not written that way, but you should be able to trivially hack it to do so.
On the white list I do an exact compare. You change the white list to be strpos like I use in the agent black list section. strpos will find substrings.
On the ip black list I use strpcasecmp, you can change that also to strpos.
Then you can use ip numbers like 67.2. but leave off wild cards.
So rewrite the banned agent code and use it to check for blacklisted and use strpos to check your white list.
The flaw is this.
Suppose you wish to ban 69.147.*
You check for 69.147.
But 127.69.147.3 will also give a positive.
PHP String functions
You can try substr_compare(0), I haven’t tried that. Or you can try stripos() or stristr() and check that it is the beginning of string rather than middle that match is found.
So if you want to play with the code a bit, and I strongly encourage that, yes, it shouldn’t be difficult.
The other concern is each string function is computationally intensive, some more than others. Because this plugin runs on every page load, the time it takes to do anything is very critical.
Are you comfortable hacking PHP code?
ljmacphee
28 Oct 08 at 8:05 am
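Added example, not the plugin’s own code, covering two passages on this page: the IP prefix rule in the post (end each partial number with a dot, otherwise 150.15 also covers 150.151.x.x) and the substring flaw described in the comment above (69.147. also matches 127.69.147.3). It compares a strpos() check, which accepts a match anywhere in the address, with one anchored at offset 0 using strncmp(). The list and the addresses are constructed.

```php
<?php
// Added example, not code from the TTC plugin. Two ways to test an address
// against a list of prefixes such as "69.147." or "225.", showing why a
// plain substring search over-matches and how to anchor the comparison.

/** Substring check, as described in the comment: any occurrence counts. */
function ip_listed_substring(string $ip, array $list): ?string {
    foreach ($list as $entry) {
        if (strpos($ip, $entry) !== false) {
            return $entry;
        }
    }
    return null;
}

/**
 * Anchored check. A complete address (three dots, no trailing dot) must be
 * equal; a partial entry is given its trailing dot and must match from
 * offset 0, so "150.15" covers 150.15.x.x only, not 150.150.x.x-150.159.x.x.
 */
function ip_listed_prefix(string $ip, array $list): ?string {
    foreach ($list as $entry) {
        $complete = substr_count($entry, '.') === 3 && substr($entry, -1) !== '.';
        if ($complete) {
            if ($ip === $entry) {
                return $entry;
            }
            continue;
        }
        $prefix = rtrim($entry, '.') . '.';          // normalise the trailing dot
        if (strncmp($ip, $prefix, strlen($prefix)) === 0) {
            return $entry;
        }
    }
    return null;
}

// Constructed blacklist: a two-octet prefix, a prefix missing its dot, and
// one complete address.
$list = ['69.147.', '150.15', '192.0.2.4'];

// Constructed addresses (documentation ranges), chosen to exercise each case.
$samples = ['69.147.90.41', '127.69.147.3', '150.15.1.1', '150.151.2.2', '192.0.2.4', '192.0.2.44'];

printf("%-14s %-12s %s\n", 'address', 'substring', 'anchored');
foreach ($samples as $ip) {
    printf("%-14s %-12s %s\n", $ip,
        ip_listed_substring($ip, $list) ?? '-',
        ip_listed_prefix($ip, $list) ?? '-');
}
// 127.69.147.3, 150.151.2.2 and 192.0.2.44 are listed by the substring check
// and not by the anchored one; the other three are listed by both.
```

strncmp() against a fixed-length prefix is about as cheap as a string test gets, which matters given the point above about the plugin running on every page load. The same anchored function serves a whitelist, where a hit means the request is let through rather than banned.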
Rather not going to mess with the code (further) … I’ll just add all the whitelisted IPs manually for now.
A backend IP whitelist function (as well as the ability to ban/whitelist IP ranges, wildcards or even netblocks) would be nice though [hint]
kokopelli
28 Oct 08 at 9:17 am
I’ll think about it, 3 db calls are already insanely expensive, rather not make a 3rd one.
Next time I get a chance will have a look, but it won’t be this week.
ljmacphee
28 Oct 08 at 10:24 am
Hi Linda,
I am a huge fan of your scripts, thank you for making them public.
I do however, have an issue, apparently technorati is blocked and consequently lists my site OOglebreak.com as “I am sorry but you look like a bot” :/
I have removed the IP listed in the blacklist, where can I find the whitelist?
I would really like the ability to add ips to a whitelist in the backend, but just being able to add it to the code itself is fine to me too.
Thank you,
Tony
IP: 208.66.64.4 February 12 2009 14:56:04
Request: /
Code: On our ip blacklist
Accept:
Agent: Technoratibot/0.7
Shackbase
13 Feb 09 at 5:58 am
I didn’t want to make another database call. There are directions here
http://herselfswebtools.com/2008/07/how-to-add-a-white-list-to-the-ttc-security-plugin.html
Let me know if you have any questions, but I think it is very straightforward.
ljmacphee
13 Feb 09 at 7:43 am
Hi Linda,
thanx for this nice plugin, however i was getting an error in syslog:
Apr 29 10:27:46 buzzdev apache2: WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 for query SELECT ip, problem, accept, agent, request, date_format( day, '%M %d %Y %H:%i:%s') AS time_stamp FROM wp_1_ttc_security_log ORDER BY day DESC LIMIT made by require_once, do_action, call_user_func_array, ttc_add_user_security_menu
where there was no value coming for the LIMIT from the form, when you don’t say the # of log entries to show.
I “fixed” it for myself by:
$log_count = 25;
// if ( $_POST['submit_check'] == 1 ){
//     $log_count = $_POST['log_lines'];
// }
if ( isset($_POST['log_lines']) && $_POST['log_lines'] != '' ){
    $log_count = (int)$_POST['log_lines'];   // force an integer before it reaches the LIMIT clause
}
I couldn’t figure out how that “submit_check” field is supposed to be used
thanx
buzz_lightyear
29 Apr 09 at 2:44 am
Thx, I’m out now, will check on it as soon as I get back to my office.
ljmacphee
29 Apr 09 at 7:10 am
submit_check is used to tell php that the form has been changed/updated etc (see the form where we ask the user how many form entries are desired, lines 378-385)
That is in there to prevent the form from submitting null values.
Setting the count to a constant as you’ve done will work just fine also.
ljmacphee
29 Apr 09 at 10:31 am
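Added example (not the plugin’s code) for the LIMIT problem in the two comments above: the log-count form field spliced into the query as text, next to a version that falls back to a default when the field is missing or empty, forces an integer and clamps it. Table and column names follow the SQL quoted in the syslog line; the form values are constructed so the script runs on the command line.

```php
<?php
// Added example, not the plugin's code: the query from the syslog line
// above, built the unsafe way and the safe way. Table and column names
// follow that SQL; the form values are constructed here.

/** Unsafe: the raw form field is spliced into the SQL as text. */
function build_log_query_unsafe(?string $logLines): string {
    return 'SELECT ip, problem, accept, agent, request FROM wp_1_ttc_security_log '
         . "ORDER BY day DESC LIMIT $logLines";
}

/**
 * Safe: fall back to a default when the field is absent, empty or not a
 * plain number, then clamp so neither 0 nor a huge value reaches the query.
 */
function sanitize_log_count(?string $logLines, int $default = 25, int $max = 500): int {
    $value = $logLines === null ? '' : trim($logLines);
    if ($value === '' || !ctype_digit($value)) {
        return $default;
    }
    return min(max((int)$value, 1), $max);
}

function build_log_query_safe(?string $logLines): string {
    $count = sanitize_log_count($logLines);   // an int; nothing else can get into the SQL
    return 'SELECT ip, problem, accept, agent, request FROM wp_1_ttc_security_log '
         . "ORDER BY day DESC LIMIT $count";
}

// Constructed form inputs: missing field, the empty field that produced the
// syslog error, normal values, and values that must not reach the query.
$inputs = [null, '', '50', '0', '999999', '-1', '25abc'];
foreach ($inputs as $in) {
    printf("input=%-8s -> LIMIT %d\n", var_export($in, true), sanitize_log_count($in));
}

// With an empty field the unsafe query ends in a bare "LIMIT", exactly the
// syntax error MySQL reported in the syslog line; the safe one says LIMIT 25.
echo "\n", build_log_query_unsafe(''), "\n";
echo build_log_query_safe(''), "\n";
```

Inside WordPress, $wpdb->prepare() with a %d placeholder gives the same integer forcing, but the default for a missing field and the upper bound still have to be chosen by the plugin; the constant-25 fix in the comment above handles the first and leaves the second open.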
I just wanted to say thank you! We received an injection attack today despite multiple “lighter” security measures and I remembered your script from a site I launched a year ago. Your scripts are highly customizable and transparent to the admin. The subject site includes banking info and security is paramount. So, thank you for sharing this with everyone in the Wordpress community. If real karma exists in the universe, you’ve earned yours!
joshua
7 Jan 10 at 6:06 pm
Thank you!
timestocome
8 Jan 10 at 11:36 am