Category: security

Tips for Securing WordPress

I spent much of the morning tracking these items down, so I thought I would share them here.

Let’s start by blocking the .htaccess file itself from any idjit who wants to try and edit it.

<Files .htaccess>
## Order takes a single argument: no space after the comma, or Apache refuses to start
   Order Deny,Allow

## Really? You didn't think I would do this?
   Deny from all
## (Apache 2.4 without mod_access_compat: use "Require all denied" instead of Order/Deny)
</Files>

Next, let’s shut down the xmlrpc.php file. It is mostly unused these days, but it can serve as an entry point for more idjits.

[NOTE: If you use Jetpack, you may have to open this up to the Automattic IPs that make the automated backup requests.]

<Files xmlrpc.php>
   Order Deny,Allow

## No soup for you!
   Deny from all
</Files>

Finally, let’s restrict access to the wp-admin area by IP. One addition here is my public IP address. The reason is that if you access your WP instance by its hostname rather than its IP, your requests actually go out through your router and back in again, so they appear with the public IP address even though they originate from within the private IP range.

<IfModule mod_rewrite.c>
   RewriteEngine on
## Match the login page and anything under wp-admin (the original "wp-admin$"
## only matched a URI ending exactly in wp-admin, so /wp-admin/ slipped through)
   RewriteCond %{REQUEST_URI} wp-login\.php [OR]
   RewriteCond %{REQUEST_URI} /wp-admin(/|$)
## admin-ajax.php is called from the public front end too, so leave it reachable
   RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$

## Your local private IP range (escape the final dot, or it matches any character)
   RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.

## Your external IP
   RewriteCond %{REMOTE_ADDR} !^[IP ADDRESS REGEX HERE]$

## What to do with the rest of the bozos: F returns 403 Forbidden
   RewriteRule ^(.*)$ - [F,L]
</IfModule>

With these in place, most of the probes that clutter your logs should leave your WP install frustrated.

Weird times mean New Rules – UFW

I added many new UFW rules and other security measures to my Ubuntu server as a result of all the weird things happening in Europe right now. There was a time when I would have done this immediately after building the server, but I have been getting lax in my old age.

I also added a number of DENY rules to stop HTTP site scanning. I haven’t had to block a /8 yet, but there are a few /16 and /15 networks in my deny list. This, together with some well-placed .htaccess rules, made many annoying bots go away.

In my research, I have found that there is a desire to completely block entire countries (you know who you are). Doing so with CIDR-based firewall rules is heavy going: the UFW ruleset for one of the countries had 24,000+ CIDR blocks!

If you are running home servers, I highly recommend blocking SSH from as much of the internet as possible. As well, keep up-to-date with security patches and block all the stupid ways people can use your servers.

And make sure your cable router/device in front of your network is blocking everything except the most important stuff.
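As an added example (not code from the original post), here is a small POSIX shell script that turns a plain-text deny list of CIDR blocks into UFW rules, validating each entry first so that a typo in the list does not silently become a rule, and that restricts SSH to the LAN as recommended above. The deny-list file path, the LAN range 192.168.1.0/24 and the sample entries are assumptions; by default the script only prints the ufw commands (DRY_RUN=1).

```shell
#!/bin/sh
# Added example, not from the original post. Builds UFW deny rules from a
# CIDR list and limits SSH to the LAN. Assumed values: the list lives at
# /etc/ufw/denylist.txt (hypothetical) and the LAN is 192.168.1.0/24.
# DRY_RUN=1 (default) prints the ufw commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"

# Return 0 if $1 is a syntactically valid IPv4 CIDR (a.b.c.d/n, n in 0..32).
validate_cidr() {
    cidr="$1"
    case "$cidr" in
        */*) ip="${cidr%/*}"; prefix="${cidr##*/}" ;;
        *)   return 1 ;;
    esac
    # Prefix length must be a number in 0..32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Reject anything but digits and dots before word-splitting (no globbing)
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1            # exactly four octets
    for octet in "$@"; do
        [ -n "$octet" ] || return 1     # "192..1.1" yields an empty octet
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (DRY_RUN=1) or execute one ufw command.
run_ufw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ufw $*"
    else
        ufw "$@"
    fi
}

# Deny web ports from one CIDR; inserted at position 1 so it is evaluated
# before any existing allow rules.
deny_cidr_cmd() {
    validate_cidr "$1" || return 1
    run_ufw insert 1 deny from "$1" to any port 80,443 proto tcp
}

# Rate-limit SSH from the LAN, then deny it from everyone else; ufw keeps
# the rules in the order they are added, so the LAN rule wins.
ssh_lan_only_cmds() {
    run_ufw limit from "$LAN_CIDR" to any port 22 proto tcp
    run_ufw deny 22/tcp
}

# Read a deny list from stdin (one CIDR per line, '#' comments allowed)
# and emit a rule per valid entry, reporting the ones it skipped.
apply_denylist() {
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                               # strip comments
        line="$(printf '%s' "$line" | tr -d ' \t')"      # strip whitespace
        [ -n "$line" ] || continue
        deny_cidr_cmd "$line" || echo "skipped invalid entry: $line" >&2
    done
}

# Usage (hypothetical path): DRY_RUN=0 sh ufw-denylist.sh /etc/ufw/denylist.txt
if [ -n "${1:-}" ]; then
    apply_denylist < "$1"
    ssh_lan_only_cmds
fi
```

Each ufw rule becomes one iptables rule evaluated in order, which is why a 24,000-entry country list is so heavy; the validation step at least guarantees that every entry that does get loaded is well-formed.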

Bots from hell, and a plea for a free-to-use public “DROP” Port

There is some idiot out there running a bot/attack protocol using a referring URL that always ends with ‘.eu.tt’.

Turns out that there was more than one IP involved. IPTABLES took care of them.

/sbin/iptables -A INPUT -s 200.123.9.119 -j DROP
/sbin/iptables -A INPUT -s 195.54.87.222 -j DROP
/sbin/iptables -A INPUT -s 194.47.95.115 -j DROP
/sbin/iptables -A INPUT -s 198.234.202.130 -j DROP
/sbin/iptables -A INPUT -s 198.234.202.131 -j DROP

Please use DROP. This stalls the buggers, as they get stuck in an endless trap of trying to open a TCP connection with your server.
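Finding the hosts behind a referrer pattern like the one above by hand is tedious, so here is an added example (not code from the original post) that pulls the distinct client IPs whose Referer matches a pattern out of an Apache combined-format access log, counts their hits, and emits idempotent iptables DROP rules for them. The log lines are constructed for the example, the default pattern is the ‘.eu.tt’ suffix described above (any referrer domain can be passed instead), and by default the iptables commands are printed rather than executed (DRY_RUN=1).

```shell
#!/bin/sh
# Added example, not from the original post. Extracts client IPs by Referer
# pattern from a combined-format access log and builds idempotent DROP rules.
# DRY_RUN=1 (default) prints the iptables commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"
DEFAULT_PATTERN='[.]eu[.]tt(/|$)'   # awk ERE; [.] avoids -v backslash handling

# Constructed sample log lines in Apache combined format:
# ip ident user [time] "request" status size "referer" "user-agent"
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "http://spam.example.eu.tt/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 5678 "https://www.example.org/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 403 199 "http://other.eu.tt/" "curl/8.0"
192.0.2.44 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "http://bot.eu.tt/?x=1" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:00:05 +0000] "GET /feed/ HTTP/1.1" 200 999 "-" "FeedFetcher"'

# Read a log from stdin; print "hits ip" for every client whose Referer
# matches the ERE in $1 (default: the .eu.tt suffix), sorted by IP.
bad_referrer_ips() {
    pattern="${1:-$DEFAULT_PATTERN}"
    # Splitting on double quotes gives q[2]=request, q[4]=referer; $1 is the IP.
    awk -v pat="$pattern" '{
        split($0, q, "\"")
        if (q[4] ~ pat) hits[$1]++
    }
    END { for (ip in hits) print hits[ip], ip }' | sort -k2,2
}

# Print (DRY_RUN=1) or execute an idempotent DROP: -C checks whether the
# rule already exists, so re-running the script never duplicates it.
drop_ip() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -C INPUT -s $1 -j DROP 2>/dev/null || iptables -A INPUT -s $1 -j DROP"
    else
        iptables -C INPUT -s "$1" -j DROP 2>/dev/null || iptables -A INPUT -s "$1" -j DROP
    fi
}

# Read "hits ip" lines from stdin and drop every IP with at least $1 hits
# (default 1), so a single stray hit can be left alone if you prefer.
drop_bad_referrers() {
    threshold="${1:-1}"
    while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        drop_ip "$ip"
    done
}

# Whole pipeline over the constructed sample, dropping IPs with 2+ hits.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | bad_referrer_ips | drop_bad_referrers 2
}

# Usage on a real log:  bad_referrer_ips < /var/log/apache2/access.log | DRY_RUN=0 drop_bad_referrers 3
case "${1:-}" in --demo) demo ;; esac
```

The hit count is the "statistics on the distinct IPs" the post mentions, and because the DROP is guarded by `iptables -C` the script can be run from cron against a rotating log without the INPUT chain filling with duplicates.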

Does anyone know of a server that has an open DROP rule for Port 80? This would be a useful online tool for folks who can re-direct annoying traffic through server configs, but who can’t control the firewall or IPTABLES.

Simple set-up. Get a domain, register it. Get a DNS record to say that www.foobar.com is the machine’s IP Address. Then use IPTABLES to DROP all Port 80 inbound traffic. Publish the URL. Watch the fun!

What’s the fun? Well, once you publish the address and explain that anyone can use targeted redirections to send unwanted traffic to this place of lost TCP connections, annoying bots get stuck there.

It’s a simple IPTABLES rule. For my machine, it would be:

/sbin/iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 80 -j DROP

Which, in IPTABLES speak, means “Any [-s 0/0] inbound traffic on network interface eth0 [-i eth0], headed for TCP port 80 [--dport 80], should be quietly dropped [-j DROP]”.

Please do not try this on a production server! All of your HTTP traffic will disappear! However, you could rewrite it slightly and still preserve port 80 for standard HTTP use, such as publishing statistics on the distinct IPs stuck in your flypaper.

Change ‘http://www.foobar.com/’ to ‘http://www.foobar.com:9080/’ and adjust the IPTABLES rule accordingly.

/sbin/iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 9080 -j DROP

Ok, my rant is done. Have fun, and use these tools wisely.

Stupid attacking domain — andrewsaluk.com

Looks like some bozo has managed to take over a large number of machines and launch some sort of zombie attack against blogs. If you see andrewsaluk.com filling up your referrer log, block the hosts. They are likely zombies.

Just checked the domain (IP address 211.180.238.254) — it originates in South Korea. Definitely points to either a script-kiddie or a zombie on a high-speed connection.

Copyright © 2024 Performance Zen
