Tag: security

Tips for Securing WordPress

2022-03-29 / spierzchala / 0 Comments

I spent much of the morning tracking these items down, so I thought I would share them here

Let’s start with blocking access to the any idjit that wants to try and edit the .htaccess file

<Files .htaccess>
   Order Deny, Allow

## Really? You didn't think I would do this?
   Deny from all
</Files>

Next, let’s shut down the xmlrpc.php file. Mostly unused these days, but can serve as an entry point for more idjits.

[NOTE: If you use JetPack, you may have to open this up to the Auttomatic IPs that make the automated backup requests.]

<Files xmlrpc.php>
   Order Deny,Allow

## No soup for you!
   Deny from all
</Files>

Finally, let’s IP block the access to the wp-admin area. One addition to this is my public IP address. The reason I added this here is that if you access your WP instance by its hostname rather than its IP, your requests will actually go in and out of your router. They will appear with the public IP address even if they originate from within the private IP range.

<IfModule mod_rewrite.c>
   RewriteEngine on
   RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
   RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$

## Your local private IP range
   RewriteCond %{REMOTE_ADDR} !^192\.168\.1.

## Your external IP
   RewriteCond %{REMOTE_ADDR} !^[IP ADDRESS REGEX HERE]$

## What to do with the rest of the bozos
   RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

And with these, most of the annoying log entries probing your WP install should leave your site frustrated.

Weird times mean New Rules – UFW

2022-03-29 / spierzchala / 0 Comments

I added many new UFW rules and other security measures to my Ubuntu server as a result of all the weird things happening in Europe right now. There was a time when I would have done this immediately after building the server, but I have been getting lax in my old age

I also added a number of DENY rules to stop HTTP site scanning. I haven’t had to block a /8 yet, but there are a few /16 and /15 networks in my deny list. This with some well-placed .htaccess rules made many annoying bots go away.

In my research, I have found that there is a desire to completely block entire countries (you know who you are). Doing so with CIDR-based firewall rules is intensive – the UFW ruleset for one of the countries had 24,000+ CIDR blocks!

If you are running home servers, I highly recommend blocking SSH from as much of the internet as possible. As well, keep up-to-date with security patches and block all the stupid ways people can use your servers.

And make sure your cable router/device in front of your network is blocking everything except the most important stuff.

Stupid attacking domain — andrewsaluk.com

2005-02-12 / spierzchala / 6 Comments

Looks like some bozo has managed to take over a large number of machines and launch some sort of zombie attack against blogs. If you see andrewsaluk.com filling up your referrer log, block the hosts. They are likely zombies.

Just checked the domain (IP address 211.180.238.254) — it originates in South Korea. Definitely points to either a script-kiddie or a zombie on a high-speed connection.