After reading the 2.1.2 announcement, I promptly modified the .htaccess file for each of my WP installations to include the following:
# Redirect any request whose query string carries an ix= or iz= parameter
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)ix= [OR]
RewriteCond %{QUERY_STRING} ^(.*)iz=
RewriteRule ^.*$ http://127.0.0.1/ [R,L]
# Redirect direct requests for theme.php and feed.php (dot escaped so it matches literally)
RedirectMatch (.*)theme\.php$ http://127.0.0.1/$1
RedirectMatch (.*)feed\.php$ http://127.0.0.1/$1
I wanted to pop on here to make sure that would cover it ... and make sure I hadn't overlooked anything. (as I hadn't seen any suggestions posted regarding this)
Thanks!
Nicki
Even better would be to redirect to a page on the WP.org site that would log the IP/domain/geo location of the visitor so we could display to the world who is trying this stuff. I have a script that would do this if you're interested.
These questions remain:
- What, exactly, are the vulnerabilities in the hacked 2.1.1 files and how are they exploited?
- What should I check for to know if my blog has been compromised or not?
- Do I need to change my blog's passwords?
technosailor
Member
Posted 2 years ago #
The details of the exploit were published by Ivan Fratric (the security guy who reported the situation) here.
http://ifsec.blogspot.com/2007/03/wordpress-code-compromised-to-enable.html
This is indeed quite dangerous.
Thanks for that important link.
cduke250
Member
Posted 2 years ago #
Better yet
# Return 403 Forbidden when the query string carries an ix= or iz= parameter
# (anchored so that unrelated query values such as s=quiz are not blocked)
RewriteCond %{QUERY_STRING} (^|&)(ix|iz)=
RewriteRule .* - [F]
Ooh, even better! I knew someone may have a more elegant way of doing this. Thanks, cduke250! :)
You can also just check your blog's running code for the actual problem. I checked, and I apparently did not download the bad code at any point.
Or just upgrade to 2.1.2 if you had 2.1.1. No need to do this sort of block in .htaccess. Blocks like this should be sitewide if they are to be done.
I knew that I was not at risk, but would rather block the attempts so as to deter them. :)
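To complement the .htaccess blocks above and the earlier question of how to tell whether a blog was probed, here is an added example (not from any poster in this thread) that scans Apache combined-format access log lines for requests to theme.php or feed.php carrying an ix= or iz= parameter, the pattern the thread is blocking. The log lines are constructed for illustration; the helper `loose_rule_matches` shows why a bare `(ix|iz)` rewrite condition also catches harmless queries.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Mar/2007:10:12:01 +0000] "GET /wp-includes/theme.php?ix=ls HTTP/1.1" 200 512 "-" "curl/7.15"
203.0.113.5 - - [05/Mar/2007:10:12:09 +0000] "GET /wp-includes/feed.php?iz=id HTTP/1.1" 200 128 "-" "curl/7.15"
198.51.100.7 - - [05/Mar/2007:10:13:44 +0000] "GET /?s=quiz HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2007:10:14:02 +0000] "GET /wp-includes/feed.php HTTP/1.1" 404 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SUSPECT_FILES = ("theme.php", "feed.php")   # files the thread says were modified
SUSPECT_PARAMS = ("ix", "iz")               # query parameters the thread blocks


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def is_backdoor_probe(rec):
    """True when the request targets theme.php/feed.php with an ix= or iz= parameter."""
    return rec["path"].endswith(SUSPECT_FILES) and any(p in rec["query"] for p in SUSPECT_PARAMS)


def loose_rule_matches(query_string):
    """Mimics an unanchored (ix|iz) RewriteCond: matches anywhere in the query string."""
    return re.search(r"(ix|iz)", query_string) is not None


def find_probes(log_text):
    """Return (ip, path, status) for every line that looks like a probe of the backdoor.
    A 200 alone proves nothing (both files exist in a clean install); the parameter is the signal."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_backdoor_probe(rec):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits
```

Run `find_probes` over a real access log and follow up on any source that hits both files; the last sample line shows that a request for feed.php without the parameter is not flagged.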
cduke250
Member
Posted 2 years ago #
Or just add this:
# Refuse all direct requests for theme.php and feed.php (Apache 2.2 syntax)
<FilesMatch "(theme|feed)\.php$">
order allow,deny
deny from all
</FilesMatch>
but Otto42 has the best advice.
Using FilesMatch