gcaleval
Forum Replies Created
-
Forum: Everything else WordPress
In reply to: Is CGI required for WordPress@mosso, presumably @webbrewers last response is a backhanded way of telling you CGI is not required to run WordPress.
I’d caution you though that you may find other things that are not directly connected to WP that DO need CGI and troubleshooting after months or a couple of years could be prove difficult.
I honestly don’t know if there are currently any plugins or other WP-related functionalities that depend on CGI. Try disabling it and see what happens.
But be sure to remember that you have it disabled if something comes up in future.
Forum: Plugins
In reply to: [Prevent XMLRPC] WordPress vulnerability?@pubwvj If you don’t need it at all, then yes, you are good to go without it. I have it disabled on a number of sites.
Forum: Plugins
In reply to: [Prevent XMLRPC] WordPress vulnerability?@pubwvj The following htaccess rule will prevent any access to the xmlrpc file from any IP other than your own (obviously you need to swap in your own proper IP address). But if you are using a mobile app to admin your site, you’d have the problem of knowing all the possible IP addresses that may be signed to your phone or device over time. In theory that’s possible, but I don’t know enough about how cell providers assign IPs.
So if you are actually using a mobile app to administer your web site, htaccess rules are not a viable solution. If you are using Windows Live Writer from your home system, then this will work fine until your IP changes at which time you have to FTP in and change the rule for the new IP.
RewriteCond %{REMOTE_ADDR} !^999.999.999.999 RewriteCond %{REQUEST_URI} /xmlrpc\.php RewriteRule .* - [F]A better solution to the problem you faced may well be ZBBLock. It does a very good job of catching bad IPs and blocking them from ever getting into WordPress, but manual installation is necessary as no one has created a plugin for it yet.
Forum: Plugins
In reply to: [Prevent XMLRPC] WordPress vulnerability?@forsett it is not correct that xmlrpc is only used by Admins. It is also the vector in for a range of web services such as IFTT and others where interaction with your site is required to provide the service. If you use a service that involves server-server communications which require authentication, it is possible they are using xmlrpc.
@pubwvj if you don not use it for these purposes or for WP mobile then you are likely safe to just disable it as explained in the second post of this thread.
The simplest test is to disable it and watch what happens for a few days. If everything is working fine, you’re god to go. If not at least you should be able to see exactly what it is breaking so you can look for an alternative to that function / service.
Forum: Fixing WordPress
In reply to: Website hacked inspite of WP-securityRE: “does the choice of service provider have any say in whether your site gets hacked or not?”
It’s a controversial issue partly because so many people involved in the WordPress community are also involved in, even employed by, hosting companies, and partly because different people have had very different experiences with different hosts.
My personal experience is that it matters quite a lot.
I have received sustatined attacks on or originating from Dreamhost, GodDadday, Linode and many others — all companies that are generally promoted as being reputable.
The best solution for me was to go to a fully managed VPS with a VPS hosting company.
BUT, with a VPS more responsibility falls on you to ensure security. For example, when you set up WHM, you need to have your checklist that includes enforcing jailed shells, locking down ssh, setting AllowSymLinksIfOwned and numerous other hardening features. With good fully managed VPS host, you will get a lot of key security taken for you just by asking, including installation of mod_security with core rules, mod_evasive to degrade ddos attacks and so on.
Whether or not you are on your own VPS, it is just absolutely vital that you
- keep core, plugins and themes up to date, use WP Updates Notifier
- monitor file changes on the system, use WordPress File Monitor Plus
- control your uploads directory with htaccess to prevent access to non-image files (or other formats you allow)
- use a root htaccess to secure your entire file space
But honestly, the very most important and best strategy is:
1. Expect to be hacked
2. Have a disciplined back up routine that backups up your site and database daily and stores them offline
3. Keep good logs so you can identify when the hack took place.With just those three things, you can revert your entire site back to a day or three before the attack — and still go through the traditional steps in the links routinely offered by esmi, Jan and others. Do not rely on your host’s promised backup features. Very few of them are accurate. With Hostv, you can configure your own backups which will be stored outside the web space, but could still be compromised if some gains root access privileges. Use that feature, but also do your own backups to your own local desktop or an offsite repository like Drop Box or Google+.
This way you may loose a few days of work that you have to rebuild or abandon, but the bulk of your site will be fine. (Note: if you have basic unix skills, it is very easy to use rsync to backup from your site to your linux box, even if linux is running on a virtual machine on your Windows computer).
Note: I have no connection to Hostv other than as a customer and speak only for my own experience.
If you really want to get fully managed/full administered hosting, you can opt for one of the services that does everything, but typically your design and functionality choices are extremely limited.
Forum: Fixing WordPress
In reply to: Website hacked inspite of WP-securityRE: “Why is my site becoming the target of so many attacks?”
Don’t feel like you’re being targeted. Many, if not most, web sites get “attacked” multiple times per day.
These are automated robots spidering the web, using whois databases and other techniques to throw out probes against anything accessible. However, you are right, that being hacked once often does result in many follow-on attempts as there is some sort of vulnerable site record keeping in dark recesses of the web.
You will never “stop the attacks,” but instead must harden your site against them, and not be panicked by the fact that they occur.
Esmi provided you some good links to that end.
But, when one’s allowed themselves to be hacked via outdated WordPress or plugin/theme installs, I actually recommend a more severe approach whenever it is possible – start from scratch.
If you do not have hundreds of pages of content, you are better off wiping everything from your host account and rebuild with all new code and a new database. Of course if you have a lot of content on a site, rebuilding is often not a viable option.
I take this approach because I have seen situations where ops have experienced one kind of hack, gone through the cleanup steps to the best of their ability, only to later discover that some piece of hack code was left behind in the database that actually predated the experienced hack. It was hiding waiting for activation and not found during cleanup. And was much more serious than a redirect or simple defacement.
Whether you rebuild or are confident you have a clean system and stick with it, make sure you really have changed all your passwords to very strong, and that you do not use the same password for your WP admin, FTP and cPanel/hosting accounts.
I also recommend you look at deploying ZBBlock, a completely free solution that provides site wide protection of all WP, plugin and theme php files. I use it on several sites and it is remarkable to see how well it deflects the many different forms of attack.
Forum: Hacks
In reply to: Why wordpress is so easy for hacking?+1 MickeyRoush
If the hosting environment is such that user accounts are “being cleared every day” the problem, aside from not being about WordPress, may be about the hosting environment itself.
@technopolic you may find this thread informative:
http://wordpress.org/support/topic/hacked-by-hacker-1?replies=47
Forum: Fixing WordPress
In reply to: how to block Unknown robot (identified by 'bot*')@draigus check the access logs on the server and see if there is anything more than “bot” in the User-Agent string.
Here is a blocking example that uses the U-A to send unwanted bots straight home.
RewriteCond %{HTTP_USER_AGENT} ^.*(Ahrefs|Baidu|BlogScope|Butterfly|DCPbot|discoverybot|domain|Ezooms|ImageSearcherFree).*$ [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^.*(ips-agent|linkdex|MJ12|Netcraft|NextGenSearchBot|SISTRIX|Sogou|soso|TweetmemeBot|Unwind|Yandex).*$ [NC] RewriteRule ^/?.*$ "http\:\/\/127\.0\.0\.1" [R,L]You could just Rewrite -F them but I’ve found that telling them to go search themselves causes them to stop coming after a while, but giving them a 403 does not.
Note, however, that if you block “bot” you will end up blocking GoogleBot and BingBot, which you may want indexing your site. So if you cannot get a good string out of the user agent, you’ll need to use other tools.
I’m an enthusiast of ZBBlock as it provides defense against much more than unwanted bots, is free, is actively supported by its developer and his community and can provide cover for any php on your server, not just WordPress. If you follow the step-by-step instructions, it is painless to install. One tip is that the standard advice is to load the hook (copy-paste a string, nothing complicated) in wp-load.php. Instead do it in wp-config and you won’t have to worry about re-edits after WP updates.
Forum: Requests and Feedback
In reply to: WordPress – Not Secure At All Now a DaysTopic title is flatly wrong.
If someone’s WordPress site is down every month because of hacking, it is either (a) a matter of the craftsman and not the tools or (b) there is something about the site content that is particularly inviting to hackers.
Regarding (a)
Of the web site tools available, WordPress is easily the best for security, particularly for the non-technical web admin. Alternatives such as Joomla may have their place, but they do get hacked and often the consequences are sweeping.
If you are a person who wants to do absolutely nothing with your site, nothing such as keeping it updated or subscribing to relevant news feeds for the occasional notice, then you should not operate a web site. Use something like Google Sites or WordPress.com. They give you free blogs and maintain all the code for you, for heaven’s sake. For free.
There are lots of WordPress security hardening tools that require very minimal effort to use and LOTS of free help in using them. I recommend ZBBlock for its extensive security capabilities, but there are easier ones like the recently much discussed Bullet Proof.
So @amarbir, when you change to an alternate platform, please come back and report on the decrease in attacks. I predict there will be none. I own quite a few domains myself with more than a dozen set up purely as traps. They host no WordPress or other actual web site code. Just an index.php page and ZBBlock. They get hit with the same number of attacks as the domains running WordPress. This is not an abstract speculation, it is my real world experience. Certainly lots of the attacks are against wp-login.php, but many target Joomla, lots against phpmyadmin and a dizzy array of form submission attack types.
WordPress is the most widely used so it is to be expected that hackers will include it most heavily in their hacking campaigns. So it’s just factually wrong to talk about
alternative blogging scripts that are not that hacker friendly and are more secure
There are none that accurately fit those criteria.
The 3.5 upgrade did throw one significant curve ball, which was the introduction of square brackets [] into http strings. Which the team identified in the update checklist: http://wordpress.org/support/topic/troubleshooting-wordpress-35-master-list, although one might skip over by accident as it titles that segment as “PerishablePress “5G” blacklist.” Some of my own custom htaccess rules broke as well so some other internals may have changed too. But it was enough to know to trial those rules and I was fully operational in perhaps half an hour.
Regarding (b)
Sites that actively host web mail are highly prized by hackers and therefore highly targeted. Sites that run file sharing are highly prized by hackers and therefore highly targeted. URLs that are posted to Facebook or Twitter result in an immediate flood of automated bot attacks.
Even certain keywords trigger sustained hacking attacks. For example on a site I host there is a mildly amusing article detailing the historical view of garlic as an aphrodisiac. About two months after that article went live, Russian- and Chinese-origin bots starting flocking to the url. It’s been up for a year and they still come even though they are invariably redirected to their localhost. My speculation is that the bots use the results of search engine queries and one of their included triggers is “aphrodisiac.”
Conclusion
There could be a number of reasons why WordPress may not be the right platform for a given person, but security is not one of them.
Forum: Themes and Templates
In reply to: [Suffusion] Where is Suffusion trying to write to?I’m not clear on one thing.
If one follows your method Sayontan, does it require the main Suffusion theme to be network-enabled? In @markpea’s case this may not matter given his site is going to live in a fiercely protected environment and he may only be offering a single thematic choice.
But in other cases, for example using child themes to build 10 variants of Suffusion, having only those 10 network enabled seems to make sense. I chatted with an op who created a separate child for each of four faculties in a school which is why it connected for me here.
As your own tutorials taught me, keeping with traditional practice is as simple as addinga line to import the appropriate skin css file, no?
My skinning selection is not over-ridden and my child has the @include lines.
I’m also unclear about the apparent resolution of
on another hunch, returning to Back end -> Site Optimization I reset the Auto generate CSS file to the default setting (include as a linked file), and lo and behold it does not give the same behaviour as before (ie no prompt to FTP) and the settings seem to be saved.
The only time I’ve come across that is when there are permission issues with where Suffusion is trying to save the linking file. My system is set to stop any attempt to create a new directory in the Uploads directory and any file outside the date tree. Which naturally blocked the saving the of the suffusion css file. Hence I use auto-generate in html.
But if I understand your answer, it wasn’t saving the file because it was being overwritten by the child’s include statement?
If it is not due to overwriting — and I’m skeptical because I have a similar setup and do not have that issue — then it’s due to something else that could come back to haunt if it is not identified on the front end. The prompting for FTP credentials also suggests the failure was caused by something beyond having an include statement in the child theme’s sheet.
Regardless, this topic has given me something new to experiment with <smile>.
Forum: Plugins
In reply to: [Prevent XMLRPC] WordPress vulnerability?How do you protect against this vulnerability?
The link I shared from esmi explains how to disable xlmrpc, which is complete protection against the kinds of probes being descrived.
What ticks me is that this is all being presented as a “new” threat. The DoS attack was completely viable against any site allowing pingbacks before 3.5. So was trackback spam. XML-RPC also always supported user credentials — that’s how remote blogging tools like LiveWriter and ScribeFire work — they use XML-RPC to authenticate you into the site.
The only one I’m not sure about is the internal network mapping.
What’s really new is just the fact that it is turned on by default now and you have to take an extra manual step to disable it.
But as someone who watches security threads and has vulnerability alert notices coming from many sources, I get a little angry that some “security” sites take any opportunity to trump up something into a “threat” when it really is at most an annoyance.
I’m convinced that there are many self-proclaimed security experts out there who are more interested in “scaring” up traffic to their sites or selling their services than they are in monitoring, reporting and defending against actual threats.
Forum: Themes and Templates
In reply to: [Suffusion] Where is Suffusion trying to write to?@markpea the other thing you should probably do is to use a child theme, network enable that child theme, and network DISABLE the main Suffusion theme.
A basic child theme consists of:
/* Theme Name: Suffusion Child Theme URI: http://aquoid.com/news/themes/suffusion/ Description: Suffusion Child Version: 1.0.0 Author: Sayontan Sinha Author URI: http://mynethome.net/blog Template: suffusion */ @import url("../suffusion/style.css");and place it in a subdirectory under Themes like any other. This will prevent users from intentionally or inadvertently doing anything to the Suffusion base, but still give them access to its full potential.
Forum: Plugins
In reply to: [Prevent XMLRPC] WordPress vulnerability?Here’s a link from esmi explaining how to disable xml-rpc:
http://wpengineer.com/2484/xml-rpc-enabled-by-default-in-wordpress-3-5/
I don’t know if it’s really accurate to call the situation a “vulnerability” since the code is doing exactly what it is designed to do. Trackback spam has always been a concern and there have been countermeasures available.
What I notice is that about a day after the new WordPress core release came out turning xml-rpc on by default the web started getting dotted with all these claims about a “new” vulnerability.
My philosophy is that if you do not need a functionality, then, to the extent possible, you should not have code for that functionality on your site. As more and more gets bolted on to the core, it becomes increasingly difficult or impossible to “only keep what you use.”
Heck, I think lots of what’s in core should be outsourced to addons — like the whole Media Library should be a plugin. But woe betide the community if that were the approach; much tearing of hair and gnashing of teeth would ensue! <chuckle>.
Forum: Fixing WordPress
In reply to: Disable XML-RPC?Thank you esmi. That was a very helpful link!
Forum: Plugins
In reply to: Plug In to make a page to look like Popcritics!Well I’m pretty that koolwaters is using the NexGen Gallery plugin to display that page. Whether or not not NexGen does what you’re describing, don’t know.
The way I’m understanding your description now does not sound like an easy piece of coding. Essentially you want to create a post, add an image while creating that post and have the image from that post populated to a completely different post, page or gallery, with a backlink to the original post?
Maybe some gallery plugins allow for automatically adding all images from a specified category — that would be one way to get there.
Another would be to use Gravity forms, but that would involve some upfront overhead in coding the form that would replace your post edit screen.
Sorry I couldn’t be of any help. Your question is a good one and if you find an answer please be sure to share it here so the rest of us may benefit from your search.