wp_kc
Forum Replies Created
-
Forum: Plugins
In reply to: [Facebook Album Sync] Images no longer showing in WP3.6 (and how to fix it)k. fine. whatever…
here is the new facebook-album-sync/js/lightbox.js code…
Here is the new facebook-album-sync/css/lightbox.css code…
Once they’ve gotten a foothold to your web site, they usually install other files to keep a hold of your server. So it is common to see files completely outside of the WP installation after a site has been infected.
Regarding file permissions, read-only might not work since the PHP files need to be able to execute, and the upload directory needs to be writable by the web server for your media library to work.
but there are a lot of other things you can do to fix things up. Check out this article.
It is very simple to do, and it has nothing to do with the Better WP Security plugin.
If you have an account with administrator privileges you can create a new user, with any name you want, and set the new account as an administrator.
Then if you also want to get rid of the old administrator account, that is simple too. Login with the new administrator account you created and delete the old administrator account. It will ask you what you want to do with the posts that belong to the old account. You can select to assign them to the new administrator account.
Very simple. No database knowledge needed.
Technical background:
The only thing the rename administrator account feature of BWPS does is change the name and the database id number of the administrator account. That is all. You can do the same thing yourself using the technique above. The BWPS plugin just makes it faster to do.Did you try entering your home URL in the FB OG debugger tool?
https://developers.facebook.com/tools/debug
That should give you a better idea of what is going on. Also, it’s a handy way of clearing FB’s cache of your og:image when you update it.
Always remember… if you have FTP access to your web site you can temporarily rename the folder of any plugin to disable it. I usually rename the folder to have a dot as the first character of the file name. This trick effectively hides the folder from WordPress.
In the case of the Better WP Security plugin you can rename the folder from
better-wp-securityto.better-wp-securityYou will then be able to log-in to the WordPress admin area the usual way.
Then, after you have logged in to WordPress, keep your web browser opened on the WP admin area and rename the plug-in folder back to it’s original name using your FTP program.
Next, go to the plugins menu in WordPress, if WordPress did not already re-enable Better WP Security, you can do it now. Since you are already logged in, you don’t have to worry about the plug-in booting you out because of the “Hide Backend” settings.
Now you will be able to generate a new secret key.
I highly recommend adding a .htaccess file to your wp-content folder with the following in it…
Order Deny,Allow Deny from all <FilesMatch "\.(jpe?g|gif|png|wmv|wma|mp3|ogg|m4a|bmp|flv|swf|js|css|pdf|woff|ttf|xml|xls|html|gz|csv|eot|zip|tar)$"> Allow from all </FilesMatch>No executable files in the wp-content folder should be directly accessible, but WordPress currently does nothing to stop direct access to executables anywhere in the wp-content folder. Hackers use this lack of control to exploit bugs in various plug-ins or upload executable files to your site which then allows them to take complete control over your web site and maybe even more. Adding the .htaccess file above will put a stop to the vast majority of these exploits.
However, some thoughtlessly designed plug-ins may require direct access to .php in the plug-ins directory. In every case I have seen, it is absolutely possible to re-design these plug-ins so they don’t need direct access to anything under the wp-content folder. But getting the plug-in designer to re-design their plug-in may be difficult.
In these cases, you have a choice. Either don’t use a plug-in that was poorly designed, or add specific exceptions for the plugin. Adding an exception is dangerous if the plugin can be exploited by hackers. However, I will tell you how to do it in case you are desperate to use a poorly designed plugin. 😉
To add exceptions, first find out what file is trying to be accessed (after having added the .htaccess file shown above to your wp-content folder). You can use the FireBug plugin for Firefox (or similar) and look for 403 errors when accessing your web site. Then add directives to the .htaccess file to allow that file to be directly accessed.
For example, the WordPress SEO plugin by Joost requires direct access to xml-sitemap-xsl.php to produce a sitemap for search engines. Adding an exception for this file would make the entire .htaccess in the wp-content folder look like this…
Order Deny,Allow Deny from all <FilesMatch "\.(jpe?g|gif|png|wmv|wma|mp3|ogg|m4a|bmp|flv|swf|js|css|pdf|woff|ttf|xml|xls|html|gz|csv|eot|zip|tar)$"> Allow from all </FilesMatch> <FilesMatch "xml-sitemap-xsl\.php$"> Allow from all </FilesMatch>The file name should always have a $ added to the end of it (this tells the web server that the file match should only match file names that end with this text). If there are any . in the file name, add a \ in front of them (the period character is a search function, changing it to \. tells the web server to consider it as a literal . instead of as a search term).
Good luck!
Update: This issue has been fixed in Version 3.5.3
One other note… I have noticed that some hackers are using proxy servers which hide their real address. If you want to try to ban anyone that uses an anonymizing proxy you could have the start of your stuff look like this…
# END Better WP Security SetEnvIf X-Forwarded-For unknown denyclient SetEnvIf X-Forwarded-For 0.0.0.0 denyclient SetEnvIf X-Forwarded-For 0 denyclient deny from env=denyclientAdd your specific IP addresses right before the “deny from env=denyclient” line.
Sorry I did not get back to you sooner. The BWPS section of the .htaccess file should start at or near the top of that file with this…
# BEGIN Better WP Security…and it ends with this…
# END Better WP SecurityAny line that starts with # is just a comment to help document the file. In between those two comments is the section that denies access to IP addresses. It start with something like this…
# Abuse bot blocking rule end # End HackRepair.com Blacklist Order allow,deny Allow from all(note: If you do not have the HackRepair.com blacklist option enabled, those first two lines wont’ be there, just the last two)
These lines are followed by all the IP address banning directives. For example…
Deny from 118.1.70.142 Deny from 118.101.93.229 Deny from 118.108.100.22When you don’t see any more “Deny from” lines, that is the end of that section and the start of something else.
I’ve rethought my original advice. It looks like it is a bad idea to add your own stuff in between the “# BEGIN Better WP Security” and “# END Better WP Security” comments. So, just add your stuff after the “# END Better WP Security” comment.
For example, let’s say you are seeing IP address 123.123.123.123 still accessing your web site even though it is in the ban list. The end of the BWPS section of the file should look like this…
# END Better WP Security SetEnvIf X-Forwarded-For 123.123.123.123 denyclient deny from env=denyclientYou can add as many of the “SetEnvIf X-Forwarded-For” lines as you want. Just replace the IP address with a different one and make sure you have the “denyclient” part after it. Make sure you always keep “deny from env=denyclient” as the last line.
Here is what this is doing: “SetEnvIf” (Set Environment variable If true) will set a temporary value if the test condition following it is true. “X-Forwarded-For” is a bit of text that is sent by proxy servers that gives the actual IP address that is making the request for a web page. The “denyclient” can be anything, it’s just the name of the temporary value being created if the test was true. The “deny from env=denyclient” tells the web server to deny access if any of the previous tests came back as true. (It is checking to see if an environment variable named “denyclient” exits. if it does, it means one of the IP tests was true, so it denies the connection.)
I hope that helps.
Since I have several web sites with OpenGraph data in use and they work fine with BWPS installed, I don’t think that is the problem. I can think of two other possibilities…
1) You have something preventing hot-linking. You need to allow hotlinking for systems like LinkedIn and Facebook to grab images from your site.
https://simple.wikipedia.org/wiki/Hotlinking2) You have the IP addresses of LinkedIn/Google/Facebook/whatever servers in your ban list. Perhaps because you have a lot of 404 errors on your site and they got banned automatically, or for some other reason.
No. It is not IP spoofing. It is just an attacker using a proxy server. Read this instead…
https://en.wikipedia.org/wiki/X-Forwarded-For
BWPS is simply not adding the correct commands to the .htaccess file to stop the attacker.
Minerlman, did you try the SetEnvIf trick I showed above?
Handoko, try reading my posts above. This is happening because the attacker is using a proxy server and BWPS is not using the correct directive in the .htaccess file to stop it. BWPS needs some redesign to fix this problem.
I think I’ve found another workaround (this works for me since I only have one attacker that is apparently using a proxy). Instead of adding…
Deny from 123.123.123.123to .htaccess (where, of course, 123.123.123.123 is the ip address of your attacker), add this instead…
SetEnvIf X-Forwarded-For 123.123.123.123 denyclient SetEnvIf X-Forwarded-For "^123\.123\.123\.*" denyclient deny from env=denyclientPut this in at the end of the list that BWPS maintains. Two examples are shown. The first one is for a specific IP address. The second one shows a search string to search for a range of IP addresses.
Also, banning an IP address forever might not be the best policy either. If someone is attacking with a dynamically allocated IP address, as soon as that address is recycled and used by someone else, they are banned even if they are a legitimate user.
It might be better to turn off the ban permanently feature and just use a really long ban period (like 24 hours). Since BWPS seems to actually work when it is managing the lockout (as opposed to a .htaccess directive) you should get a good compromise.