
Using GeoIP.dat and Apache on cPanel / WHM to block 75,000+ attacks on wp-login.php in one day


After yet another brute-force attack on our servers hosting WordPress sites today, I finally decided it was time to take some drastic action. There are a number of different approaches you can take; this is what I did to block literally over 75,000 attacks against wp-login.php today.

Step 1: Install the GeoIP database and Apache module

Step 2: Add this to /usr/local/apache/conf/includes/post_virtualhost_global.conf

# Whitelist countries allowed to access wp-login.php or wp-comments-post.php
# (Apache 2.2 Order/Deny/Allow syntax; mod_geoip must be loaded so that
#  GEOIP_COUNTRY_CODE is set for each request)
<FilesMatch "(wp-login|wp-comments-post)\.php$">
    SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
    SetEnvIf GEOIP_COUNTRY_CODE CN AllowCountry
    # With "deny,allow", everything is denied unless a matching Allow applies
    Order deny,allow
    Deny from all
    Allow from env=AllowCountry
    ErrorDocument 403 "Forbidden."
</FilesMatch>

(We have some clients in China who legitimately need to log in to WordPress, so we included China in the whitelist.) Adjust the allowed-country list to suit your own users.

Restart Apache with service httpd restart and start watching the attacks get served “Forbidden.” messages instead of hitting WordPress and the database. Server load way down, yay! Sorry, rest of the world, you can’t have our wp-login.php anymore.
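To confirm the rule is doing its job and to see who is hammering the login script, here is an added example (not from the original post) that parses Apache combined-format access log lines, counts hits on the two protected scripts by status code, and lists the client IPs that are collecting 403s. The log lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache combined log format, which is what cPanel/WHM writes by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2013:03:12:01 -0500] "POST /wp-login.php HTTP/1.1" 403 11 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Apr/2013:03:12:02 -0500] "POST /wp-login.php HTTP/1.1" 403 11 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Apr/2013:03:12:03 -0500] "POST /wp-login.php HTTP/1.1" 403 11 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Apr/2013:03:12:05 -0500] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Apr/2013:03:12:09 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Apr/2013:03:13:00 -0500] "POST /wp-comments-post.php HTTP/1.1" 403 11 "-" "curl/7.29"
192.0.2.44 - - [14/Apr/2013:03:13:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/7.29"
"""

# Same two scripts the FilesMatch rule protects; matched on the file name only,
# as FilesMatch does, so a copy under a subdirectory is counted too.
PROTECTED = ("/wp-login.php", "/wp-comments-post.php")


def summarize(log_text, threshold=3):
    """Count hits on the protected scripts.

    Returns (by_status, blocked_by_ip, noisy_ips): status -> count for the
    protected paths, ip -> number of 403s it received, and the sorted list of
    IPs with at least `threshold` blocked attempts (the ones worth a closer look).
    """
    by_status, blocked_by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than guess
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if not path.endswith(PROTECTED):
            continue
        status = m.group("status")
        by_status[status] += 1
        if status == "403":
            blocked_by_ip[m.group("ip")] += 1
    noisy = sorted(ip for ip, n in blocked_by_ip.items() if n >= threshold)
    return dict(by_status), dict(blocked_by_ip), noisy
```

Feed it the real access log (for example the file under /usr/local/apache/domlogs/ for the affected site) to see the before/after ratio of 403s to 200s on wp-login.php.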

WordPress 3.1 is released!


We have 82 installations of WordPress on our servers and are excited for the new release of WordPress 3.1. There are a bunch of neat new features, but probably the thing that most of our clients will notice first is that there is a new admin bar that will show up for them. Should be fun managing the upgrades. 🙂

Read more about the new update here.

Fix for Twitter Tools open_basedir error


If you’re like me, you’ve been using the excellent Twitter Tools plugin for WordPress for a while now. Recently a client noticed a sporadic error being shown that looked like this:

Warning: require_once() [function.require-once]: open_basedir restriction in effect. File(twitteroauth.php) is not within the allowed path(s): (/home/fern:/usr/lib/php:/usr/local/lib/php:/tmp) in /home/fern/public_html/wp-content/plugins/twitter-tools/twitter-tools.php on line 1516

Here is the fix that I figured out would work — add the absolute path of the file into the plugin code and it should clear this up. Obviously this isn’t an ideal long-term solution. Hopefully Alex will incorporate this simple fix into the next version of the plugin. Note that this fix applies to Twitter Tools version 2.4.

In twitter-tools/twitter-tools.php change line 1516 to:
require_once(dirname(__FILE__) . '/twitteroauth.php');

And in twitter-tools/twitteroauth.php change line 10 to:
require_once(dirname(__FILE__) . '/OAuth.php');

How to Unix tip: Find and remove files older than a certain time period


If you find a directory such as /tmp/ filling up with old and unneeded files, here’s a quick tip for finding and removing what you don’t need anymore. Note that the delete command WILL remove everything it finds, so make sure you understand exactly what you are doing before running it.

Command to find all files older than 5 days:
find . -mtime +5 -type f

Command to delete all files older than 5 days (USE WITH CARE!):
find . -mtime +5 -type f -exec rm {} \;

From the man page for find:

-mtime n
     File’s data was last modified n*24 hours ago. See the comments
     for -atime to understand how rounding affects the interpretation
     of file modification times.
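That rounding note matters more than it looks: because fractional days are truncated, -mtime +5 only matches files that are at least six full days old. The following added example (not from the original post) backdates a few constructed files in a temporary directory, runs the same find command against them, and wraps the delete step in a dry-run helper.

```python
import os
import subprocess
import tempfile
import time

DAY = 86400


def find_older_than(directory, days):
    """Run the same find invocation as the post and return matching paths.

    -mtime +N counts whole 24-hour periods and truncates the fraction, so a
    file must be at least (N+1) days old to match: 5.5 days is "5" to find.
    """
    result = subprocess.run(
        ["find", directory, "-mtime", f"+{days}", "-type", "f"],
        check=True, capture_output=True, text=True,
    )
    return sorted(result.stdout.splitlines())


def remove_older_than(directory, days, dry_run=True):
    """Equivalent of the post's -exec rm step; with dry_run it only reports."""
    victims = find_older_than(directory, days)
    if not dry_run:
        for path in victims:
            os.remove(path)
    return victims


def make_aged_files(directory, ages_in_days):
    """Constructed sample: one file per age, with its mtime pushed back that far."""
    now = time.time()
    for age in ages_in_days:
        path = os.path.join(directory, f"aged_{age}d.tmp")
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (now - age * DAY, now - age * DAY))


def demo(days=5, ages=(4, 5.5, 6.5, 30)):
    """Return (basenames find matched, files still present after a real delete)."""
    with tempfile.TemporaryDirectory() as tmp:
        make_aged_files(tmp, ages)
        matched = [os.path.basename(p) for p in remove_older_than(tmp, days)]
        remove_older_than(tmp, days, dry_run=False)
        return matched, sorted(os.listdir(tmp))


if __name__ == "__main__":
    print(demo())
```

Run the dry-run form against the real directory first; only the 6.5-day and 30-day files go, while the 5.5-day file survives exactly as the man page says it will.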

Hope that helps! Thanks for the pointers from this page.

How to fix 301 error when importing blog posts including images from a WordPress.com blog into a new WordPress.org blog


The current import script (as of WordPress 2.8.6) is broken when it comes to successfully importing images from WordPress.com. The error you see is something like

Remote file error: Remote file returned error response 301 Moved Permanently

Fixing this involves adding a couple of lines to a core WordPress file. Hopefully a future version of WordPress will include the working version.

Note that these instructions are for WordPress 2.8.6. Your version may be different, and you may need to play with this to get it to work for you. This worked for me, YMMV.

  1. Open wp-includes/functions.php
  2. Around line 1208 or so, you’ll find the wp_get_http function.
  3. Right below where it says $headers['response'] = $response['response']['code'];, add the following code (around line 1227):
    
    // added to fix 301 redirects for blog import code from WordPress.com
    // $options is the request array wp_get_http built above; this follows a
    // single 301 hop only (a 302, or a redirect to another redirect, is not handled)
    if ((string)$response['response']['code'] == '301') {
        $response = wp_remote_request($headers['location'], $options);
        $headers = wp_remote_retrieve_headers($response);
        $headers['response'] = $response['response']['code'];
    }
    
  4. Save the functions.php file and copy it back to the server.
  5. Re-run the import function (Tools > Import > WordPress). Don’t worry, it won’t make copies of the posts you’ve already imported, it will just download the images to your new blog.

To fix the references to the images so they’re served from your new blog, you can either go through every post and manually correct them all (not very fun), or, better yet, download the Search and Replace plugin, activate it, and replace every instance of the WordPress.com image server URL in your posts (something like http://BLOGNAME.files.wordpress.com/) with your own new URL (http://BLOGNAME.com/wp-content/uploads/). Test the new URL structure before you run the search and replace, otherwise you’ll have to go back and fix it.

Hat-tip to Bill Zitomer for pointing out the link to this WordPress support forum page that had a good clue to the solution.

Is WordPress automatic install / upgrade compatible with a SVN deployment of WordPress?


Question: Is the built-in WordPress automatic install / upgrade process compatible with a SVN deployment of WordPress?

Short answer: Yes.

Ever since WordPress came out with the automatic upgrade functionality in 2.7 I’ve hesitated to use it since the majority of our client installs are deployed using Subversion (svn) and I wasn’t sure how it would react with the .svn directories.

Today I finally decided to figure it out, and found that the WordPress team coded their upgrading functions exactly correctly (as far as not overwriting or deleting .svn directories goes). In addition, their script correctly removes old and unneeded files that might be present.

First, check to make sure that our svn checkout is clean:

$ svn st

Next, we begin the automatic upgrade process.

Step 1: Click the WordPress 2.8.5 “Please update now.” link.
Step 2: Back up your files as suggested – http://codex.wordpress.org/WordPress_Backups
Step 3: Enter your FTP connection details and click the Proceed button.
Step 4: Wait while the files are downloaded and unzipped. This can take a minute or two, so be patient.

Now we can check to see what files were changed:

$ svn st
M wp-app.php
M xmlrpc.php
M wp-includes/post-template.php
M wp-includes/version.php
M wp-includes/theme.php
M wp-includes/comment-template.php
M wp-includes/bookmark-template.php
M wp-includes/media.php
M wp-includes/formatting.php
M wp-includes/author-template.php
! wp-includes/images/swf.png
! wp-includes/images/audio.png
! wp-includes/images/zip.png
! wp-includes/images/html.png
! wp-includes/images/doc.png
! wp-includes/images/video.png
! wp-includes/images/pdf.png
! wp-includes/images/js.png
! wp-includes/images/exe.png
! wp-includes/images/text.png
! wp-includes/images/default.png
! wp-includes/images/tar.png
! wp-includes/images/css.png
M wp-includes/rewrite.php
M wp-includes/general-template.php
M wp-includes/capabilities.php
M wp-includes/classes.php
M wp-includes/category-template.php
? wp-content/plugins/hello.php
M wp-content/plugins/akismet/akismet.php
M wp-content/plugins/akismet/readme.txt
M wp-trackback.php
M readme.html
M wp-admin/includes/post.php
M wp-admin/includes/update-core.php
M wp-admin/post.php
! wp-admin/js/forms.js
! wp-admin/js/upload.js
M wp-admin/edit-attachment-rows.php
! wp-admin/import/btt.php
! wp-admin/import/jkw.php
M wp-admin/import/wordpress.php
! wp-admin/edit-form.php
! wp-admin/link-import.php
! wp-admin/images/media-button-gallery.gif
! wp-admin/images/tail.gif
! wp-admin/images/gear.png
! wp-admin/images/comment-stalk-classic.gif
! wp-admin/images/media-buttons.gif
! wp-admin/images/comment-stalk-rtl.gif
! wp-admin/images/tab.png
! wp-admin/images/comment-stalk-fresh.gif
! wp-admin/images/comment-pill.gif
! wp-admin/css/press-this-ie-rtl.css
! wp-admin/css/press-this-ie.css
! wp-admin/css/upload-rtl.css
M wp-admin/install.php
M wp-admin/page.php

Notice that some old files have been removed and others have been modified. (See http://codex.wordpress.org/Files_Automatically_Replaced_by_Core_Upgrade for details on all the old files that the automatic upgrader removes).

Next we schedule the missing files (the ones svn st marks with !) to be removed from svn:

$ svn st | grep '^!' | sed 's/^! *//' | xargs svn rm

Next we commit the modified files and the removed files:

$ svn ci -m "Upgrading to the latest version of WordPress 2.8.5"

That’s it. The WordPress automatic upgrade process does not interfere with .svn directories, and is therefore compatible with a deploy-from-Subversion workflow.

How to disallow browsing of .svn directories on your server


If you deploy projects live out of Subversion repositories to public web servers, here’s a good tip for denying access to the .svn directories to keep people from snooping around your files.

Edit your global Apache config file (httpd.conf) or .htaccess file to include the following directive:


# Disallow any .svn directory browsing
<directory ~ "\.svn">
Order allow,deny
Deny from all
</directory>

This tells Apache not to serve anything under any directory called .svn, so the entries and text-base files that would reveal your source are no longer reachable from the web.
