WordPress websites under attack…again
Last year, it was the wp-login.php brute force attack where bots kept trying to log on to websites by guessing the user name and password.
A basic step in protecting a WordPress website is not to have a user called ‘admin’.
For the last two weeks, there has been a wave of new attacks.
The new brute force attack tries to exploit XMLRPC in WordPress.
I was seeing thousands of requests to /xmlrpc.php per minute today.
I immediately went to cloudflare control panel and changed the Basic protection level to “I am under attack”. This gave me some breathing space while I figured out how to deal with this.
My first guess was to simply deny http access to that file.
<Files "xmlrpc.php">
Order Allow,Deny
deny from all
</Files>
However, this isn’t very effective as it will generate a mass amount of 404 pages which WordPress still has to process. It is no better than deleting the file itself.
As a final resort, I used a htaccess rule to redirect access away from the file.
The advantage of this is no high CPU or memory usage.
I added the following code to my .htaccess file
RewriteRule ^xmlrpc\.php$ "http\:\/\/0\.0\.0\.0\/" [R=301,L]
This is not an optimal permanent solution but it will have to do for now unless someone has a better suggestion 🙂 . The attack itself lasted over 8 hours.
Update: The vulnerability that caused this denial of service has been fixed in WordPress 3.9.2 and the above workaround should no longer be needed.
Posted: August 4, 2014 under articles.
Tags: wordpress
Comments: none
System Administrator Appreciation Day
It’s on the 25th of July this year which is today and there is even a website for it.
A day to appreciate the people who keep our websites, databases, applications and internet connections running.
But…umm…this doesn’t look quite right.
Posted: July 25, 2014 under articles.
Tags: Funny
Comments: none
Scheduling virus scans on Arch Linux
Virus threats under Linux are mostly negligible. But I might still want to keep my system free from virus infected downloads and such. There is no need for on-access scanning and a weekly disk scan should do.
Under Arch Linux, I have clamav installed with freshclam service enabled so it auto updates the virus signatures.
Let us say I want to scan my /home partition once a week.
I will create a unit file /etc/systemd/system/clamscan.service
[Unit]
Description=Home Directory Virus Scan[Service]
Type=oneshot
ExecStart=/usr/bin/clamscan --log=/var/log/clamav/clamd.log --remove=yes --recursive /home/ --infected
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7
and a timer file /etc/systemd/system/clamscan.timer
[Unit]
Description=Home Directory Virus Scan[Timer]
OnCalendar=weekly
AccuracySec=12h
Persistent=true[Install]
WantedBy=multi-user.target
Finally I can type:
systemctl enable clamscan.timer
systemctl start clamscan.timer
Running systemctl list-timers shows the active systemd timers.
And that’s it. Now clamav will scan the /home partition once a week, delete infected files and log its activity to clamd.log 🙂 .
Posted: April 13, 2014 under articles.
Tags: clamav, Linux, systemd
Comments: none
Berlin, the first city with its own TLD
The top-level domain .BERLIN publicly was made available for domain registration earlier this week. This makes Berlin the first city in the world to have its own top-level domain. Until now, most German businesses and organizations used Germany’s .DE TLD but it is now possible for local companies and Berlin residents to register an internet addresses under .BERLIN instead. This makes it easier for people to tell where a business is located.
If it doesn’t exist already, I would like to see a .BEIRUT as it may encourage more local businesses to make an online presence outside social media.
Posted: March 23, 2014 under articles.
Tags: Internet
Comments: none
Banks to pay for extended Windows XP support
In today’s news, the internet is outraged at big banks such as HSBC for claiming they can pay Microsoft a lot of money to extend support for the embedded edition of windows XP which powers their ATMs. Current extended support is scheduled to end this April.
By “the internet”, I mean people who read a lot of useless articles on the internet and comment on them…you know…like myself!
Posted: March 15, 2014 under articles.
Tags: Funny
Comments: none
Recent Comments