
Embracing Wordpress - If you can’t beat’em, join’em

Tellinya.com is relocating

I'll be moving in here. I'm branding my domain and my 'name' and starting fresh here with a new blog. Slowly I'll start forwarding pages on the old blog here but, first things first. Do update your feeds and start grabbing the new juice from here.

I've finally moved to Wordpress

It had to be done as my previous blog's control panel was just a bit better than by hand SQL management. On the other hand Wordpress has the all pretty and widgety Control Panel and themes and it makes things a lot easier.

I decided to give Wordpress a chance but first had to fix the major problems it has: duplicate content issues and security vulnerabilities. I installed it on another domain a couple of days ago and already had a dumb fk trying to sql blindfish his way into it. I know the method ... used it a lot on Wp2.1.x. But the event was unacceptable and I had to add an unobtrusive extra layer of protection to the Wordpress core. No democracy here!

Introducing the Wordpress 5hield

I've pretty much overcome all the problems creating The 5hield! It is nothing fancy ... being modest here ... but a script that resides between the server and all the Wordpress PHP files and applies some rules before it grants Wordpress access to take over and produce the output. Try to access my /wp-admin or /wp-rss.php to see what I'm talking about. Also add a query string to any page (?s= works as that's search) and see how it goes. Had to disable query strings from working except a few that have to stay enabled and I'll be tweaking things along the way.
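The gate described above, as an added example that is not the 5hield's own code: a small PHP file that the interpreter loads before any WordPress file when php.ini's auto_prepend_file points at it. It refuses the two paths the post names, drops every query parameter that is not on an allow-list (the way ?s= stays enabled while the rest are switched off), and only then lets WordPress run. The file path, the list of allowed parameters and the trusted address are assumptions for the sake of the example.

```php
<?php
// Added example, not the 5hield's own code: a request gate that PHP loads
// before every WordPress file when php.ini (or .user.ini) points at it:
//   auto_prepend_file = /var/www/shield.php      ; path is an assumption
// It refuses the paths the post locks down, keeps only allow-listed query
// parameters, and then hands the cleaned request over to WordPress.

// Paths anonymous visitors never need (the post names these two).
const SHIELD_DENIED_PREFIXES = ['/wp-admin', '/wp-rss.php'];

// Query parameters public pages still need; ?s= is the search box. The
// other names are an assumption, extend the list for your own templates.
const SHIELD_ALLOWED_PARAMS = ['s', 'p', 'paged', 'feed', 'cat', 'tag'];

// Addresses that bypass the gate (the admin's own). Constructed value.
const SHIELD_TRUSTED_IPS = ['203.0.113.10'];

/**
 * Decide what happens to one request.
 * Returns ['action' => 'deny', 'reason' => ...] or
 *         ['action' => 'allow', 'query' => <cleaned copy of $_GET>].
 */
function shield_evaluate(string $uri, array $query, string $remote_ip): array
{
    if (in_array($remote_ip, SHIELD_TRUSTED_IPS, true)) {
        return ['action' => 'allow', 'query' => $query];
    }

    // Compare the decoded path so %77p-admin is treated like wp-admin.
    $path = parse_url($uri, PHP_URL_PATH);
    $path = is_string($path) ? rawurldecode($path) : '/';
    foreach (SHIELD_DENIED_PREFIXES as $prefix) {
        if (strncasecmp($path, $prefix, strlen($prefix)) === 0) {
            return ['action' => 'deny', 'reason' => "$prefix is not public"];
        }
    }

    // Allow-list by key instead of trying to recognise every bad value:
    // a parameter WordPress was never meant to see is simply dropped.
    $clean = [];
    foreach ($query as $key => $value) {
        if (is_string($value) && in_array($key, SHIELD_ALLOWED_PARAMS, true)) {
            $clean[$key] = $value;
        }
    }
    return ['action' => 'allow', 'query' => $clean];
}

// Run the gate only under a web server so the file can also be required
// from a CLI script to exercise shield_evaluate() directly.
if (PHP_SAPI !== 'cli') {
    $decision = shield_evaluate(
        $_SERVER['REQUEST_URI'] ?? '/',
        $_GET,
        $_SERVER['REMOTE_ADDR'] ?? ''
    );

    if ($decision['action'] === 'deny') {
        error_log('shield: denied ' . ($_SERVER['REQUEST_URI'] ?? '/') . ': ' . $decision['reason']);
        http_response_code(403);
        header('Content-Type: text/plain');
        echo "Forbidden\n";
        exit;
    }

    // Rewrite the superglobals WordPress reads; unknown parameters are gone.
    $_GET                    = $decision['query'];
    $_REQUEST                = array_merge($_POST, $_GET);
    $_SERVER['QUERY_STRING'] = http_build_query($_GET);
}
```

Because the file runs before WordPress is loaded, a refused request never reaches the database or the theme, which is what keeps the overhead low. Allow-listing parameter names rather than pattern-matching their values means a new probe does not need a new rule; the price is that every plugin that reads its own query parameter has to be added to the list.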

The plugins - I love the plugins

I also wrote a bunch of plugins for Wordpress that do magic. Spent my last 3 days writing plugins. Made a few but the coolest is the cookie 5tuffing plugin. It's insane. I had this technique implemented in many of my sites but the Wordpress Widgets and MetaBoxes made porting so easy. I'm currently working on a cloaking plugin and other 'cute' tools.

I'll share some of my Wordpress Plugins right here as I'm pretty sure most of you could use them :) So stick around, writing is easier now and it will happen more often than before. Still got some things to nail out with Wordpress and write plugins to fix those things for me. Don't even tell me my plugins are already made and available for free. I always roll my own.

The downside of Fancy Wordpress

One thing pi$$es me off real bad. The control panel loads like sheet. It's slow, compared to what I'm used to, it's really slow, even loading it locally. It's the price we gotta pay for the blings.

Btw ... I'm using WP2.7 ;) Don't try to hack it. And have mercy with this butchered theme. I'm making my own right now but it's still cooking. Meanwhile, deal with this one :)

Category: Ramblings

7 Responses

  1. Here are some commands that you can add to your apache config file if you have mod_rewrite enabled to lock it down even further with pretty low overhead:

    # Conditions only take effect through a RewriteRule; the one at the end
    # answers 403 Forbidden as soon as any condition matches.
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
    RewriteRule ^(.*)$ - [F,L]

    • 5ubliminal says:

      These do look like the ones. Especially the query strings are indeed the ones used for evil. I know them intimately ;)
      But instead of adding them to htaccess I’ll add them to the 5hield’s rules.

      Thanks.

      PS: The initial HEAD may be a problem by blocking trackbacks and such. The XMLRPC address is discovered using HEAD to avoid full page loads.
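An added example, mine rather than the commenter's or the 5hield's: the conditions above rewritten as PCRE patterns so they can be tried against constructed requests from the command line before they go live. The request samples are made up for the example; the last one exercises the caveat in the reply, a HEAD request of the kind used to discover the XML-RPC endpoint, and the "search for a host name" sample shows what the dot rule on the query string does to an ordinary search.

```php
<?php
// Added example (not the commenter's or the 5hield's code): the RewriteCond
// lines above as PCRE patterns, one [variable, pattern] pair per condition,
// case-insensitive like the [NC] flag. Run with: php check_rules.php
$rules = [
    ['REQUEST_METHOD',  '/^(HEAD|TRACE|DELETE|TRACK)/i'],
    ['THE_REQUEST',     '/(\r|\n|%0A|%0D)/i'],
    ['HTTP_REFERER',    '/(<|>|\'|%0A|%0D|%27|%3C|%3E|%00)/i'],
    ['HTTP_COOKIE',     '/(<|>|\'|%0A|%0D|%27|%3C|%3E|%00)/i'],
    ['REQUEST_URI',     '/^\/(,|;|:|<|>|">|"<|\/|\\\\\.\.\\\\)/i'],
    ['HTTP_USER_AGENT', '/^$/'],
    ['HTTP_USER_AGENT', '/^(java|curl|wget)/i'],
    ['HTTP_USER_AGENT', '/(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner)/i'],
    ['HTTP_USER_AGENT', '/(libwww-perl|curl|wget|python|nikto|scan)/i'],
    ['HTTP_USER_AGENT', '/(<|>|\'|%0A|%0D|%27|%3C|%3E|%00)/i'],
    ['QUERY_STRING',    '/(;|<|>|\'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(\/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)/i'],
    ['QUERY_STRING',    '/(localhost|loopback|127\.0\.0\.1)/i'],
    ['QUERY_STRING',    '/\.[A-Za-z0-9]/'],
    ['QUERY_STRING',    '/(<|>|\'|%0A|%0D|%27|%3C|%3E|%00)/i'],
];

/** Index of the first condition that matches, or null when the request passes. */
function first_blocking_rule(array $rules, array $request): ?int
{
    foreach ($rules as $i => [$var, $pattern]) {
        // mod_rewrite sees an absent header as the empty string, so do we.
        if (preg_match($pattern, $request[$var] ?? '') === 1) {
            return $i;
        }
    }
    return null;
}

// Constructed requests; none of them comes from a real log.
$base = [
    'REQUEST_METHOD'  => 'GET',
    'THE_REQUEST'     => 'GET / HTTP/1.1',
    'HTTP_REFERER'    => '',
    'HTTP_COOKIE'     => '',
    'REQUEST_URI'     => '/',
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/3.0',
    'QUERY_STRING'    => '',
];
$samples = [
    'normal page view'           => $base,
    'blog search'                => ['REQUEST_URI' => '/?s=shield', 'QUERY_STRING' => 's=shield'] + $base,
    'search for a host name'     => ['REQUEST_URI' => '/?s=example.com', 'QUERY_STRING' => 's=example.com'] + $base,
    'quote then UNION in query'  => ['REQUEST_URI' => '/?p=1%27%20union%20select%201', 'QUERY_STRING' => 'p=1%27%20union%20select%201'] + $base,
    'empty user agent'           => ['HTTP_USER_AGENT' => ''] + $base,
    'HEAD for XML-RPC discovery' => ['REQUEST_METHOD' => 'HEAD', 'THE_REQUEST' => 'HEAD /xmlrpc.php HTTP/1.1', 'REQUEST_URI' => '/xmlrpc.php'] + $base,
];

foreach ($samples as $label => $request) {
    $hit = first_blocking_rule($rules, $request);
    printf("%-28s %s\n", $label,
        $hit === null ? 'allowed' : 'blocked by condition ' . ($hit + 1) . ' (' . $rules[$hit][0] . ')');
}
```

Run as written, the first two samples are allowed, the quote-plus-UNION query is refused by condition 11, the empty user agent by condition 6 and the HEAD request by condition 1. The host-name search is refused by condition 13, because `\.[A-Za-z0-9]` matches any dot followed by a letter or digit anywhere in the query string; that is worth knowing before copying the set onto a site whose search box sees URLs or file names. Extending the table with a few requests from your own access log is the cheapest way to find out which of the conditions would hit real readers.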

  2. look forward to seeing your ideas on security of wp man, I think everyone knows it's got its holes - and the new layout will hopefully be streamlined a bit because its slowness is slowing me down too!

    • 5ubliminal says:

      I’m currently doing WP Discovery :) Writing plugins to share code easily inside posts and so on.
      Wordpress's glory stands in its Admin Panel but that's where the slowness is also.

  3. Burton says:

    Hi,

    I was looking for the XMLRPC code from your old blog (post 174). I’d like to be able to post to blogs/sites using XMLRPC, and this code would be awful handy. Any chance you’ll share it in the near future?

    Thanks!

    B

    • 5ubliminal says:

      It will be for sale for a small fee … maybe right after Easter.
      A very updated and fixed version. It’s a money script and it’s not free anymore.

  4. Burton says:

    Sounds good. I’m subscribed to your feed so just make a post.