Tag Archives: Wordpress

WordPress Comment Spam

2014-Oct-06

Not only are bots trying to beat on sshd, but they were also annoying me with comment spam.

Only 4 attempts per hour to talk to sshd so far.  That will pick up.

$ uptime && iptables -vnL | grep tcp\ dpt\:22
11:29:15 up 18:45,  1 user,  load average: 0.00, 0.01, 0.05
74  3456 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Inspired by http://mywifequitherjob.com/how-to-prevent-comment-spam-from-crashing-your-wordpress-blog-and-taking-down-your-server/, I installed the Cookies for Comments WordPress plugin and made one tweak to my lighttpd.conf:

# Comment and login handlers: only reachable when the plugin's cookie is present.
# Dots are escaped so the patterns match a literal ".php"; the trailing .*$
# lets a query string through to the same rule.
$HTTP["url"] =~ "^/wp-comments-post\.php.*$" {
	$HTTP["cookie"] !~ ".*f88ca0021aa9ade19e8258a9d4637c66.*" {
		url.access-deny = ( "" )
	}
}
$HTTP["url"] =~ "^/wp-login\.php.*$" {
	$HTTP["cookie"] !~ ".*f88ca0021aa9ade19e8258a9d4637c66.*" {
		url.access-deny = ( "" )
	}
}
# xmlrpc.php: denied for everyone, cookie or not.
$HTTP["url"] =~ "^/xmlrpc\.php.*$" {
	url.access-deny = ( "" )
}

That’s the real cookie value for this site; this is what it’s for if you see it in your cookie list, and you can see where it shows up in the source code of this page.  Bonus points: after seeing some log entries for a few of these, I realized it would also work against simple brute-force login robots.  Scope creep as a feature!

If you are trying to GET/POST the comments .php file AND you don’t have this cookie value set, then you go straight to 403 Forbidden.  Do not load PHP and jam up system resources, do not try to show a nice error message.

Will now go open up comments the way I wanted to originally and wait and see if this means problem solved or at least significantly reduced.

Future development, if it becomes more of a problem: Fail2ban, perhaps working with an iptables tarpit.
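As an added illustration (my own code, not from the post or from the Cookies for Comments plugin), here is the same three-rule policy written out in Python, plus a small reader for lighttpd's default accesslog format that counts how many requests the gate refused per client address. The log lines are constructed for the example with RFC 5737 test addresses; the post does not give the cookie's name, so the example only checks that the value appears somewhere in the Cookie header, exactly as the lighttpd rule does; the names gate() and summarize() are mine.

```python
import re
from collections import Counter

# Cookie value copied from the post's lighttpd.conf.  The cookie *name* is
# whatever the Cookies for Comments plugin chose; the rule ignores it.
COMMENT_COOKIE = "f88ca0021aa9ade19e8258a9d4637c66"

# The three path rules from the lighttpd snippet, dots escaped so they match
# a literal ".php".  $HTTP["url"] carries the query string too, hence a prefix
# match rather than a full-string one.
GATED_PATHS = re.compile(r"^/(wp-comments-post|wp-login)\.php")
BLOCKED_PATHS = re.compile(r"^/xmlrpc\.php")


def gate(path: str, cookie_header: str = "") -> int:
    """Status lighttpd answers before PHP is ever started.

    403 means denied at the web server.  200 here only means "handed to PHP";
    whatever PHP then replies (200, a 302 after a login, ...) is not modelled.
    """
    if BLOCKED_PATHS.match(path):
        return 403                       # xmlrpc.php: always denied
    if GATED_PATHS.match(path) and COMMENT_COOKIE not in cookie_header:
        return 403                       # no cookie -> no PHP, straight 403
    return 200


# Constructed accesslog lines in lighttpd's default (Apache combined) format,
# using RFC 5737 test addresses; not taken from any real log.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2014:11:30:02 -0400] "POST /wp-comments-post.php HTTP/1.1" 403 345 "-" "Mozilla/4.0"
203.0.113.7 - - [06/Oct/2014:11:30:03 -0400] "POST /wp-login.php HTTP/1.1" 403 345 "-" "Mozilla/4.0"
198.51.100.23 - - [06/Oct/2014:11:31:10 -0400] "POST /xmlrpc.php HTTP/1.0" 403 345 "-" "-"
192.0.2.44 - - [06/Oct/2014:11:32:00 -0400] "GET /2014/10/some-post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Oct/2014:11:32:41 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/2014/10/some-post/" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD path protocol", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def summarize(log_text: str) -> dict:
    """Count requests the gate refused (per client IP) versus requests to the
    same gated paths that did reach PHP.  Per-IP refusal counts are what a
    fail2ban filter would key on."""
    denied = Counter()
    reached_php = 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not (GATED_PATHS.match(path) or BLOCKED_PATHS.match(path)):
            continue                     # ordinary page view, not of interest
        if m.group("status") == "403":
            denied[m.group("ip")] += 1
        else:
            reached_php += 1
    return {"denied_by_ip": dict(denied), "reached_php": reached_php}


if __name__ == "__main__":
    # A direct POST with no cookie never reaches PHP ...
    print(gate("/wp-comments-post.php"))                                      # 403
    # ... while a browser that picked the cookie up on the page view does.
    print(gate("/wp-comments-post.php?x=1", "some_cookie=" + COMMENT_COOKIE))  # 200
    print(summarize(SAMPLE_LOG))
```

Running the file prints 403 for a bare POST to wp-comments-post.php and 200 for one carrying the cookie, and summarize() reports two refusals from one address and one from another, the per-address count a fail2ban jail would act on. Note what the rule does and does not check: any request with the token anywhere in its Cookie header passes, so this is a cheap filter for bots that never load the page, not an authentication step.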

Migrating WordPress blog to a new VPS

2014-Oct-06

Lesson learned:  stay away from service providers who try to be everything.

If the service provider thinks that being a domain name registrar, DNS host, web host, and email hosting are all one and the same “hosting” – R U N   A W A Y.   If you don’t – then you deserve everything you get, with interest.  Including the extra advertising popup you are forced to step past in order to actually get into your account control panels.

The experiment to try a blog at a hosting company only lasted 4 months.

In the end, it took one SSL certificate to do them in.  Their automation broke because they don’t host email for my domain, and some really bizarre ideas came up after their customer support discovered that they also didn’t host my DNS.  Part of the extra confusion is my responsibility: I have a tendency to tell tech support people too much, and they have a tendency to focus intently on a detail that is most likely irrelevant to the issue at hand.

When compared to the hosted solution and the amount of effort I spent trying to communicate with customer service, it turns out I can spend less effort and, actually, fewer dollars managing my own VPS.  While the initial set-up effort is much higher, the ongoing maintenance effort is less and much more satisfying than dealing with confused support and still getting nowhere.

Anybody with a bit of whois-fu can dig up that the new provider is RamNode,  well reviewed at http://lowendbox.com/.   I even get much better latency from home to Seattle than Boston.

It’s much much too early to form an opinion about them because nothing’s gone wrong yet.

Migrating WordPress to a VPS

Get the VPS going

WordPress modifications

2014-May-19

Trying a hosted blog for things I may want to refer to later and things that I want to share. Needed something with a proper backend – mostly for tagging and menu interfacing – and with an easy-enough-to-use interface that it doesn’t impede putting out the content I want to.

The initial temptation was to fire up a new VPS, install all the individual packages, and really get it tweaked in exactly the way I wanted. Instead I’m trying a hosted platform, and only doing easy tweaks to it.

Internet items without a timestamp on them are almost as annoying as ones that use an ambiguous date format.

Modified content.php, added:

<?php echo get_the_date('Y-M-d H:i D'); ?>

Then later changed it to:

<?php echo get_the_date('Y-M-d'); ?>

Since the date/time is now at the top, also modify functions.php – function twentytwelve_entry_meta():
*2014-10-05: this is no longer the case; I didn’t make this change with the change in hosts.

if ( $tag_list ) {
	$utility_text = __( 'This entry was posted in %1$s and tagged %2$s on %3$s<span class="by-author"> by %4$s</span>.', 'twentytwelve' );
} elseif ( $categories_list ) {
	$utility_text = __( 'This entry was posted in %1$s on %3$s<span class="by-author"> by %4$s</span>.', 'twentytwelve' );
} else {
	// The date is already shown at the top of the post, so the "posted on" line is dropped.
	// $utility_text = __( 'This entry was posted on %3$s<span class="by-author"> by %4$s</span>.', 'twentytwelve' );
	$utility_text = ''; // keep the variable defined for the code below that prints it
}