Forum Replies Created

Viewing 13 replies - 1 through 13 (of 13 total)
  • Thread Starter soober99

    (@soober99)

    This problem has continued and even amped up recently, with a new twist!
    The attempts to log-in are showing that they’re coming from MY IP address?
    Ug. I didn’t notice this and added the range to my blacklist and now I’m locked out. I logged into my site via ftp and restored the backup .htaccess file and I’m still locked out.

    So two problems
    – the barrage of failed login attempts from potential hackers and
    – getting back into my wordpress without having to wait several days (I made the lockdown period loooong in hope of slowing the onslaught).

    Any help most appreciated.
    Sue

    Thread Starter soober99

    (@soober99)

    I’m confused about how this sheds light on the issue I’ve been trying to solve for quite some time now: the rules are currently NOT protecting my site and I’m trying to figure out why and how to fix it.

    One solution proposed by my ISP support is to start from scratch with the .htaccess file and methodically add in the rules to see what is causing the blacklist to fail (it appears to do nothing as described when I followed the suggestion to blacklist my own IP address).

    I’d like to try this systematic approach, but I’m a bit out of my depth.

    Thread Starter soober99

    (@soober99)

    ok, I’ve pasted their reply below.

    `My first suggestion would be to only use the .htaccess file inside the ‘content’ folder. Since .htaccess file rules apply to the directory that they live in, as well as all other sub-directories, it can happen that two or more .htaccess files are conflicting with one another. To verify this, try disabling each additional .htaccess file outside of the ‘content’ folder.

    Next, certain .htaccess rules may be sensitive to where they are located within the .htaccess file and therefore cause an .htaccess not working issue. If upon adding an .htaccess rule you notice that it is not taking effect, try moving it above the previous rule or to the very beginning of your file.

    Finally, your existing .htaccess file might have some bad syntax or other error. So depending on previous changes it might also be beneficial to start with a clean simplified .htaccess file containing just the basics of your WordPress sub-directory install and your security plugin changes.`

    I’d done the first thing they suggest which is to disable the .htaccess in the wordpress install directory (and copied that file one level up into the content dir). Note this is gonna make any changes created by WP plug-ins a chore to update manually.

    The other two suggestions entail venturing out of my wheelhouse! There is a lot of stuff in the current .htaccess file created by All In One WP Security.

    I’m including it in its entirety here:

    
    # BEGIN All In One WP Security
    #AIOWPS_BASIC_HTACCESS_RULES_START
    <Files .htaccess>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    ServerSignature Off
    LimitRequestBody 10485760
    <Files wp-config.php>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    #AIOWPS_BASIC_HTACCESS_RULES_END
    #AIOWPS_PINGBACK_HTACCESS_RULES_START
    <Files xmlrpc.php>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    #AIOWPS_PINGBACK_HTACCESS_RULES_END
    #AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_START
    <Files debug.log>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    #AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_END
    #AIOWPS_DISABLE_INDEX_VIEWS_START
    Options -Indexes
    #AIOWPS_DISABLE_INDEX_VIEWS_END
    #AIOWPS_DISABLE_TRACE_TRACK_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    </IfModule>
    #AIOWPS_DISABLE_TRACE_TRACK_END
    #AIOWPS_FORBID_PROXY_COMMENTS_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^POST
    RewriteCond %{HTTP:VIA} !^$ [OR]
    RewriteCond %{HTTP:FORWARDED} !^$ [OR]
    RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
    RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
    RewriteCond %{HTTP:X_FORWARDED_HOST} !^$ [OR]
    RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
    RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
    RewriteRule wp-comments-post\.php - [F]
    </IfModule>
    #AIOWPS_FORBID_PROXY_COMMENTS_END
    #AIOWPS_SIX_G_BLACKLIST_START
    # 6G FIREWALL/BLACKLIST
    # @ https://perishablepress.com/6g/
    
    # 6G:[QUERY STRINGS]
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
    RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
    RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
    RewriteCond %{QUERY_STRING} ('|\")(.*)(drop|insert|md5|select|union) [NC]
    RewriteRule .* - [F]
    </IfModule>

    # 6G:[REQUEST METHOD]
    <IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
    RewriteRule .* - [F]
    </IfModule>

    # 6G:[REFERRERS]
    <IfModule mod_rewrite.c>
    RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000,}) [NC,OR]
    RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
    RewriteRule .* - [F]
    </IfModule>

    # 6G:[REQUEST STRINGS]
    <IfModule mod_alias.c>
    RedirectMatch 403 (?i)([a-z0-9]{2000,})
    RedirectMatch 403 (?i)(https?|ftp|php):/
    RedirectMatch 403 (?i)(base64_encode)(.*)(\()
    RedirectMatch 403 (?i)(=\'|=\%27|/\'/?)\.
    RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&?)/?$
    RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\"\\")
    RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\|\s|\{|\}|\[|\]|\|)
    RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
    RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
    RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
    RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
    </IfModule>

    # 6G:[USER AGENTS]
    <IfModule mod_setenvif.c>
    SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot
    SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot

    # Apache < 2.3
    <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
    #AIOWPS_IP_BLACKLIST_2_3_START
    Deny from 185.119.81.0/24
    Deny from 202.164.60.0/24
    #AIOWPS_IP_BLACKLIST_2_3_END

    </IfModule>

    # Apache >= 2.3
    <IfModule mod_authz_core.c>
    <RequireAll>
    Require all Granted
    Require not env bad_bot
    #AIOWPS_IP_BLACKLIST_2_4_START
    Require not ip 185.119.81.0/24
    Require not ip 202.164.60.0/24
    #AIOWPS_IP_BLACKLIST_2_4_END

    </RequireAll>
    </IfModule>
    </IfModule>
    #AIOWPS_SIX_G_BLACKLIST_END
    #AIOWPS_FIVE_G_BLACKLIST_START
    # 5G BLACKLIST/FIREWALL (2013)
    # @ http://perishablepress.com/5g-blacklist-2013/

    # 5G:[QUERY STRINGS]
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{QUERY_STRING} (\"|%22).*(<|>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (\\|\.\./|`|='$|=%27$) [NC,OR]
    RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC]
    RewriteRule .* - [F]
    </IfModule>

    # 5G:[USER AGENTS]
    <IfModule mod_setenvif.c>
    # SetEnvIfNoCase User-Agent ^$ keep_out
    SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
    <limit GET POST PUT>
    Order Allow,Deny
    Allow from all
    Deny from env=keep_out
    </limit>
    </IfModule>

    # 5G:[REQUEST STRINGS]
    <IfModule mod_alias.c>
    RedirectMatch 403 (https?|ftp|php)\://
    RedirectMatch 403 /(https?|ima|ucp)/
    RedirectMatch 403 /(Permanent|Better)$
    RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
    RedirectMatch 403 (\,|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
    RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
    RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
    RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
    RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
    RedirectMatch 403 \.well\-known/host\-meta
    RedirectMatch 403 /function\.array\-rand
    RedirectMatch 403 \)\;\$\(this\)\.html\(
    RedirectMatch 403 proc/self/environ
    RedirectMatch 403 msnbot\.htm\)\.\_
    RedirectMatch 403 /ref\.outcontrol
    RedirectMatch 403 com\_cropimage
    RedirectMatch 403 indonesia\.htm
    RedirectMatch 403 \{\$itemURL\}
    RedirectMatch 403 function\(\)
    RedirectMatch 403 labels\.rdf
    RedirectMatch 403 /playing.php
    RedirectMatch 403 muieblackcat
    </IfModule>

    # 5G:[REQUEST METHOD]
    <ifModule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    </IfModule>
    #AIOWPS_FIVE_G_BLACKLIST_END
    #AIOWPS_PREVENT_IMAGE_HOTLINKS_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(.*)?\.sueborchardt\.com/sueBlog [NC]
    RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
    </IfModule>
    #AIOWPS_PREVENT_IMAGE_HOTLINKS_END
    # END All In One WP Security

    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /sueBlog/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /sueBlog/index.php [L]
    </IfModule>

    # END WordPress
    `

    Thread Starter soober99

    (@soober99)

    Followed steps and was still able to log in using a private browser after adding my IP address using Blacklist manager.
    I also confirmed the .htaccess file had been edited with my IP address added.

    Sooooo, I went looking on my server to make sure there was only one .htaccess and it turns out there IS more than one.

    The wordpress .htaccess that appears to be updated is in the folder:
    /www.sueborchardt.com/web/content/sueBlog (this is where my wordpress is installed)

    But I also found an .htaccess file in /www.sueborchardt.com/web/content
    So, I copied the one from the wordpress dir into this spot and it still lets me log in from my IP address.

    Is the next step to put in a support request with my webhost?
    Many thanks,
    Sue

    Thread Starter soober99

    (@soober99)

    I just noticed this was marked as resolved but it is anything but! (so I unresolved it).
    I am still getting regular user lockout messages from the same domain range.
    Is there really no way to get the .htaccess IP range to do its thing?

    • This reply was modified 3 years, 10 months ago by soober99.
    Thread Starter soober99

    (@soober99)

    ug — yes, the issue persists. I got a couple more last night:

    A lockdown event has occurred due to too many failed login attempts or invalid username:
    Username: 30
    IP Address: 185.119.81.106
    
    IP Range: 185.119.81.*
    Thread Starter soober99

    (@soober99)

    Thanks for the careful read.
    I will cut and paste from various sources to make sure I don’t make any typos:

    in a recent lockdown email I’m seeing IP Address: 185.119.81.107
    in blacklist manager I’ve got 185.119.81.*
    and in the .htaccess file I’ve got: Require not ip 185.119.81.0/24

    So it looks like the typo was in my forum posts only.

    Note: I haven’t had a lockdown event since Tuesday when I checked the disable pingback box as you suggested. Wondering if that fixed it.
    I’ve had multi-day gaps before where I think I’ve succeeded.

    Will follow-up if I get another from same IP range.

    Many thanks,
    Sue
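The comparison made by hand in the post above (lockdown-email address vs. Blacklist Manager wildcard vs. the `Require not ip` line) can be scripted. This is an added example, not part of the original posts and not the plugin's own code; the function names are hypothetical, the sample text is constructed from the blacklist sections posted in this thread, and the wildcard-to-CIDR mapping is an assumption based on the `185.119.81.*` / `185.119.81.0/24` pair shown there.

```python
import ipaddress
import re

# Constructed sample: the two blacklist sections of the .htaccess posted in this thread.
SAMPLE_HTACCESS = """\
Deny from env=bad_bot
#AIOWPS_IP_BLACKLIST_2_3_START
Deny from 185.119.81.0/24
Deny from 202.164.60.0/24
#AIOWPS_IP_BLACKLIST_2_3_END
Require not env bad_bot
#AIOWPS_IP_BLACKLIST_2_4_START
Require not ip 185.119.81.0/24
Require not ip 202.164.60.0/24
#AIOWPS_IP_BLACKLIST_2_4_END
"""

# Apache 2.2 ("Deny from") and 2.4 ("Require not ip") deny syntax.
RULE = re.compile(r"^\s*(?:Require\s+not\s+ip|Deny\s+from)\s+(\S+)", re.IGNORECASE)


def wildcard_to_network(entry):
    """Turn '185.119.81.*', a CIDR block or a single IP into an ip_network.

    Assumption: a trailing-wildcard entry means the matching /8, /16 or /24.
    """
    octets = entry.split(".")
    if "*" in octets:
        fixed = octets[:octets.index("*")]
        trailing = octets[len(fixed):]
        if len(octets) != 4 or not fixed or any(o != "*" for o in trailing):
            raise ValueError("unsupported wildcard: " + entry)
        entry = ".".join(fixed + ["0"] * (4 - len(fixed))) + "/" + str(8 * len(fixed))
    return ipaddress.ip_network(entry, strict=False)


def blocked_networks(htaccess_text):
    """Collect every IP range denied by the file; skip non-IP rules (env=...)."""
    networks = set()
    for line in htaccess_text.splitlines():
        match = RULE.match(line)
        if not match:
            continue
        try:
            networks.add(wildcard_to_network(match.group(1)))
        except ValueError:
            continue  # e.g. "Deny from env=bad_bot"
    return networks


def matching_rules(ip, networks):
    """Return the denied ranges (as strings) that contain this address."""
    addr = ipaddress.ip_address(ip)
    return sorted(str(net) for net in networks if addr in net)


if __name__ == "__main__":
    nets = blocked_networks(SAMPLE_HTACCESS)
    for ip in ("185.119.81.106", "185.119.81.107", "185.118.81.106"):
        print(ip, "->", matching_rules(ip, nets) or "not covered by any rule")
```

A match here only confirms the range syntax covers the address; whether Apache actually applies that file to the login request is a separate check.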

    Thread Starter soober99

    (@soober99)

    Thanks so much for taking the time to reply.
    I might not have made it clear in my original post but in the blacklist manager I have entered the wildcard as you suggested (in my case 185.118.81.* is the source of all the lockdown events I’m getting).

    I also posted the resulting contents of my .htaccess file (presumably as a result of the action I took in the blacklist manager).
    Note that even though the blacklist manager shows a wildcard, the htaccess file does not.
    Can I just go in and edit the .htaccess file directly?
    Many thanks,
    Sue

    Thread Starter soober99

    (@soober99)

    I had already checked the box labeled: Check this if you are not using the WP XML-RPC functionality and you want to completely block external access to XMLRPC

    I just checked the other as well but the help text seems to say that you’d use one or the other of these features. Dunno, that’s over my head.

    Btw, I also enabled some simple math captcha and I’m still getting these lockouts so guessing this is someone trying to get in by hand (i.e. not a bot).

    They are all from the same IP range though. I guess I’m still a bit surprised that there is no way to block an IP range. Is this correct?

    Thread Starter soober99

    (@soober99)

    thank you Michael!
    Your hints were enough to get the whole parallax thing working.
    I feel like a dolt, but the trick was just to select static page on the Homepage Options and then the menus showed up. I already had a bunch of published pages created, but only once I selected two existing pages for home and posts did the Theme Options item appear in the Theme customizer.
    (for others who stumble on this… just clicking on the customizer from anywhere shows the Theme Options — don’t need to be on a page)

    Sadly, it looks like all my embeds are broken in the posts area now so not sure I’m gonna stick with the theme. The posts only show up as text summaries. Since most of my posts are just embedded vimeo vids it’s pretty underwhelming.

    Thanks again for getting me unstuck

    Thread Starter soober99

    (@soober99)

    and another update:
    I’m focusing on website#2 right now: http://www.contemplatethis.org since my host support team got website #1 up (though I still can’t log into the dashboard!).

    I did a FRESH wordpress install of latest version (5.0.3) and still unable to load.

    Getting the following in the php_errors.log
    [17-Feb-2019 23:00:07 UTC] PHP Deprecated: __autoload() is deprecated, use spl_autoload_register() instead in /mnt/stor9-wc1-dfw1/652629/665799/www.contemplatethis.org/web/content/wordpress/wp-includes/compat.php on line 502
    [17-Feb-2019 23:00:07 UTC] PHP Deprecated: Function create_function() is deprecated in /mnt/stor9-wc1-dfw1/652629/665799/www.contemplatethis.org/web/content/wordpress/wp-includes/pomo/translations.php on line 208
    [17-Feb-2019 23:00:07 UTC] PHP Warning: Cannot modify header information - headers already sent by (output started at /mnt/stor9-wc1-dfw1/652629/665799/www.contemplatethis.org/web/content/wordpress/wp-includes/compat.php:502) in /mnt/stor9-wc1-dfw1/652629/665799/www.contemplatethis.org/web/content/wordpress/wp-includes/pluggable.php on line 1210

    Thread Starter soober99

    (@soober99)

    a bit more on this: my hosting company got the site#1 loading but I’m still not able to log in. I get this error in the php_errors.log file when attempting to access the WP control panel:
    [17-Feb-2019 16:33:43 UTC] PHP Fatal error: Uncaught Error: Cannot create references to/from string offsets in /mnt/stor9-wc1-dfw1/652629/665799/www.sueborchardt.com/web/content/sueBlog/wp-includes/user.php:54
    Stack trace:
    #0 /mnt/stor9-wc1-dfw1/652629/665799/www.sueborchardt.com/web/content/sueBlog/wp-login.php(770): wp_signon('', '')
    #1 {main}
    thrown in /mnt/stor9-wc1-dfw1/652629/665799/www.sueborchardt.com/web/content/sueBlog/wp-includes/user.php on line 54

    The second site appears to have WP_DEBUG turned ON (according to my helper at my host) but I have no idea how this would have happened!
    Is there a way to manually turn it off? I assume there’s a way to do this via the WP control panel, but I can’t log into that on site#2 either. When I try to bring up the login page I get this:
    Deprecated: __autoload() is deprecated, use spl_autoload_register() instead in /mnt/stor9-wc1-dfw1/652629/665799/www.contemplatethis.org/web/content/wordpress/wp-includes/compat.php on line 502

    Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Alizee_Recent_Posts has a deprecated constructor in /mnt/stor9-wc1-dfw1/652629/665799/www.contemplatethis.org/web/content/wordpress/wp-content/themes/alizee/widgets/recent-posts.php on line 3

    Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Alizee_Video_Widget has a deprecated constructor in /mnt/stor9-wc1-dfw1/652629/665799/www.contemplatethis.org/web/content/wordpress/wp-content/themes/alizee/widgets/video-widget.php on line 3

    Deprecated: Function create_function() is deprecated in /mnt/stor9-wc1-dfw1/652629/665799/www.contemplatethis.org/web/content/wordpress/wp-includes/pomo/translations.php on line 208

    Deprecated: Function create_function() is deprecated in /mnt/stor9-wc1-dfw1/652629/665799/www.contemplatethis.org/web/content/wordpress/wp-includes/pomo/translations.php on line 208

    Warning: Cannot modify header information - headers already sent by (output started at /mnt/stor9-wc1-dfw1/652629/665799/www.contemplatethis.org/web/content/wordpress/wp-includes/compat.php:502) in /mnt/stor9-wc1-dfw1/652629/665799/www.contemplatethis.org/web/content/wordpress/wp-includes/pluggable.php on line 1210

    I’ll keep banging away on this but would welcome hints and help.
    Sue

    Thread Starter soober99

    (@soober99)

    I checked my control panel and it’s set to
    Linux / Apache / PHP 7.2
    I think the change to PHP 7.2 happened automatically within the last couple days. I suspect that’s what caused everything to go south. In their defense, my hosting co sent out a notice of this months ago but I had no clue of the ramifications.

    I had my wordpress site setup to automatically update and near as I can tell the most recent auto update was in December to 4.0.25.

    Next step?

    Thanks so much for the reply!!
    Sue
