.htaccess Question

So hackers and wannabe-hackers probe sites for the presence of setup.php in various real and imagined and software-guessed directories.

How do I attack and/or block such probes via an .htaccess file?

Here are some code snippets I’ve seen across the Web:

<FILES setup.php>
Order allow,deny
Deny from all
</FILES>

RewriteRule ^(.*)setup\.php$ http://www.google.com/ [NC]

RewriteRule setup\.php$ http://www.google.com [NC,L]

RewriteRule setup\.php$ - [G]

RewriteRule setup\.php$ - [F]

If any of those work, which is the best?

And if there’s a better way than any of the above, what is it?

Thanks!

Update at 8:46 pm: At this point, I’m using

RewriteEngine On
# 403-Forbidden
RewriteRule setup\.php$ - [F]

Along with an order allow,deny set-up denying access to a huge pile of IPs out of China.
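
One way to confirm from the access log that the [F] rule in the update above answers every setup.php probe with a 403 and to see which clients are probing. This is an added example, not part of the original post; the log lines are constructed samples in Apache combined log format and the function name audit is hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Oct/2008:06:50:01 -0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 214 "-" "probe"
203.0.113.7 - - [18/Oct/2008:06:50:02 -0400] "GET /admin/setup.php?x=1 HTTP/1.1" 403 214 "-" "probe"
198.51.100.9 - - [18/Oct/2008:06:51:10 -0400] "GET /old/setup.php HTTP/1.1" 200 5120 "-" "probe"
198.51.100.9 - - [18/Oct/2008:06:51:11 -0400] "GET /index.php?page=setup.php HTTP/1.1" 200 900 "-" "probe"
192.0.2.44 - - [18/Oct/2008:06:52:00 -0400] "GET /about/ HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

# Captures: client IP, request method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Same pattern as the rule in use: setup\.php$ (no [NC], so case-sensitive)
PROBE_RE = re.compile(r'setup\.php$')

def audit(log_text):
    """Return (probe counts per IP, probes that were NOT answered with 403)."""
    per_ip = Counter()
    unblocked = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, _method, target, status = m.groups()
        # RewriteRule matches the URL path only, never the query string
        path = target.split("?", 1)[0]
        if not PROBE_RE.search(path):
            continue
        per_ip[ip] += 1
        if status != "403":
            unblocked.append((ip, path, int(status)))
    return per_ip, unblocked

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} setup.php probe(s)")
    for ip, path, status in leaks:
        print(f"NOT BLOCKED: {ip} {path} -> {status}")
```

Any "NOT BLOCKED" line means a request whose path ends in setup.php reached a handler, for example in a directory whose own .htaccess overrides the rewrite rules.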

WordPress Under Attack

Lorelle is urgently warning:

Otto42 of OttoDestruct, a key WordPress developer and supporter, reports that there is an “attack” on older versions of WordPress right now. The number of sites hit by this is growing every hour. Protect your WordPress blog now: UPDATE NOW!!!

Update your WordPress blog before you continue reading this post. That’s how critical this issue is.

If you blog with a private installation of WordPress, heed the warning. Update now.

Then read the rest of what Lorelle on WordPress has to say: Old WordPress Versions Under Attack.

Mark Ghosh of weblogtoolscollection weighs in as well:

Older versions of WordPress are being attacked and characters are being added to the permalinks. Sure signs of the attack include strange characters in your permalinks (single posts do not work) and an extra administrator account in the users control panel which you cannot see. Look for the administrator count in brackets at the top. Is the number there what you would expect on your blog?

Please upgrade your WordPress blog to the latest version ASAP. Our own PluginBlog was vulnerable and was compromised (shame on me for not having upgraded from a really old version). Our blog had registration turned off.

After upgrading your blog and changing your password to a strong one, you can visit Lorelle’s post to find more ways to secure your install and remove the extra admin account that might have been created as part of the attack.

If your WordPress blog is not hosted at wordpress.com — I urge you to update your installation. Now!

WordPress CSS Issue

I wonder if any of you in my “vast” audience are WordPress and/or CSS gurus.

Here’s the deal….

I have this in my stylesheet:

.quotes {
margin-left: auto; margin-right: auto; margin-top: 1em; text-align: center; padding:5px; border: 3px dotted red; background-color: pink;
}

When I use it like this, nothing happens:

<div class="quotes">Choose life</div>

Choose life

But when I put in all that info as a style like this, it works fine:

<div style="margin-left: auto; margin-right: auto; margin-top: 1em; text-align: center; padding:5px; border: 3px dotted red; background-color: pink">Choose life</div>

Choose life

Why is the class being ignored in the div?

What Happened to Ain’t Complicated?

So this blog disappeared completely off the Web.

Why?

Some hacker deleted it for me.

Thankfully, I just got done reinstalling and restoring it.

I’m so grateful the database was out of the hacker’s reach.

Now I need to restore a bunch of other stuff til I get it back to what it was.

If you have a blog powered by WordPress, be sure to upgrade to 2.6.5!!

Yahoo! Slurp and Me

They helped cause a spike on this site that led to my host suspending the domain.

After at least 30 hours of being suspended, I was allowed to bring the domain back online. Since then, I’ve been monitoring its bandwidth consumption. And particularly watching two bots: Googlebot and Yahoo! Slurp.

I also set up robots.txt to severely restrict bot access to this domain.

Googlebot is behaving; Slurp appears not to be.


Robots/Spiders at 6:53 am on 10/18/08
  Yahoo Slurp  7785+312  156.18 MB  09:46
  Googlebot    4411+33   111.47 MB  02:42

Robots/Spiders at 7:20 am on 10/19/08
  Yahoo Slurp  8357+334  164.00 MB  10:05
  Googlebot    4413+35   111.53 MB  03:59

I checked my recent accesses…and found a whole bunch by Yahoo. 🙁


Above all, love God!