How to capture data sent by POST ?

You can do a POST to any URL, regardless of what the URL repsonds with. The POST happens before the response, so whatever system is doing this won’t see your 403 until after the POST has been done. There’s a few 1,000 systems out there that do these things. Soem of them are for more “white-hat” reasons where they are trying to create accounts and log in to add posts and comments to your site, but others are designed to break into the site to try and take it over for whatever reason.

Getting POST data is easy in PHP. Every value sent via POST is stored in the suer-global $_POST array, if there’s anything extra sent by GET it’s in the $_GET array, and both are “combinied” in the $_REQUEST array. You can dump any or all of those into a log or an email when ever anyone attempts a log in by using login hooks.

Thanks for your reply, very informative. ??

You can dump any or all of those into a log or an email when ever anyone attempts a log in by using login hooks.

I would prefer them by email, as I get an email now. I did try this ..

$post_array = $_POST;
$get_array = $_GET;

and then $post_array and $get_array are contained in the body part of the email. Not sure if that is the method to send a complete array though ??

No, it’s not. If you do it that way you’ll onlt get them output as ‘Array’. PHP doesn’t automatically print array values out like that.

The way to do it is something like this:

$post_array = var_export ($_POST, true);

There’s more ways to do it then this, but this is a good starting point.

Thanks, that worked fine.

I have had a lot of attempts to POST to /wp-login, so modified the emails I get, to see what was in various arrays. There are 3 arrays put out now, being $_POST, $_GET and $_SERVER, as follows:

array (
)
array (
)
array (
‘CONTENT_LENGTH’ => ’97’,
‘CONTENT_TYPE’ => ‘application/x-www-form-urlencoded’,
‘DOCUMENT_ROOT’ => ‘/home/********/public_html’,
‘GATEWAY_INTERFACE’ => ‘CGI/1.1’,
‘HTTP_ACCEPT’ => ‘*/*’,
‘HTTP_HOST’ => ‘example.com’,
‘HTTP_USER_AGENT’ => ‘Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1); .NET CLR 3.5.30729)’,
‘PATH’ => ‘/bin:/usr/bin’,
‘QUERY_STRING’ => ”,
‘REDIRECT_REQUEST_METHOD’ => ‘POST’,
‘REDIRECT_STATUS’ => ‘403’,
‘REDIRECT_UNIQUE_ID’ => ‘UTDeI8wPhjQAADEtfXYAAAAC’,
‘REDIRECT_URL’ => ‘/wp-login.php’,
‘REMOTE_ADDR’ => ‘188.143.232.30’,
‘REMOTE_PORT’ => ‘1393’,
‘REQUEST_METHOD’ => ‘GET’,
‘REQUEST_URI’ => ‘/wp-login.php’,
‘SCRIPT_FILENAME’ => ‘/home/********/public_html/403error.php’,
‘SCRIPT_NAME’ => ‘/403error.php’,
‘SERVER_ADDR’ => ‘204.15.***.***’,
‘SERVER_ADMIN’ => ‘[email protected]’,
‘SERVER_NAME’ => ‘example.com’,
‘SERVER_PORT’ => ’80’,
‘SERVER_PROTOCOL’ => ‘HTTP/1.1’,
‘SERVER_SIGNATURE’ => ”,
‘SERVER_SOFTWARE’ => ‘Apache’,
‘UNIQUE_ID’ => ‘UTDeI8wPhjQAADEtfXYAAAAC’,
‘PHP_SELF’ => ‘/403error.php’,
‘REQUEST_TIME’ => 1362157091,
‘argv’ =>
array (
),
‘argc’ => 0,
)

There is nothing in the first 2 arrays, yet the attempt to login was a POST ? Am I missing something ?

Pete

If it’s a POST request, you will see the $_POST array. The $_GET array only receives values that are sent via the URL (eg: page.php?id=15). The $_SERVER array indicated your servers values/settings, so should really not be a concern for you in this case. If there’s nothing in the $_POST Array then that means that no values were sent via the POST protocol. That’s either a broken hacking/spam registration software package or an attempt to break into the system. All that I’d suggest is to keep an eye on the IP addresses that it’s coming from and see if there’s any correlation in that value.