• Nicki Faulk

    (@nitallica)


    After reading the 2.1.2 announcement, I promptly modified the .htaccess file for each of my WP installations to include the following:

    # Assumes RewriteEngine On is already set earlier in the file (WordPress's default .htaccess sets it)
    # Block any request whose query string carries a parameter named ix or iz
    RewriteCond %{QUERY_STRING} (^|&)ix= [OR]
    RewriteCond %{QUERY_STRING} (^|&)iz=
    RewriteRule ^.*$ https://127.0.0.1/ [R,L]
    
    # Send direct requests for theme.php / feed.php back to the requester's own loopback address
    RedirectMatch (.*)theme\.php$ https://127.0.0.1/$1
    RedirectMatch (.*)feed\.php$ https://127.0.0.1/$1

    I wanted to pop on here to make sure that would cover it … and make sure I hadn’t overlooked anything (as I hadn’t seen any suggestions posted regarding this).

    Thanks!

    Nicki

Viewing 9 replies - 1 through 9 (of 9 total)
  • deko

    (@deko)

    Even better would be to redirect to a page on the WP.org site that would log the IP/domain/geo location of the visitor so we could display to the world who is trying this stuff. I have a script that would do this if you're interested.

    These questions remain:

    • What, exactly, are the vulnerabilities in the hacked 2.1.1 files and how are they exploited?
    • What should I check for to know if my blog has been compromised or not?
    • Do I need to change my blog’s passwords?

    Aaron Brazell

    (@technosailor)

    The details of the exploit were published by Ivan Fratric (the security guy who reported the situation) here.

    https://ifsec.blogspot.com/2007/03/wordpress-code-compromised-to-enable.html

    This is indeed quite dangerous.

    deko

    (@deko)

    Thanks for that important link.

    Thread Starter Nicki Faulk

    (@nitallica)

    Very nice, thank you!

    cheese500

    (@cduke250)

    Better yet

    # Match only a parameter actually named ix or iz, not every query string that happens to contain those letters
    RewriteCond %{QUERY_STRING} (^|&)(ix|iz)=
    # Refuse the request outright with 403 Forbidden instead of redirecting it
    RewriteRule .* - [F]
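As an added example (not code from this thread), the same query-string test seen from the defender's side: a small Python audit that scans constructed Apache access-log lines for requests carrying an ix or iz parameter, notes which of them were aimed at theme.php or feed.php, and matches the full parameter name so that innocent values such as "pixel" or "prefix=" are not flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2007:10:01:12 +0000] "GET /wp-includes/theme.php?ix=1 HTTP/1.1" 200 17
10.0.0.6 - - [03/Mar/2007:10:02:30 +0000] "GET /?s=pixel HTTP/1.1" 200 5120
10.0.0.7 - - [03/Mar/2007:10:03:45 +0000] "GET /wp-includes/feed.php?iz=1 HTTP/1.1" 200 40
10.0.0.8 - - [03/Mar/2007:10:04:00 +0000] "GET /index.php?prefix=abc HTTP/1.1" 200 3000
10.0.0.9 - - [03/Mar/2007:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# The two query parameters the .htaccess rules in this thread block,
# and the two files they are sent to.
SUSPECT_PARAMS = {"ix", "iz"}
SUSPECT_FILES = ("theme.php", "feed.php")


def classify_target(target):
    """Return a short reason if the request target carries a suspect parameter, else None."""
    parts = urlsplit(target)
    # parse_qs splits on full parameter names, so ?s=pixel or ?prefix=abc
    # are not flagged, unlike a bare (ix|iz) substring match would be.
    params = parse_qs(parts.query, keep_blank_values=True)
    hit = SUSPECT_PARAMS.intersection(params)
    if not hit:
        return None
    reason = "query parameter " + ",".join(sorted(hit))
    if parts.path.endswith(SUSPECT_FILES):
        reason += " on " + parts.path.rsplit("/", 1)[-1]
    return reason


def scan_log(text):
    """Return (ip, timestamp, target, reason) for each suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in common log format
        reason = classify_target(m["target"])
        if reason:
            hits.append((m["ip"], m["ts"], m["target"], reason))
    return hits


if __name__ == "__main__":
    for ip, ts, target, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target}  <- {reason}")
```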

    Thread Starter Nicki Faulk

    (@nitallica)

    Ooh, even better! I knew someone may have a more elegant way of doing this. Thanks, cduke250!

    Moderator Samuel Wood (Otto)

    (@otto42)

    You can also just check your blog’s running code for the actual problem. I checked, and I apparently did not download the bad code at any point.

    Or just upgrade to 2.1.2 if you had 2.1.1. No need to do this sort of block in .htaccess. Blocks like this should be sitewide if they are to be done.

    Thread Starter Nicki Faulk

    (@nitallica)

    I knew that I was not at risk, but would rather block the attempts so as to deter them.

    cheese500

    (@cduke250)

    Or just add this..

    # Deny direct HTTP requests for theme.php and feed.php (Apache 2.2 access-control syntax);
    # these are library files WordPress includes from PHP, not pages a visitor requests directly
    <FilesMatch "(theme|feed)\.php$">
    order allow,deny
    deny from all
    </FilesMatch>

    but Otto42 has the best advice.


  • The topic ‘HTACCESS file editing (re: recent WP cracking)’ is closed to new replies.