What file permissions are needed while editing?

…if you want to work with your own files via FTP instead of having BPS create them for you…

For the record here, I do not plan to do any more of that. Where it might have taken a coder only about an hour or two to figure out and add about a dozen lines of code at the BPS Custom Code editor, I was doing all that by trial-and-error via FTP over the course of about a week…and I had begun with what BPS had first made for me with its Create secure.htaccess AutoMagic buttons. But I have now just been through all the Bulletproof Mode and Backup buttons at each site and see no need for doing anything more via FTP.

Please let me know if you ever run short of grounds at the coffee pot!

Question: Would these two extra lines (commented out at the moment) add anything to the protection BPS already provides?

# BRUTE FORCE LOGIN PAGE PROTECTION
# Protects the Login page from SpamBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
#RewriteCond %{REQUEST_URI} ^/wp-admin$
#RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]

Yes, they would add additional protection. I would combine all URI’s into one RewriteCond. I have not tested this code so I do not know if it will break anything so do thorough testing on your website.

# BRUTE FORCE LOGIN PAGE PROTECTION
# Protects the Login page from SpamBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*|/wp-admin|.*wp-comments-post\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]

I would combine all URI’s into one RewriteCond.

Many thanks!

Edit: Please excuse my initial post while missing what you had done there.

I saw this code you posted in the link below and it looks great for preventing mass Brute Force probing. We have also been looking at and testing some other code that is similar to this code. So probably in the next BPS version we will add another Bonus Code Dismiss Notice.

https://www.ads-software.com/support/topic/wp-beginner-security-question?replies=12#post-4862678

Cool beans.

PS: I currently have all of that together like this:

# BRUTE FORCE LOGIN PAGE PROTECTION
#### br04 as modified by AITPro for testing (nnysandbox) on 20131110
### https://www.ads-software.com/support/topic/what-file-permissions-are-needed-while-editing?replies=20#post-4862704
# Protects the Login page from SpamBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*|/wp-admin|.*wp-comments-post\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]

Links such as https://www.mydomain.com/page-one/+%22post+a+comment%22+subscriber&ct=clnk were already returning 404s for me, but I do not know whether that is the same as above in relation to wp-comments-post. So, I just added the above and will watch to see what happens.

%22 is the URL encoded double quote coding characters and should not be used in URLs. Most likely this is being caused by a plugin or theme that is doing something wrong with magic_quotes. Or maybe the double quotes have been added by mistake. BPS has 2 security filters that will block the double quote coding characters in URLs since these can be used against your website in attacks. My hunch is that a combination of the double quotes and “select” in the Form are causing the 404 error, but the error is really a 403 error that is mistakenly being seen as a 404 error. The SQL Injection security filter is the most likely filter that would be blocking URLs with double quotes in them.

/page-one/”post+a+comment”+subscriber&ct=clnk

https://stackoverflow.com/questions/17187673/22-double-quotes-added-to-url-out-of-nowhere

User Agent filter
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]

SQL Injection filter
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

BPS has 2 security filters that will block the double quote coding characters in URLs since these can be used against your website in attacks.

Please forgive me for not being clear since the kind of https://www.mydomain.com/page-one/+%22post+a+comment%22+subscriber&ct=clnk link I had mentioned is coming from ‘bots…and now I know how they end up as 404s!

Thanks again.

Oh ok. I thought maybe you thought this was a problem, but obviously you are aware that these malicious bot probes/attacks are being blocked already. ??

After testing many variations of bot probe code this code works the best.

# WP AUTHOR ENUMERATION BOT PROBE PROTECTION
# Redirects to author=999999 that does not actually exist
# which results in a standard 404 error. To the hacker bot
# it appears that this author does not exist without giving
# any clues that the author does actually exist.  

RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
RewriteRule ^(.*)$ $1?author=999999 [R=301]

Actually the L flag is better to avoid any possible redirect looping.

# WP AUTHOR ENUMERATION BOT PROBE PROTECTION
# Redirects to author=999999 that does not actually exist
# which results in a standard 404 error. To the hacker bot
# it appears that this author does not exist without giving
# any clues that the author does actually exist.  

RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
RewriteRule ^(.*)$ $1?author=999999 [L]

Ah, okay, and thanks again. I had only tested to 99!

How much trouble would it be to make the new code just go to “Home” rather than returning a 404?

RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
RewriteRule ^(.*)$ $1?author=999999 [L]

Is that as simple as changing [L] to [L,R=301]?

In our case, the issue is anonymity and that is why we also have this:

# send /author/ scans to Home Page
RedirectMatch (?i)^/author.*$ /

Edit: After changing [L] to [L,R=301] and trying www.nnysandbox.net/?author=0, I ended up at https://www.nnysandbox.net/?author=999999 and “Firefox has detected that the server is redirecting the request for this address in a way that will never complete.”

If you are using a 404.php Theme template file then by default your 404.php template file should be loaded within your Theme’s other template files. Hacker Bot probes will most likely be done using the root domain URL and not any deeper than the root URL. The 404 error is natural so that the hacker bot will not think that author ID / User ID actually exists, which is the ideal scenario.

Example test site results

www.ait-pro.com/verum/?author=1
www.ait-pro.com/verum/sample-page/?author=1

In our case, the issue is anonymity and that is why we also have this:

I don’t understand what this statement means above? If anything is viewable to the public on the Internet it can be found and cannot be made to be anonymous or hidden – that is not possible on the Internet if something is publicly viewable.

To redirect the Query String you would first probably have to disable your 404.php template file or maybe create a custom ErrorDocument rule. I will see if this is possible without creating a big mess / wrecking normal template functionality on a website.