Shin

Blocking WordPress xmlrpc.php scans

My server was frying at 100% CPU usage when I saw my Apache log filled with these:
x111.com 80.82.78.166 - - [17/Oct/2014:15:28:16 +0200] "POST /xmlrpc.php HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
Apparently there are bots going around hammering sites that run WordPress, trying to abuse xmlrpc.php to DDoS other sites.
I tried some xmlrpc plugins but they didn’t do anything for me, so I decided to nip it in the bud at .htaccess level, blocking the requests in Apache itself and keeping PHP and MySQL from getting hammered, by adding this to my .htaccess file:
# Refuse POSTs to xmlrpc.php that carry the scanner's User-Agent string, before PHP is ever invoked
RewriteEngine On
RewriteCond %{REQUEST_URI} =/xmlrpc.php [NC]
RewriteCond %{HTTP_USER_AGENT} .*Mozilla\/4.0\ \(compatible:\ MSIE\ 7.0;\ Windows\ NT\ 6.0.*
RewriteRule .* - [F,L]

So now all scans get a 403 error:
x111.com 93.174.93.203 - - [18/Oct/2014:12:31:54 +0200] "POST /xmlrpc.php HTTP/1.0" 403 275 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
And my server is idling again.
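The rule above only matches one User-Agent string, so it helps to know which clients are actually hammering xmlrpc.php before (and after) you add it. The following is an added example, not code from the original post: it parses Apache access-log lines in the vhost_combined layout quoted above and reports the client IP / User-Agent pairs that POST to /xmlrpc.php at least a threshold number of times. The log lines inside main() are constructed to mirror the ones shown in the post; the pattern, function names and threshold are my own choices.

```php
<?php
// Added example (not from the original post): find xmlrpc.php POST floods
// in an Apache access log, grouped by client IP and User-Agent.

declare(strict_types=1);

// vhost ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
const LOG_PATTERN = '/^(?<vhost>\S+) (?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] '
    . '"(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';

function parseLogLine(string $line): ?array
{
    if (!preg_match(LOG_PATTERN, trim($line), $m)) {
        return null; // not in the expected format: skip it
    }
    return [
        'ip'     => $m['ip'],
        'method' => $m['method'],
        'path'   => $m['path'],
        'status' => (int) $m['status'],
        'ua'     => $m['ua'],
    ];
}

// Count POST /xmlrpc.php requests per "ip | user-agent" pair and return the
// pairs at or above $threshold, busiest first.
function xmlrpcPosters(iterable $lines, int $threshold): array
{
    $counts = [];
    foreach ($lines as $line) {
        $e = parseLogLine($line);
        if ($e === null || $e['method'] !== 'POST' || $e['path'] !== '/xmlrpc.php') {
            continue;
        }
        $key = $e['ip'] . ' | ' . $e['ua'];
        $counts[$key] = ($counts[$key] ?? 0) + 1;
    }
    arsort($counts);
    return array_filter($counts, fn (int $n): bool => $n >= $threshold);
}

function main(): void
{
    // Constructed sample lines, modelled on the ones quoted in the post.
    $ua = 'Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)';
    $sample = [
        "x111.com 80.82.78.166 - - [17/Oct/2014:15:28:16 +0200] \"POST /xmlrpc.php HTTP/1.0\" 200 - \"-\" \"$ua\"",
        "x111.com 80.82.78.166 - - [17/Oct/2014:15:28:17 +0200] \"POST /xmlrpc.php HTTP/1.0\" 200 - \"-\" \"$ua\"",
        "x111.com 80.82.78.166 - - [17/Oct/2014:15:28:18 +0200] \"POST /xmlrpc.php HTTP/1.0\" 200 - \"-\" \"$ua\"",
        "x111.com 93.174.93.203 - - [18/Oct/2014:12:31:54 +0200] \"POST /xmlrpc.php HTTP/1.0\" 403 275 \"-\" \"$ua\"",
        "x111.com 192.0.2.10 - - [18/Oct/2014:12:32:00 +0200] \"GET /about/ HTTP/1.1\" 200 5120 \"-\" \"Mozilla/5.0\"",
        "x111.com 192.0.2.10 - - [18/Oct/2014:12:32:05 +0200] \"POST /xmlrpc.php HTTP/1.1\" 200 410 \"-\" \"WordPress/3.9; http://example.com\"",
    ];
    // With threshold 3 only 80.82.78.166 with the scanner UA is reported.
    foreach (xmlrpcPosters($sample, 3) as $who => $n) {
        printf("%4d  %s\n", $n, $who);
    }
}

main();
```

Run it against a real log with `php scan.php < access.log` after swapping the sample array for `file('php://stdin')`. Grouping by both IP and User-Agent matters here: the .htaccess rule keys on the User-Agent string alone, so a client that changes its string would slip past it, while an IP that keeps showing up in this report is a candidate for a firewall block rather than a rewrite rule.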

WordPress vCard themes

[Image: WordPress vCard]

I’ve been looking at social media in the Netherlands a lot lately; it looks like we’re finally catching up to the US.
Here’s a nice round-up of vCard-style themes to transform WordPress into a personal online business card, portfolio, résumé or what have you. I think a personal site is still a good home base, as it will always be there regardless of the flavour du jour in social network sites.

WordPress Security: Limit Login Attempts

Limit Login Attempts

The picture says it all really. There are bots active all over the web trying to hack WordPress sites by logging in to your account with any and all possible password combinations.
This plugin lets you lock that down by setting the number of retries you allow before the IP address of whoever is trying to get in gets blocked. It’s effective, and necessary.
Also make sure you rename the default admin account, as that is the username the bots use for their login attempts.

WordPress attachment spam

One year later and I still have to manually edit a core WordPress file after every release because they STILL haven’t patched it themselves, meaning that even if you set comments to close after a certain period, all the attachment pages under a post still get hit by spam comments.
Come on WP…

WordPress app 3.0 for iPad

Every time they release a new version I take a look to see what’s improved.
And every time I take a look I wonder why I’d use it.
Don’t get me wrong, it’s free, reasonably quick and quite actively updated. I just don’t see the point of it when I can just use Safari for the familiar WordPress Dashboard where everything works exactly the way I’m used to. It’s also bloody fast on Safari.
Compare that to the screenshots of the app version and I just wonder about some UI choices that seem like a minimalistic text editor. Or why the stats are confined to a small bar on the side leaving most of the screen quite literally completely empty.
Oh well, I’ll look again when 4.0 is released.

iPad app:

Safari on the iPad:

Fighting comment spam


As I mentioned before, I’m being hit by comment spam at a rate of hundreds a day. Akismet flags them as spam, thank god, but I’d still prefer they never got recorded to begin with.
It seems automated and hits older posts, so in an attempt to stop the tide I’ve disabled comments on posts older than 90 days. Unfortunately WordPress disregards its own setting when it comes to attachment pages, so I had to sneak into wp-includes/comment.php and modify 2 lines.
In my current version (3.3.2) it’s lines 1963 & 2002, where I changed
$post_types = apply_filters( 'close_comments_for_post_types', array( 'post' ) );
to
$post_types = apply_filters( 'close_comments_for_post_types', array( 'post', 'attachment' ) );
Fingers crossed.
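The line being edited is an apply_filters() call, which means the same change can be made from outside core by hooking that filter. The following is an added example, not code from the original post or from WordPress itself: a must-use plugin that adds 'attachment' to the post types covered by the "close comments after N days" setting. File name and plugin header are my own; it assumes the close_comments_for_post_types filter shown in the post's comment.php excerpt.

```php
<?php
/**
 * Plugin Name: Close comments on attachments
 *
 * Added example, not code from the post. Put this file in
 * wp-content/mu-plugins/ (must-use plugins load automatically and are not
 * overwritten by a WordPress upgrade, unlike an edit to wp-includes/comment.php).
 */

// WordPress passes the default array( 'post' ) through this filter when it
// decides which post types the "automatically close comments on posts older
// than N days" setting applies to. Adding 'attachment' makes attachment pages
// obey the same cutoff, which is exactly what the core edit above does.
add_filter( 'close_comments_for_post_types', function ( array $post_types ): array {
    if ( ! in_array( 'attachment', $post_types, true ) ) {
        $post_types[] = 'attachment';
    }
    return $post_types;
} );
```

Because the hook runs every time the core function is called, both places the post patches by hand pick up the extra post type, and the change survives the next release.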

WordPress 3.3 released

WordPress 3.3 has been released, bring on the awesome. I hope the new media manager works as great as it looks.

Let it snow, let it snow, let it snow

We’ve got snowspray on the windows,
it started snowing a bit further up in our country and
now we have snow here on the site.
Let it snow!

Improve your WordPress search

WordPress’ standard search isn’t all that good. One could say it sucks.
It sucks for several reasons: results come back in reverse date order, which makes sense for a blog but doesn’t use any relevance at all. There’s no indication in the search results of which words matched. The search just takes all the terms and does a basic SQL query for any of them, so if you search for ‘i like cheese’ you get posts with the word ‘like’ and then posts with the word ‘cheese’. You have no idea how many results you got.

Enter Relevanssi, a WordPress plugin which I just added, and now:
Search results are ranked based on relevance.
Instead of an excerpt showing the first x characters of the post, you get a relevant excerpt showing the part of the text that contains the search terms you used, with the terms highlighted in the text.
You see the search score, which tells you which words were found in the text and how many times they were found.

A list of Relevanssi features:

  • Search results sorted in the order of relevance, not by date.
  • Fuzzy matching: match partial words, if complete words don’t match.
  • Find documents matching either just one search term (OR query) or require all words to appear (AND query).
  • Search for phrases with quotes, for example “search phrase”.
  • Create custom excerpts that show where the hit was made, with the search terms highlighted.
  • Highlight search terms in the documents when user clicks through search results.
  • Search comments, tags, categories and custom fields.
  • Adjust the weighting for titles, tags and comments.
  • Log queries, show most popular queries and recent queries with no hits.
  • Restrict searches to categories and tags using a hidden variable or plugin settings.
  • Index custom post types and custom taxonomies.
  • Index the contents of shortcodes.
  • Google-style “Did you mean?” suggestions based on successful user searches.
  • Advanced filtering to help hacking the search results the way you want.

The plugin comes in 2 flavors, free and premium. I’m half tempted to buy the premium just to support the free one as it is already quite feature complete. It’s also rather flexible and offers a lot of tweaking if that’s your cup of tea.

Work in progress... not home!
Trying to get all/most of the new code working before I start on the eyecandy.