Tag Archives: Security

A Word on WordPress Spam.

A couple of weeks ago Brian and Novak mentioned they seemed to see more spam after the upgrade to WordPress MU 2.8.4. Interesting, I thought, so I checked my blog and the main blog, which had virtually no spam. Looking at their blogs, they had quite a bit of spam, but Akismet was catching 95% of it, so I thought no big deal. I also chalked it up to the fact that people read their blogs, and in Brian’s case a lot of people read his blog (still not the most popular blog on blogs.ubc.ca, which receives virtually no spam; odd, but not that odd). The last three days things changed and it was basically out of control: the two blogs combined were receiving over 4000 spam messages a day, and while most were being caught by Akismet, many were getting through. I checked the other top 10 blogs and they had nothing in comparison. I was starting to get paranoid: if this happened to other blogs on our site this would for sure end up being a DoS.

On further investigation, looking at Novak’s blog he had reCaptcha off for some reason (not so Super Novak)… after he turned it on spam went down a little, but it was still up big time. The next step was looking at the server logs. At first I thought we could use some .htaccess trickery to block the bots from hitting wp-comments-post.php:

RewriteEngine On
# Only look at comment form submissions (wp-comments-post.php is only ever POSTed to)
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# Bounce the request if the referer is not one of our own pages...
RewriteCond %{HTTP_REFERER} !.*blogs\.ubc\.ca.* [OR]
# ...or the client sends no User-Agent at all (typical of a crude bot)
RewriteCond %{HTTP_USER_AGENT} ^$
# Send the bot back to its own address instead of to WordPress
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

But the bot was smart enough to send proper referers, so this would not work. What to do next? I started grepping through the server logs to see what the bots were hitting on their blogs. Both were being hit on old posts (although neither posts that often, so almost everything is old), but I mean old like over 3 months old. Both had a lot of spam being directed at a “Forum like display plugin” post as well as a couple of others. So on both blogs I set comments to turn off after 90 days (Novak) and 120 days (Brian), and I disabled trackbacks. This pretty much had an immediate impact: spam was virtually stopped on both blogs. In conclusion, this is a temporary fix; I recommend everyone having spam issues right now do this (I always recommend disabling trackbacks).
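As an added example (not code from the original post), here is the log grepping described above done in a few lines of Python: it parses Apache combined-format access log lines, keeps only POSTs to wp-comments-post.php, and counts submissions per target post (taken from the referer) plus the ones sent with a blank User-Agent. The log lines are constructed sample data; the IPs and post paths are made up.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format (made-up IPs and post paths).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2009:10:01:02 -0700] "POST /novak/wp-comments-post.php HTTP/1.1" 302 0 "http://blogs.ubc.ca/novak/2009/05/forum-like-display-plugin/" "Mozilla/4.0"
203.0.113.5 - - [12/Sep/2009:10:01:09 -0700] "POST /novak/wp-comments-post.php HTTP/1.1" 302 0 "http://blogs.ubc.ca/novak/2009/05/forum-like-display-plugin/" "Mozilla/4.0"
198.51.100.7 - - [12/Sep/2009:10:02:15 -0700] "POST /brian/wp-comments-post.php HTTP/1.1" 302 0 "http://blogs.ubc.ca/brian/2009/04/some-old-post/" ""
198.51.100.7 - - [12/Sep/2009:10:02:40 -0700] "GET /brian/2009/04/some-old-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Sep/2009:10:03:00 -0700] "POST /novak/wp-comments-post.php HTTP/1.1" 302 0 "http://blogs.ubc.ca/novak/2009/05/forum-like-display-plugin/" ""
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def comment_submissions(log_text):
    """Keep only POSTs to wp-comments-post.php, i.e. comment form submissions."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-comments-post.php"):
            hits.append(rec)
    return hits

def targeted_posts(log_text):
    """Submissions per target post (the referer path), most-hit first."""
    counts = Counter()
    for rec in comment_submissions(log_text):
        ref = rec["ref"]
        counts[urlsplit(ref).path if ref not in ("", "-") else "(no referer)"] += 1
    return counts.most_common()

def blank_agent_submissions(log_text):
    """Submissions sent with an empty User-Agent, the case the .htaccess rule above keys on."""
    return sum(1 for rec in comment_submissions(log_text) if rec["ua"] == "")

if __name__ == "__main__":
    for path, n in targeted_posts(SAMPLE_LOG):
        print(f"{n:5d}  {path}")
    print("blank User-Agent submissions:", blank_agent_submissions(SAMPLE_LOG))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the posts at the top of the list are the ones worth closing comments on.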

This definitely is a bigger issue: if bots can spam and bypass both reCaptcha and Akismet (in some cases), WordPress has a fairly serious security issue. Hopefully WordPress addresses this soon.

IPREDator: Being anonymous is going to be a lot easier.

Looks like the genius minds behind the Pirate Bay did what they said they were going to do: IPREDator, a new virtual private networking (VPN) service, will be launching soon. Wise downloaders could always set up this type of service in the past, but this will make it even easier for non-technical users. This is going to put a major damper on any attempts by the RIAA and MPAA to stop illegal downloading. Downside: it can obviously be used for criminal activity.

source: Read Write Web

*The Pirate Bay boys are now going to prison; they are going to need the cash from IPREDator.

The Importance of SSL on a Campus Blogs Setup

I recently had a comment from a co-worker asking why we had to have SSL on our admin/dashboard pages. This is a good question: it can slow things down when SSL is enabled on the WordPress Dashboard (although I do not notice any significant change), but I argue that the potential cost of not implementing this GREATLY outweighs the slight hit to performance, the reason being Blogjacking. For the hacker types out there, the next time you are sitting on your cafe network, have some fun: load up Wireshark and log in to your blog without SSL and you will be in for a surprise. Imagine if a disgruntled student decided to jack a prof’s blog? I am pretty sure our project would be shut down pretty quickly, as would other Campus Blogging Platforms. Securing web apps is always a battle; this is one fix you would have to be insane not to implement.

Check out this great video by WordPress on the importance of SSL in the Dashboard.

*UBC Bloggers take note: we use HTTPS by default.