goawayxmlrpc.php

Found a plugin that might be useful for people needing to block xmlrpc.php pingbacks. It disables the two methods in the XML-RPC API that allow attackers to send pingback data to your WordPress site. I am currently seeing a flood of pingback spam, which is being written into wpdb. I really don't care for pingbacks, especially when this vulnerability is being used for denial of service.


WP Multisite: Images not displaying?

Last night I began investigating this strange issue: images on the network either worked, or they were borked. I looked at APC and Varnish behaviour and configuration and found no evidence of a caching problem. With that ruled out, I began looking at other causes. WordPress 3.2.4 was released this month, so I thought it could be related to core changes in how uploads and the media library handle blogs.dir. After ruling out server-side and client-side cache, I began tinkering to see what was working and what wasn't.

The first symptom: images under /wp-content/blogs.dir/[id]/files/image.jpg are not displaying properly.

On mapped domains most images have a src attribute of http://domain.com/wp-content/blogs.dir/3/files/2012/03/image.jpg, which now returns a 404 (for whatever reason these images no longer show up).

However, if I change the URL to:
http://domain.com/files/2012/03/image.jpg
the image appears. Is this something recent in 3.4.2? Am I going to have to go through and fix all these img src attributes?

I double-checked the .htaccess; below is the standard WP .htaccess I have. Note that the mod_expires block is excluded.

--------------
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]

# uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule . index.php [L]
# END WordPress
--------------

Nothing out of the ordinary in here; however, I did find an interesting .htaccess file in the blogs.dir directory, which contained the following code:

-----------------
Order deny,allow
Deny from all
<Files ~ "^[0-9A-Za-z]+.(jpeg|gif|png)$">
Allow from all
</Files>
-----------------

The issue is the regex. It only allows 0-9, A-Z and a-z, and does not include dashes and underscores (nor the plain jpg extension). The appropriate .htaccess file should read as:

-----------------
Order deny,allow
Deny from all
# dash placed last so it is a literal, not a range; dot before the extension escaped
<Files ~ "^[0-9a-zA-Z._-]+\.(jpg|jpeg|gif|png)$">
Allow from all
</Files>
-----------------

Example: with the first .htaccess, logo-300x300.jpg would be denied, while with the second it is served (a plain logo.jpg works fine under the second as well).

The new .htaccess file in /blogs.dir/ may have been written by core for security purposes. It denies access to every file in the upload tree whose name does not match the regular expression, so only image files with the listed extensions are ever served. It's a good way to thwart any hacker who may have obtained a user login and is attempting to upload and execute malicious code via the Media Library.
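To see exactly which upload names each `<Files ~>` pattern lets Apache serve, here is an added Python script (not part of the original post, and not WordPress code) that runs three patterns over a constructed list of filenames: the pattern found in blogs.dir, the pattern `^[0-9a-zA-Z.-_]+.(jpg|jpeg|gif|png)$` proposed to admit dashes and underscores, and a fully corrected one. Python's `re` module stands in for Apache's PCRE; character-class and range semantics agree for these patterns. The script goes a little beyond the post: it shows that `.-_` inside a class is parsed as a range from `.` to `_`, which still leaves the dash out (ASCII 45 is just below `.`) while admitting punctuation such as `;`, and that an unescaped `.` before the extension matches any character at all. The filenames are constructed samples.

```python
import re

# Constructed sample upload names (not from the original post). The
# "-300x300" form is how WordPress names resized thumbnails.
SAMPLE_FILES = [
    "logo.jpg",
    "logo-300x300.jpg",
    "photo_2012.png",
    "cover.jpeg",
    "anim.gif",
    "logo;x.jpg",    # punctuation that the ".-_" range admits by accident
    "logoXjpg",      # no real extension; an unescaped "." accepts it
    "shell.php",
    "image.jpg.php",
]

# The <Files ~ "..."> patterns under discussion. Apache uses PCRE; Python's
# re has the same character-class and range behaviour for these patterns.
ORIGINAL = r"^[0-9A-Za-z]+.(jpeg|gif|png)$"           # as found in blogs.dir
PROPOSED = r"^[0-9a-zA-Z.-_]+.(jpg|jpeg|gif|png)$"    # ".-_" parses as a range
CORRECTED = r"^[0-9a-zA-Z._-]+\.(jpg|jpeg|gif|png)$"  # dash last, dot escaped


def is_served(pattern, filename):
    """Emulate 'Deny from all' followed by '<Files ~ pattern> Allow from all':
    the basename is served only when the regex matches it."""
    return re.search(pattern, filename) is not None


def evaluate(pattern, files=SAMPLE_FILES):
    """Map each sample filename to whether Apache would serve it."""
    return {f: is_served(pattern, f) for f in files}


def range_leak(lo=".", hi="_"):
    """Characters the range lo-hi admits besides letters, digits, lo and hi:
    what "[0-9a-zA-Z.-_]" matches that the author never intended."""
    return "".join(
        chr(c) for c in range(ord(lo), ord(hi) + 1)
        if not chr(c).isalnum() and chr(c) not in (lo, hi)
    )


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL),
                      ("proposed", PROPOSED),
                      ("corrected", CORRECTED)):
        print(f"{name:9} {pat}")
        for f, ok in evaluate(pat).items():
            print(f"  {'allow' if ok else 'deny ':5} {f}")
    print("punctuation admitted by the .-_ range:", range_leak())
    print("dash admitted by the .-_ range?", "-" in range_leak())
```

Run it and compare the three tables: the original pattern denies `logo-300x300.jpg`, `photo_2012.png` and even `logo.jpg`; the proposed pattern still denies the dashed thumbnail while serving `logo;x.jpg` and `logoXjpg`; the corrected pattern serves exactly the plain image names and nothing else. All three deny `shell.php` and `image.jpg.php`, since the extension alternation is anchored to the end of the name.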

[my original thread on wordpress.org as I scratched my head]
