Stop brute force attacks on WordPress

Posted on 2017-02-17

If there is “Error connecting to database” error, and the access.log file is huge (several GB), and there are many “POST /xmlrpc.php” or “POST /wp-login.php” in it, it’s brute force attack.

How to stop it?

I. Use password to protect wp-login.php

1. Generate file ./htpasswd, e.g. use http://www.htaccesstools.com/htpasswd-generator/, put it in folder (e.g. /var/www)
Note: could use the following command to generate random password first

openssl rand -base64 6

2. Add the following code in .htaccess under where the wp-login.php is (usually the root folder of WordPress installation)

# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

# Protect wp-login
<Files wp-login.php>
AuthUserFile [ABSOLUTE PATH]/.htpasswd
AuthName "Private access"
AuthType Basic
require user USERNAME-SET-IN-HTPASSWD
</Files>

Reference: Brute Force Attacks on WordPress.org

II. Stop access to xmlrpc.php

If xmlrpc is not used, just block access to it. In .htaccess file, add

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Orfox enable screenshots

Posted on 2017-01-28

writer

Comment out the following statement in GeckoApp.java (or just search FLAG_SECURE in source code):

getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);

Then rebuild (see: Build Orfox from source code)

Build Orfox from source code

Posted on 2017-01-28

writer

The following steps work on Ubuntu 16.04.

1. Get source from https://github.com/guardianproject/Orfox.git

2. Install Android SDK 23, SDK Build-tools 23.0.1, Android Support Repository

3. Export ANDROID_HOME, ANDROID_NDK_HOME

4. In root folder, execute (note: if need to build modified code, first comment out the git part)

./make_build_release

5. If error “Could not find autoconf 2.13”, install autoconf-2.13 from source. e.g. on Ubuntu 16.04:

wget http://ftp.gnu.org/gnu/autoconf/autoconf-2.13.tar.gz
tar -xvzf autoconf-2.13.tar.gz
cd autoconf-2.13/
./configure --program-suffix=2.13
make
sudo make install'

6. If error “ccache not found”,

apt-get install ccache

Root Google Pixel

Posted on 2017-01-25

writer

Note: FIRST read this thread on XDA to determine which boot-to-root to download. As of today (2017-01-24), I used v2.78 SR3 for non-TWRP.

1. In Developer options, enable OEM unlocking

2. Unlock bootloader (this only works on Pixel directly bought from Google, not carrier versions):
(a) boot into bootloader mode:

adb reboot bootloader

(b)

fastboot flashing unlock

then confirm on phone

3. Download boot-to-root image from Chainfire (read this thread on XDA to determine the download version), then

fastboot boot boot-to-root.img

Note: after root, if Pixel is stuck in the booting process (e.g. because wrong version of boot-to-root.img is used), flash the factory boot.img from Google (fastboot flash boot boot.img), normal reboot, and repeat Step 3 above.

Build Orbot from source code

Posted on 2017-01-24

writer

1. https://git.torproject.org/orbot.git
(In Eclipse, Import Projects from Git -> select “Clone submodules” -> Import as general project)

2. Install automake, libtool

3. Export ANDOIR_NDK_HOME and ANDROID_HOME, then

export PATH=$ANDROID_HOME/tools:$PATH

4. In Android SDK manager, install SDK Platform API 23 Rev.3, and Extras -> Android Support Repository

5. In orbotservices/src/main, run

ndk-build

Otherwise there is error: “orbotservices/src/main/libs/armeabi/pdnsd” not found

6. In Orbot root directory, run

make -C external

7. Verify tor and polipo binaries

file external/bin/tor external/bin/polipo

8. In Orbot root diretory, build a debug APK (assuming target is Android 6.0)

android update project --name Orbot --target android-23 --path .
./gradlew assembleDebug

the APK is in app/build/outputs/apk/

Useful Android apps for power-related measurement

Posted on 2017-01-18

writer

1. Keep screen from dimming: Stay Alive!
2. Sync system time with NTP: ClockSync

Disable directory browsing in Apache using .htaccess

Posted on 2017-01-12

writer

If disable file visiting, in .htaccess

Options All -Indexes

If allow file visiting, create file index.php

 <?php header('Location: /index.php'); exit(); ?>

(optional)in .htaccess

DirectoryIndex index.php

MySQL remote access with PHP and UFW

Posted on 2017-01-09

writer

Key points.
1. UFW allow specific IPs:

ufw allow from 123.456.789.0/24 to any port 3306

2. MySQL add remote users (e.g. only allow INSERT):

GRANT INSERT ON DB_NAME.TABLE_NAME TO 'REMOTE_USER_NAME'@'%' IDENTIFIED BY 'REMOTE_PASSWORD' WITH GRANT OPTION;
FLUSH PRIVILEGES;

3. In PHP, use quotes around variable names;

$sql = "INSERT INTO TABLE_NAME (FIELD1, FIELD2) VALUES ('$VAR_1', '$VAR_2')"

Continue reading →

Remove fields from text files

Posted on 2017-01-07

writer

Assume each line has 51 fields, the delimiter is “,”, and we want to remove fields 31 to 50,

cut -d, -f1-30,51- input_file > output_file

Some other file operations:
1. Get the last N lines from a file:

tail -n N INPUT_FILE > OUTPUT_FILE

2. Cat two files together

cat FILE1 FILE2 >> FILE3

3. Combine the columns from two files:

paste -d , FILE1 FILE2 > FILE3

Backup and restore wordpress database

Posted on 2017-01-03

writer

Backup:

mysqldump --add-drop-table -h localhost -u root -p database_name > backup_filename.bak.sql

To restore, first create database database_name in MySQL, then

mysql -h localhost -u root -p database_name < backup_filename.bak.sql

WriteBuffer

Category: Tech

Stop brute force attacks on WordPress

Orfox enable screenshots

Build Orfox from source code

Root Google Pixel

Build Orbot from source code

Useful Android apps for power-related measurement

Disable directory browsing in Apache using .htaccess

MySQL remote access with PHP and UFW

Remove fields from text files

Backup and restore wordpress database