On WordPress GET floods, plugin fingerprinting & keeping safe

flood sign, by alan in belfast from flickr under ccInfosec consultant and blogger Xavier Mertens suffered from a GET flood last week. The would-be DDOS originated from WordPress blogs that seemed non-related both geographically and content-wise, were using different versions of WordPress and seemed not to be compromised.
So what gives? WordPress blogs autonomously trying to DDOS other WordPress blogs? My best guess; a WordPress plugin gone rogue. The great WordPress HTTP API makes It easy enough to create a plugin that fetches targets from a control server and issues requests to those targets at a given time. It’s only a matter of hiding that behavior inside a plugin that seems useful and getting people to install that. The easiest way; finding an older plugin with an existing userbase and taking over development from the original developer (as i did with Autoptimize) is the easiest route to create your own little DDOS-ing botnet.

But all of this is pure speculation (although the UA matches the one used by WordPress HTTP API) off course. The only way to know for sure is to, for at least a sample of the flooding blogs, check what plugins they have in common. Doing so is frightfully easy using the NMAP HTTP WordPress Pugins script and if I am not mistaking Xavier is indeed looking into this.

But given the ease with which the NMAP-script can scan for WordPress plugins (there are similar scripts for e.g. Drupal modules), you might want to stop this from happening? I for one added this line in my WordPress .htaccess:

RedirectMatch 404 ^/wp-content/plugins/[^\/]*/$

Maybe you would even want to return a 404 for plugin readme.txt and index.html files as well, but I’ll consider that an assignment for you guys to chew over 😉

Stopping WordPress media attachments comment spam

I just had my monthly look at the comments spam queue and was baffled by the amount of spam-comments on WordPress attachments. WordPress, surprisingly, has no option to disable comments on media, so based on information in this codex page about the comments_open function, I quickly assembled a plugin to stop comments on items in the media gallery altogether. The code (which can also be added in functions.php instead of going into a plugin):

<?php
/*
Plugin Name: No Media Comments
Author: Frank Goossens (futtta)
Plugin URI: http://blog.futtta.be/
Author URI: http://blog.futtta.be/
Description: Stop comments on media attachments
Version: 0.1
*/
add_filter( 'comments_open', 'noMediaComments', 10, 2 );
function noMediaComments( $open, $post_id ) {
$post = get_post( $post_id );
if ( 'attachment' == $post->post_type )
$open = false;
return $open;
}
?>

After throwing that at my server and seeing it worked, I realized there had to be a plugin for this and I indeed found Disable Comments and Comment Control in the wordpress.org plugin repository. Both plugins are by the same author and are only slightly different in scope really. So if you want to stop the comment spam on attached images on your WordPress blog, you’ve got several options. But shouldn’t this be tackled in WordPress core instead, really?

100000 WP YouTube Lyte downloads and beyond

Feeling proud: WP YouTube Lyte got downloaded for the 100000th time today around 16h30;

In the meantime I started work on version 1.2.0, the main new feature being support for responsive design. It will probably be released in the 2nd half of July, unless you want to beta-test that is.
Anyway, thanks for all the downloads, here’s some Underworld (“Glam Bucket”) to chill out to on this lazy Sunday evening:

Underworld Glam Bucket