Tag Archives: Wordpress

Top comment spammers for WordPress

Looking through the sources of WordPress spam comments, some IPs came back a lot. This post explains how to list your top comment spammers for WordPress.
Not sure if my eyes were fooling me, I quickly dived into the database to query the comments table. Note that I have about 10000 comments currently in that table.

mysql> select count(comment_author_IP) as c,comment_author_IP from wp_comments group by comment_author_IP order by c desc limit 15;
+-----+-------------------+
| c   | comment_author_IP |
+-----+-------------------+
| 479 | 199.15.233.147    |
| 434 | 199.15.233.148    |
| 401 | 199.15.233.144    |
| 385 | 199.15.233.153    |
| 385 | 199.15.232.42     |
| 379 | 199.15.233.145    |
| 378 | 199.15.233.133    |
| 377 | 199.15.233.146    |
| 377 | 199.15.233.143    |
| 374 | 199.15.233.157    |
| 262 | 199.15.233.158    |
| 236 | 142.54.184.181    |
| 138 | 195.211.155.183   |
|  79 | 140.237.12.45     |
|  70 | 110.89.40.214     |
+-----+-------------------+
15 rows in set (0.03 sec)

mysql> 

This result clearly shows that blocking subnet 199.15.232.0/23 on my firewall certainly wouldn’t hurt. It will also take a lot of load off the Akismet service, which my WordPress configuration uses.

WordPress behind forward proxy

How to configure WordPress behind a forward proxy. The tutorial explains why and how to configure your WordPress installation to make outbound connections via a forwarding proxy.

Why?

Most WordPress installations are allowed to make direct outbound connections. Outbound connections are needed to fetch updates or to connect to various services like the WordPress.com Jetpack or Google Analytics.

However, allowing all sorts of outbound connections means that you don’t know what URLs are being accessed. After an infection, it is possible that your installation connects back to Command & Control servers. This is something that I don’t want, and it’s the main reason why I want to keep visibility and control over every outbound connection made from my WordPress installation.

How?

You start by adding the following lines to your wp-config.php:

define('WP_PROXY_HOST', '192.168.84.101');
define('WP_PROXY_PORT', '8080');

This is the bare minimum. If you have to authenticate against the proxy or want to exclude certain domains, these options can be used as well.

WP_PROXY_HOST - Enable proxy support and host for connecting.
WP_PROXY_PORT - Proxy port for connection. No default, must be defined.
WP_PROXY_USERNAME - Proxy username, if it requires authentication.
WP_PROXY_PASSWORD - Proxy password, if it requires authentication.
WP_PROXY_BYPASS_HOSTS - Will prevent the hosts in this list from going through the proxy. You do not need to have localhost and the blog host in this list, because they will not be passed through the proxy. The list should be presented as a comma-separated list; wildcards using * are supported, e.g. *.wordpress.org.

After saving the file, your outbound connections should be going via your proxy. Now it’s best to check your proxy logs. My installation was missing cURL for PHP. This caused HTTPS lookups to fail. It’s clearly visible in the logs because the WordPress installation tries to do a POST for HTTPS websites. The result is an error 501 from the proxy server. Squid is being used in this case.

1421584726.310      0 172.16.x.y NONE/501 3680 POST https://accounts.google.com/o/oauth2/token - HIER_NONE/- text/html

This can be fixed by installing cURL for PHP. On Ubuntu, this can be done by installing the package php5-curl.

apt-get install php5-curl

This will automatically reconfigure and restart your Apache/PHP. Checking your proxy logs will show this.

1421740626.118    105 172.16.x.y TCP_MISS/200 4313 CONNECT accounts.google.com:443 - HIER_DIRECT/74.125.136.84 -

Perfectly valid again, and your WordPress installation is good to go for both HTTP and HTTPS.
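
Once everything goes through the proxy, the access log is where the visibility comes from. The script below is an added example, not part of the original post: it parses Squid native-format log lines, counts the destination hosts, lists hosts outside an expected set, and picks out NONE/501 failures like the one shown above. The allowlist and the last two log lines are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hosts this WordPress install is expected to contact.
# An entry starting with "." also matches subdomains.
ALLOWED = ("accounts.google.com", ".wordpress.org")

# First two lines are the ones from this post; the last two are constructed.
SAMPLE_LOG = """\
1421584726.310      0 172.16.x.y NONE/501 3680 POST https://accounts.google.com/o/oauth2/token - HIER_NONE/- text/html
1421740626.118    105 172.16.x.y TCP_MISS/200 4313 CONNECT accounts.google.com:443 - HIER_DIRECT/74.125.136.84 -
1421740700.002     88 172.16.x.y TCP_MISS/200 1250 GET http://api.wordpress.org/core/version-check/1.7/ - HIER_DIRECT/192.0.2.10 text/html
1421740755.431    240 172.16.x.y TCP_MISS/200 9120 CONNECT unknown-host.example:443 - HIER_DIRECT/192.0.2.77 -
"""

def parse_line(line):
    """Split one Squid native-format access.log line; None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    result, status = f[3].rsplit("/", 1)
    method, target = f[5], f[6]
    if method == "CONNECT":            # target is host:port
        host = target.rsplit(":", 1)[0]
    else:                              # target is a full URL
        host = urlsplit(target).hostname or ""
    return {"client": f[2], "result": result, "status": status,
            "method": method, "host": host.lower()}

def is_allowed(host, allowed=ALLOWED):
    for a in allowed:
        if host == a or (a.startswith(".") and (host.endswith(a) or host == a[1:])):
            return True
    return False

def review(log_text):
    """Return (host counts, unexpected hosts, requests the proxy answered 501)."""
    hosts, unexpected, failed = Counter(), set(), []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        hosts[e["host"]] += 1
        if not is_allowed(e["host"]):
            unexpected.add(e["host"])
        if e["result"] == "NONE" and e["status"] == "501":
            failed.append((e["method"], e["host"]))
    return hosts, sorted(unexpected), failed

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```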