XML-RPC is a WordPress API that lets site owners manage their WordPress sites remotely, while on the go. But how does it affect WordPress sites’ security?
What is XML-RPC, and why is it such a big deal?
XML-RPC is an API that enables developers to create WordPress ‘apps’ (clients, plugins and themes) that make remote HTTP requests to your WordPress site.
This means, as a WordPress site owner, if you used a plugin or client that had WordPress XML-RPC support, you would be able to perform a number of functions without actually logging in to your WordPress site.
Some of the functions you would be able to perform on your site with these plugins or clients would include:
Post-related functions like creation, publication, edition and deletion
Media-related functions that include uploading files, and viewing the media library
User-related functions, such as editing your profile, getting a list of authors for a post, etc.
Comment-related functions such as listing comments, and editing them
There are a number of Weblog Clients and WordPress plugins that allow you to do this. Some of the popular ones include the Jetpack plugin for WordPress.org, clients like rubypress, and WordPress Sharp; and even WordPress’ own app for both Android and iOS. Since all of these functionalities make life easier, WordPress has had XML-RPC enabled by default, since WordPress 3.5. (WordPress’ latest update was WordPress 4.6, so it’s been a while). Obviously these tools would still need you to input your WordPress admin username and password for them to work, so they seem safe.
How does it pose a security risk?
However, anyone can use the XML-RPC API to make these requests, and a script can use it to make many requests to your site simultaneously. This makes it a convenient choice for attackers who want to launch attacks against your site.
One use of this is to try many combinations of usernames and passwords while having a substantially lower chance of being detected. This makes XML-RPC an ideal approach for Brute Force attacks.
Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack is the simplest kind of method for gaining access to a site: it tries usernames and passwords over and over again until it gets in. Often deemed ‘inelegant’, these attacks can be very successful when people use passwords like ‘123456’ and usernames like ‘admin’.
Even if you have passwords consisting of a minimum of 10-15 alphanumeric characters and special characters, there is one more threat – DDoS.
DDoS is a type of Denial of Service (DoS) attack in which many infected websites or systems are used to attack a single website and bring it down by overwhelming the target with requests. The website’s server ends up denying service because it shuts down under the load (hence the term).
In fact, in March 2014, a number of WordPress sites experienced an attack involving ‘pingback’. Pingback is an XML-RPC feature (especially on WordPress) that lets you see where links to your WordPress posts are used. Sites that share a link ping the source of the link, and the source site replies (pings them back) with the live link, so that if the post is taken down you would see a ‘404 error’, and if it has been updated the newer version of the post would be displayed. When attackers used XML-RPC requests to perform the DDoS attack in 2014, they exploited this pingback feature and used thousands of other sites to ping victim sites. Once all those thousands of sites started pinging a victim site simultaneously, its server ran out of resources and the site went down.
Do you have to disable XML-RPC?
Well, it depends. WordPress identified the XML-RPC API abuse and has tightened its rules. Plugins like Akismet, which help detect spam, have also gotten better at detecting attacks like the one involving pingback. But the bottom line is that there is no way to make your WordPress site 100% attack-proof.
So yes, an easy way to make your site safer, would be to disable the XML-RPC API. For this, one can use security plugins, such as iThemes Security (formerly Better WP Security), or NinjaFirewall.
However, before making this choice, it is very important to understand that turning this API off can affect the functionality of some plugins and apps that you might be using in conjunction with WordPress. It will stop the WordPress mobile app from accessing your site and severely affect the functionality of plugins like Jetpack.
This is why it’s always important to have several backups of your WordPress site before you test the change and decide whether you’re okay with it. If you’d rather keep the functionality on, you can pick a previous version of your site and roll back to that fully functional version.
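As an added example (not code from the original post or from any of the plugins it names), here is a small must-use plugin that implements both choices discussed above with WordPress’ own hooks: switching XML-RPC off entirely, or keeping it on for Jetpack and the mobile app while removing the pingback methods that the 2014 attack relied on. The file location, the XMLRPC_HARDENING_MODE constant and its two values are assumptions of this example.

```php
<?php
/**
 * Plugin Name: XML-RPC hardening (added example, not part of the original post)
 *
 * Save as wp-content/mu-plugins/xmlrpc-hardening.php so it loads before
 * ordinary plugins. Choose the behaviour in wp-config.php with an assumed
 * constant:
 *   define( 'XMLRPC_HARDENING_MODE', 'off' );     // API fully disabled
 *   define( 'XMLRPC_HARDENING_MODE', 'partial' ); // default: API kept, pingback removed
 */

defined( 'ABSPATH' ) || exit;

if ( ! defined( 'XMLRPC_HARDENING_MODE' ) ) {
    define( 'XMLRPC_HARDENING_MODE', 'partial' );
}

/**
 * Remove the XML-RPC methods behind the two abuses described in the post.
 *
 * The 'xmlrpc_methods' filter receives the method table keyed by method name.
 * pingback.* are the methods other sites call to "ping back", and they do not
 * require a login, so they have to be removed explicitly even in 'off' mode.
 * system.multicall lets one HTTP request carry many calls, which is what makes
 * scripted login guessing cheap; removing it forces one call per request.
 */
function xmlrpc_hardening_strip_methods( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'xmlrpc_hardening_strip_methods' );

/**
 * Stop advertising the pingback endpoint: WordPress adds an X-Pingback header
 * to single-post responses, which is how remote sites learn where to ping.
 */
function xmlrpc_hardening_strip_pingback_header( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'xmlrpc_hardening_strip_pingback_header' );

if ( 'off' === XMLRPC_HARDENING_MODE ) {
    // Caveat: 'xmlrpc_enabled' is checked inside the server's login() method,
    // so it only refuses methods that authenticate (posting, media, Jetpack,
    // the mobile app). That is why the unauthenticated pingback methods are
    // also removed above rather than relying on this filter alone.
    add_filter( 'xmlrpc_enabled', '__return_false' );

    // Drop the RSD <link> in <head> that points clients at xmlrpc.php.
    remove_action( 'wp_head', 'rsd_link' );
}
```

Before deploying the 'off' mode, confirm in the Jetpack and WordPress mobile app settings that nothing you rely on still needs XML-RPC; the 'partial' mode leaves those working.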
Making an integral change to your site is never easy, but it’s always better when you have all the facts. Which choice have you gone with, on your WordPress site? Let us know in the comments!
At BlogVault, we recently spoke to Rahul Bansal, founder of rtCamp; Asia’s first WordPress.com VIP partner agency. He shares his convictions, struggles, the formation of rtCamp, the growth story that eventually led to this watershed achievement, and his thoughts on ethics & business practices.
India is waking up to the presence of WordPress in the digital landscape now. On the cusp of this realization, rtCamp has emerged as the very first WordPress.com VIP Partner in Asia. It is a prestigious featured partner program that has so far picked only 12 agencies worldwide, including rtCamp, as partners.
To those in the Indian WordPress community this achievement is definitely a breath of fresh air, considering the unwanted reputation agencies from South Asia carry in the global WordPress (WP) market.
As part of the same WP community, and as global leaders in backups & security, we at BlogVault wanted to record this achievement. The premier WordPress agency on the continent has definitely crossed a threshold and its founder joined us recently to trace his journey.
A Decade Ago: Building up Skills
Rahul’s journey started almost accidentally as he took up blogging during his engineering days, purely to follow a friend he looked up to. The rampant focus on remuneration packages instead of work profiles pushed him away from conventional job interviews during campus placement.
“I didn’t want to join any company; hence I took up M. Tech. It was essentially an escape”, says Bansal. Rahul says that he got more free time during his M. Tech. He began to enjoy blogging; and the journey took an interesting turn as he discovered Google AdSense.
The revenues from AdSense were sufficient to convince Rahul that he could take up blogging professionally. It was this decision that would eventually take him away from blogging and towards developing on WordPress. But, more on that in a bit.
The Family Front: A Quintessentially Indian Story
Rahul was thinking of becoming a professional blogger in the India of 2006. That too, after his engineering. It is not an easy switch to sell to our parents even now, so it could not have been easy then!
Rahul admits this to be a tough period in his life. However, he found an interesting analogy to help him. “…I used to explain my profession to my folks, especially the older ones, with the analogy of a news agency. [the conversation would go something like this]”
“Do you read a newspaper?”
“How much does a newspaper cost?”
“1 or 2 rupees!”
“Is that enough to run a news agency?”
“No! They make money from ads”
“I do the same thing. I run a newspaper online and make my money from ads.”
For the most part, that was that, and Rahul was a professional blogger. He suspects that the point that eventually convinced his parents was that he was no longer taking money from them.
The decision to turn a professional blogger also meant that he had to prepare to do the job well. As part of this project, blogger Rahul turned to WordPress to customize his site and gain more control over his content and its presentation. This turn, which came out of a necessity, would lead him to be fascinated with WordPress, the CMS’ ease of use, and the many possibilities the platform presented. All of these factors planted the seed of freelancing as a WordPress web developer in his mind; although he wouldn’t give up blogging straight away (after all it was a steady source of income and his blog was growing in popularity).
The Freelance Route to the rtCamp Journey
Perhaps one could read into Rahul’s approach to freelancing and see the success to come. He says, “I was already making money from the blog. It was because I wanted to learn many things on WordPress that I began freelancing.” So, he says, he made a list of things he wanted to learn in WP and went after projects with “realistic challenges”, “realistic deadlines”, and “realistic value” that would help him learn those skills.
The blogging trail paid rich dividends during his freelancing days too. There cannot be a better example of how popular his blog, Devil’s Workshop, was at the time, and of how having rich content can help any business, than the following story. Rahul recollects that he was once awarded a project before the details were finalized. He was surprised and asked the client why. He says, “The client only said that ‘You are running such a successful blog, you must be doing something right!’” Rahul says, “On the internet, it is your skills, not your academics that speak for you. That is how the internet works.”
The blogging trail, combined with his desire to learn and grow continuously, meant that Rahul built a successful client base as a freelancer. His list included clients from around the world. He is quick to point out, though, that this diverse client base wasn’t planned; instead he says “I just went after projects and opportunities [which interested me].”
This approach proved to be financially successful as well. Rahul remembers how almost all of his clients wanted to work with him again after the first projects were completed. This ensured that the workload burgeoned to the point that he couldn’t handle it alone.
Rahul’s growth in his individual professional life coincided with the 2008 global recession. During this period many of his friends could no longer depend on the giants of the IT industry to guarantee them a job. He pitched the work he was doing to them and when some of them showed interest, he trained them. The burden of his workload decreased and the business expanded. This expansion would eventually be titled rtCamp but that was still a few months away.
So far, none of Rahul’s decisions seem obvious: turning away from a career after engineering; convincing his parents about becoming a professional blogger; and taking up freelancing projects as a web developer to learn a CMS that, in 2006-2008 India, was not nearly as popular as it is now.
Another one of such decisions was that, very early on, he decided that he would work solely on WP. This decision too was born out of his conviction, “I believe we should only develop on software we use.” “To date, even out of curiosity, I haven’t installed Joomla or Drupal” explains Rahul. Hence he was a WordPress freelancer much before the marketplace emerged for the title in the country. Following his convictions, as Rahul himself states was a “good decision [looking back].”
rtCamp: The Core Values
The more we spoke the more we realised that Rahul’s freelancing days would come to shape his own values and lay the groundwork for the path rtCamp would take. During his period as a freelancer, Rahul was not only fascinated with acquiring skills but was interested by the open-source platform; and the community that came with it.
In that period he participated in many meetups. The “un-conference” culture of the WordPress community and the open-source movement charmed him. Going along with this, he wanted a work environment where “everyone respects everyone”. The value he derived from camps, and his “hunger for equality”; as Rahul puts it, eventually led to ‘rtCamp’.
rt stands for roundtable, a reference to the famous round table of the noble knights in the Arthurian legend. The ‘Camp’ part comes from the desire to replicate the community-driven culture around Bar/Word/php camps which Rahul used to attend: an environment where everyone participates, speaks up and takes ownership. It was an idea he had come to cherish. “I liked the unconference culture and wanted the same in my organization. I believe everybody must speak and express themselves rather than simply taking orders,” says Rahul.
So it is not a hyperbole or an act of taking credit in hindsight when he says, “Looking back you can always connect dots. Our core values have made us the kind of company we are today. One who loves WordPress, open-source, and contributes to the community”
He says rtCamp always encourages all ‘rtCampers’ (as the people who work at the agency are called) to participate in the community, whether by attending WP meetups and WordCamps or by other means.
On Landing Big Clients: The Case of Geometric
The points about the “un-conference” culture and the encouragement for people to take ownership shine through when you ask Rahul how rtCamp landed its first big client, Geometric Global.
He began his response to us by crediting rtCamp’s then Head of Marketing, Gajanan Sapate.
Sapate suggested building rtCamp’s presence on LinkedIn as a WordPress Agency. Although Rahul wasn’t keen on the idea Sapate went ahead without his approval, Rahul recollects. “That is what the round table culture is all about,” he says proudly.
Around that time, Geometric Global were on the lookout for a WP agency. They are an MNC and, as Rahul pointed out, have offices around the world. The website part of the business, however, was managed out of Hinjewadi near Pune. They wanted a local vendor to build their site on WP. Decided on these two points, the location of the vendor and the CMS, they went looking for a WP agency on LinkedIn.
This was around 2011-12 and Rahul suspects that Geometric Global’s search for a WP agency on LinkedIn resulted in only rtCamp’s name popping up as there were no other WP agencies at the time. Sapate’s initiative had paid off and only time would reveal how handsomely it had paid off.
For what seemed like a pleasantly fated start, the relationship between Geometric Global and rtCamp was anything but that. rtCamp at the time was a small agency. Despite its size, some members of Geometric Global were keen on working with them. The reason for this was once again, among other points, the blog Devil’s Workshop. Rahul remembers that some members of Geometric Global were already familiar with his blog when they approached rtCamp. Apart from this, rtCamp’s plugins on WordPress.org, open-source projects, and participation in and contribution to the WP community were all reasons in their favour.
Even today, Rahul suggests that younger agencies looking to build a reputation with WP must show their love for the CMS by making contributions to the community. This is not simply a pedantic statement. In fact, WordPress.com announced rtCamp as a VIP partner with an article, where rtCamp’s “record of community engagement” was specially mentioned as the reason for extending them VIP partnership.
While the above points were in favour of rtCamp, some others were not. For starters, they were not used to a seemingly long sales cycle of around 6 months. Rahul recalls that until then most, if not all, of rtCamp’s sales cycles had lasted a maximum of 2 weeks. This shift proved quite frustrating, Rahul mentions. Along with this, rtCamp was also not familiar with many processes required by enterprise-level clients. They failed many checks, like access control (magnetic strip cards), among others.
This meant that, while rtCamp was optimally placed to deliver a project which was based on WordPress for Geometric Global, they were not aware of many requirements and practices of enterprise clients. Both parties, Rahul admits, acknowledged these points. Rahul remembers being upfront in his approach when it came to selling to his first big client, and they eventually landed the project.
Even after this, however, the demands of servicing an enterprise client were taking their toll on a small but growing agency. One of the reasons for this was that rtCamp billed Geometric Global like all of their other clients. This was unsustainable, as Rahul himself admits. Geometric Global’s value at the time was greater than the combined value of all their other clients, and the demands were correspondingly greater.
All these struggles meant that Rahul was unconvinced by the idea of taking on enterprise clients. He says that for about two years after signing Geometric Global he did not try to sign any other enterprise clients. During this 2-year period, however, their relationship with Geometric Global evolved and stabilized. It wasn’t easy, as Rahul recollects: “Even after [we signed them] there was a steep learning curve.” Geometric Global’s willingness to work with rtCamp and train them on certain issues sustained the work, Rahul recollects. In fact, the suggestion to increase the price came from Geometric Global too, Rahul mentions. This maturing relationship eventually convinced Rahul that enterprise-level clients were the way forward for rtCamp. It seems that rtCamp hasn’t looked back since.
Mission “WordPress.com VIP Partner”: A New Year’s Resolution
There is a diffident smile on Rahul’s face when he mentions that at an rtCamp New Year’s party he announced that the agency would become a WordPress.com VIP Partner. While he admits that he didn’t have a very specific roadmap in mind then, he planned for it every day for the next 18 months.
Part of the plan was to deliver VIP grade code to their clients before they had contact with WordPress.com. Rahul surmises, “Most people change when there is a need to [do so]. We started coding at VIP standards when our clients were not asking for it.”
Such preparation has paid off very well. Rahul says that when they got their first VIP project from WordPress.com, “The code was approved in the very first round!”
However, if you ask Rahul why he aimed to become a VIP partner, the story takes a more poignant turn. He had noticed how clients abroad would switch off when they knew an agency was from South Asia. Rahul recognised that it would be hard for everyone to go through rtCamp’s work. Having a symbol of quality would bypass some of these issues, he thought, and becoming the first VIP partner in Asia seemed like the solution.
Unique Growth Story of an Indian Agency: Way forward for Indian WP communities
The challenges were many, and in that context the growth of rtCamp is surely a unique story. This is so not just because of what it has done but also because of how the agency has done it. It is one thing to come up with a name or a set of values, and another thing to stand by and act according to those convictions when you know they aren’t going to work in your favor. This is what Rahul has done.
He recollects a time when a Project Manager at rtCamp made an error in scoping the document. This led to a verbal commitment to deliver the project on a deadline. When the D-day neared, the error surfaced. Rahul recollects how he not only admitted the error straightaway to the client but resolved to work for the remaining duration of the project for free. “If we made a mistake, then we should pay for it. Why should the client suffer?”, Rahul asserts.
Although the client was very pleased with the results when the project was eventually completed and offered to compensate rtCamp, Rahul says that he refused. He reasoned that they might forget the lessons they learned if they accepted payment.
These actions, though exemplary, almost drove Rahul to bankruptcy. The client was one of their biggest at the time, and working for them at no cost meant Rahul had to pay a heavy price. If not for a friend who loaned him some money, Rahul would not have been able even to pay salaries. These decisions are only more admirable because of the accompanying circumstances. Just before the incident came to light, Rahul had got married. A new phase of his personal life began with a crisis in his professional one. Although it looks like he took a big gamble, and he did, Rahul simply says, “It was about doing the right thing.”
It is this combination of technical expertise, professionalism and a high level of adherence to their core values and ethical business practices that sets the foundation of rtCamp’s success. It is also a good sign-post for younger WP agencies to begin charting their paths.
“Becoming a WordPress.com VIP partner is the start of something,” Rahul says. He is not about to rest on his laurels but, “… everything we do must be better now … and we’re working harder to get everything right.” Rahul says he feels more responsible now as there is a sense of representing the Indian WordPress community.
At BlogVault, we wish Rahul and rtCamp all the very best and we look forward to seeing the next big thing from them.
Themeco Hosting users can now enjoy the premium WordPress backup service from BlogVault. This partnership allows all users of Themeco Hosting to utilize BlogVault’s expertise, at no extra charge.
As advocates for best practices in WordPress backups and security, we are certainly proud of this partnership with Themeco Hosting which makes professional backups a part of the hosting service.
A Quick Intro to BlogVault
To all the new users, welcome!
Our service stores up to 30 days of backups, guaranteed. You can find all the versions listed in order with date, time and changes. So, when the time comes to restore or migrate your site, you can choose the desired version with ease.
The dashboard is designed to be pain-free and is a single-point access to all options related to backups, restores, and security settings; so that you can focus on creating and managing content in a dynamic & creative environment.
You can log in to your BlogVault dashboard anytime to find all your files and tables, and find out which ones are excluded from backups. In the same list, you can also add any excluded item to backups, or download any one or all of the files/tables.
To do this, simply click on the files/tables and, at the end of the list, click ‘Add to backup’. Alternatively, select the files/tables the same way and, at the end of the list, click ‘Download’. You have complete access to and control over all your files and tables.
With that we welcome Themeco Hosting users to BlogVault and look forward to a fruitful partnership.
About BlogVault, & Themeco
BlogVault is a Bengaluru based, five-year old tech company developing premium backup & security solutions.
Themeco Hosting is brought to you by the same people behind the creative WordPress theme X and the versatile page builder Cornerstone.
Figuring out the best security option for your website (especially deciding between a WordPress firewall and an antivirus) requires a lot of research and technical know-how. But if you’ve decided on getting a WordPress firewall, NinjaFirewall is one of the options that you will have to consider.
This is why we decided to test NinjaFirewall (v 3.2.4) for you, and to do it from a WordPress newbie’s point of view. We’ve pitted it against the common exploits on WordPress sites to see if it stands our tests of fire. A Web Application Firewall (or WAF) provides customizable inspection of requests and runs as an appliance, a plugin, or a cloud-based service.
Host-based firewalls on WordPress help protect against threats originating within the host (which, in this case, is your website). This means that they help reduce the risks of vulnerabilities in your website being exploited.
NinjaFirewall is installed and configured just like a WordPress plugin, but it’s a ‘stand-alone’ plugin that intercepts all requests made to WordPress. Being ‘stand-alone’ means it has its own settings, options, policies and rules that you can configure. If you’ve googled NinjaFirewall, you’ll have seen phrases saying that the firewall ‘sits in front of WordPress’. This simply means that NinjaFirewall intercepts requests with the aim of alerting you to, and stopping, any suspicious activity or requests before they affect your site.
There are also a few hiccups that you might face during installation. The NinjaFirewall team has documentation for these, which is great if you aren’t a beginner with WordPress and know enough of the basics to understand code.
What NinjaFirewall Claims to Do for You
NinjaFirewall claims to intercept traffic and determine which of it to allow through to your site. Upon installation, the firewall backs up your php.ini and .htaccess files and then modifies them so that every request made to your site passes through it. It then filters requests and traffic using extensive rules (and a whitelist) to separate good requests from malicious ones. The bad requests are dropped while normal requests are forwarded to your WordPress site. Its aim as a firewall is to prevent your site from getting hacked by blocking bad requests from the get-go.
NinjaFirewall has a lot of features that help towards this end, and adds many varied security functions to your site. Each feature of NinjaFirewall has different options and settings, and we hope to explain the most important ones below:
Firewall Options This is where you enable or disable NinjaFirewall. You can also customize the error messages to be displayed on your site when the firewall detects a bad request.
If you’ve got NinjaFirewall installed on another site and have configured it according to your needs, you can import it to a fresh installation in the Firewall Options section. The only requirement is that both sites should have the same versions of NinjaFirewall. Importing another configuration of NinjaFirewall will override any firewall-related rule, option or configuration that exists on the site you’re importing to.
Firewall Policies Most of the options that control how NinjaFirewall works are in the “Firewall Policies” section. None of these options are free-form, though: the majority of them are Yes/No options or check-boxes. The first few options let you decide whether you only want traffic over SSL or are okay with traffic that comes from other sources. Since a lot of hacks originate from file uploads, the firewall also lets you choose whether to allow them or not. These first few options are easy enough to configure:
But as you scroll down the list, they get more and more complex. Some options even caution the user not to click on them if they don’t understand what they entail. NinjaFirewall has documentation to explain all of these options, but some of them might still need some technical knowledge. This is why we’re going to try and break it all down for you.
HTTP variables are how a request passes information to a web page. Scanning them for dangerous values is a great move, especially since hacks depend on GET, POST and REQUEST variables. Sanitizing these variables makes sure that the website interprets strings as strings, and not as commands.
These options keep out suspicious bots from crawling your site:
The HTTP response headers help in protecting your site from other hacks that originate from the browser’s end.
There are also a few options that are unique to WordPress:
These help protect your site from SQL dumping (i.e. creating a snapshot of, and storing, all of your website’s database files), as well as from a number of shell scripts.
When a hacker tries to attack your site, they make a number of attempts and depend on error messages to determine whether their attack worked or not. NinjaFirewall has the following options to stop your site from displaying revealing error messages:
And then there are other ‘various’ options that you can enable:
NinjaFirewall also has options that control the requests made to and the access to WordPress core files and directories:
This section is also where you can modify the firewall’s white-list:
File Check This feature creates a ‘snapshot’ of your files so that later modifications can be detected by comparing the current files against the originals. Once you create a snapshot (which you can later download or delete), it allows you to scan your site for file changes. You cannot activate this scan before you create a snapshot.
Anti-Malware NinjaFirewall also has an Anti-Malware feature that allows you to scan for hacks. According to NinjaFirewall’s documentation, this feature doesn’t alert you to spammy links (like those that might redirect your visitors to porn sites). However, it does alert you based on signatures of malware that could damage your site. This isn’t a great way to go about scanning sites, though, especially since hacks are complex. This is probably why it is the one feature on NinjaFirewall that allows you to add custom rules or signatures for malware or suspicious activity.
NinjaFirewall has handy documentation for how to go about this. You will need to understand what to create signatures for, in order to make use of this feature.
The Anti-Malware feature poses a couple of issues, though. More on them here.
The firewall logs any suspicious activity in the Firewall Log section, and you can set how often it alerts you, and what it alerts you of:
This way, if the firewall blocks any attacks, you can see what happened in the Firewall Log. It’s always good to examine why and how it blocked the attack.
Brute Force Attacks are a different thing altogether: NinjaFirewall has a separate option, Login Protection, to help protect against them. The option asks for HTTP authentication credentials, without which you can’t enable it. You can also set the message displayed when the firewall blocks such attacks.
Firewall Log It is what it sounds like: a log of everything NinjaFirewall found unusual, according to the rules you set in Firewall options. So if you’ve asked to be notified about any plugins updated, deleted or created, this log will contain all the details.
Live Log This feature monitors HTTP and HTTPS traffic on your site, so it aims at protecting against any traffic related attacks (like Brute Force, DDoS, or weird IPs trying to access your site.)
NinjaFirewall has a set of ‘rules’ according to which it operates. These rules are mostly signs, or signatures, of the attacks it tries to prevent. According to NinjaFirewall’s documentation, the rules are downloaded from the WordPress.org repository, and the plugin doesn’t contact NinTech’s servers during the update process.
You can’t add your own rules, but you can modify them in the Firewall Policies section, if they’re greyed out in the drop-down.
This feature keeps your installation of NinjaFirewall up to date. Setting the firewall to fetch updated security rules is a tradeoff between keeping your custom configuration and keeping your site secure.
Of course, you could ask to be notified about the changes and then go back and adjust them to suit your requirements.
What we tested it against
We ran a series of tests to evaluate first-hand the efficiency of NinjaFirewall against some of the common attacks WordPress sites face. For this, we created a test site (which stands in for your website): 220.127.116.11/wordpress
The vulnerabilities we tested the firewall against were:
1. SQL Injection
The Firestorm real-estate plugin (specifically v 2.03) contained a vulnerability that allowed SQL Injection. This plugin lets you add real estate listings to your WordPress site.
Testing NinjaFirewall against SQL Injection
To exploit this vulnerability, we tried entering SQL code into the Firestorm plugin to get data from wp_users. (For those of us who don't know what wp_users actually does, it allows you to get data from, and modify both the roles and capabilities of, WordPress users other than the admin.)
Here is the SQL code we used:
18.104.22.168/wordpress/wp-content/plugins/fs-real-estate-plugin/search.php?ProvinceID=35335 UNION SELECT 1, user_pass, 3, 4, 5, 6, 7, 8 from wp_users.
Because this version of the plugin is vulnerable, it will execute the code to try and select the user credentials from users 3, 4, 5, 6 and 7.
We used this in our browser’s address bar.
(Note: This is why, for this attack and the couple following, we're going to ask you to look closely at the address bar.)
Running the test in the address bar
Once we entered the same code into the address bar of the browser, this is what showed up on the test site (look at the address bar carefully, please):
But how did things work out behind the scenes of the attack?
Firewall Log for SQL Injection
This is what NinjaFirewall’s Firewall Log had to show us:
It looks like the firewall already had this exploit in its list in the Rules Editor section, and hence it detected the exploit and prevented it from occurring.
2. Arbitrary File Upload and Local File Inclusion (LFI)
There were a couple of vulnerable plugins that came to mind when we thought of Local File Inclusion. One was Slider Revolution (v 3.05), and the other was Gravity Forms (< v 1.8.19).
We chose Slider Revolution, though, because it allowed us to perform both exploits, and because more than 100,000 sites were attacked in 2014 through this plugin.
Testing NinjaFirewall against Local File Inclusion
The Slider Revolution plugin was used to perform Local File Inclusion on vulnerable websites in the following manner:
Say the vulnerable site was called ‘victim.com’.
The vulnerability allowed attackers to request that the RevSlider plugin on the vulnerable site show the images in the slider. Once it did that, the attackers would also try to figure out the structure of the WordPress directory. They would then get it to include files from the website's local server (like the wp-config file) among the files it revealed. So the final URL entered on the site would be something like:
We used a very similar approach to try to get the plugin to include the website's wp-config file and reveal it.
Here is how NinjaFirewall reacted:
Running the test
Since the action got blocked, we just checked out the Firewall Log.
Firewall Log for Local File Inclusion
Testing NinjaFirewall against Arbitrary File Upload
Again, trying to cover two attacks with the same plugin, we tried uploading random (or arbitrary) files to the test site. If the attempt were successful, the damage to the site would depend on the kind of file uploaded and what it was intended to do.
Take a look at the address bar to see what we’ve tried to do.
Now don't get confused: we named the files to be uploaded "revslider" so that the plugin would accept them more easily.
Running the test
Again, we only checked out the Firewall Log, since this attack was unsuccessful.
Firewall Log for Arbitrary File Upload
Here is what the Firewall Log said:
3. Brute Force Attacks
As mentioned earlier, to protect against Brute Force attacks, NinjaFirewall has a separate option called Login Protection.
Testing NinjaFirewall against Bruteforce attacks
Just to test its effectiveness, a colleague of mine, Vijay, tried launching a Brute Force attack against the website using Hydra, a tool that helps test websites and crack admin credentials.
Running the test
We launched a Brute Force attack against the site when we’d set the “Enable Brute Force Attack Protection” to “No”. This is what Hydra got us:
As you can see, the attack was successful, and Vijay was able to get the site admin’s login credentials.
Then, we went ahead and enabled the Login Protection feature:
Vijay then launched the attack again. This is what Hydra’s log said:
A quick look at how the attack was reported in NinjaFirewall’s Firewall Log (this shows how the attack was let through, and then stopped):
4. Remote File Inclusion (RFI), Arbitrary Code Execution, and Backdoors (a custom hack)
We used TimThumb because it was a plugin that was widely used and had a vulnerability that allowed millions of WordPress sites to get hacked. This test was therefore meant to check the basics of the firewall.
Testing NinjaFirewall against Remote File Inclusion and Arbitrary Code Execution
For this, we used the (currently defunct) Pict.Mobi widget, which used TimThumb (v 1.28), on the test site. Obviously, since the RFI exploit would need a hack file to be included from a remote location, we also created another site that would host the bad file.
We took the approach a hacker would: we first confirmed that the (test) site used TimThumb, and that it was a vulnerable version.
Then we selected a very small file (in this case, a 16x16 .png icon) and modified it to contain PHP code.
Next we used the TimThumb vulnerability to include the file remotely on the test site. Note that the file contained PHP, which means that any time it was accessed, it would run.
Sure, it was an image file, so it could easily bypass the site's usual checks, but the PHP code could still be accessed and executed.
Testing NinjaFirewall against Backdoors
We wanted to kill three birds with one stone, so we made sure to create an encrypted shell for the PHP code on the image before we uploaded it.
Running the test
We then extracted the code from the hackfile shell, just like a hacker would:
And then ran it.
NinjaFirewall didn’t stop the attack.
We think this was because NinjaFirewall has a list of rules for what attacks should look like, in a section called Rules Editor.
Click on the drop-down, and you see the list of rules that NinjaFirewall follows:
These rules are internal to NinjaFirewall, so you can’t see what exactly each rule entails.
The attack we performed, though, didn't exactly follow the rules for how those attacks work.
The results of the tests are as follows:
The log didn’t pick up on the hack. In fact, it only listed the backdoor we’d tested it for.
The firewall didn’t detect changes in files. We were still able to list the files in the WordPress directory.
We didn’t expect this feature to remove the malware, because it’s only a scanner.
Unfortunately, it didn’t find the infected files. We were under attack, and this is what the anti-malware feature said:
No blips on this feature either.
Unresolved issues with NinjaFirewall
Since this is a review of the entirety of NinjaFirewall, we didn’t only test it against vulnerabilities. We also checked for issues other than those of protection. Most of these issues are documented on NinjaFirewall’s forum on WordPress, or on its online documentation.
● Anti-Malware scans time out
The Anti-Malware feature on NinjaFirewall allows you to scan the files in a particular directory of your site for malware (by default this is /var/www/html/wordpress/).
The thing is, by default this feature only scans files that have been created or changed in the last 7 days. You can change the time period (the Timestamp) or even set it to zero, in which case it scans your whole site.
However, if your website is on a shared host, there is one major problem you could face: the Anti-Malware scan timing out.
The feature stops scanning your site after a certain time period that is set by your web host. This means that if you have too many files on your site, the scan will get cut short. Your site could never get fully scanned, unless you try some workarounds (like this one suggested by the NinjaFirewall team). This is probably why NinjaFirewall's Anti-Malware feature also has the two options "Ignore file extensions" and "Ignore files/folders":
While there isn't anything NinjaFirewall can do about the scan timing out, it is a huge drawback for users who want to scan their sites.
● The Anti-Malware feature uses only signatures to detect malware
This is a widely used method to identify malware and viruses, but it doesn't catch everything, which is why most security scanners use it in combination with other approaches. Hacks exploit vulnerabilities on your site, but how the bad code is run on your site depends completely on how the hackers want to carry out the attack. So the 'signature' of malware can always be altered in small ways to escape detection. This is why, as we explained earlier, our exploit of the vulnerabilities in the Pict.Mobi plugin allowed RFI, Arbitrary Code Execution and Backdoors on our test site.
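The two signature-matching points above (the UNION payload the firewall caught in test 1, and the signature-only detection discussed here) as an added example, not NinjaFirewall's own code: a small request filter run over constructed sample request paths. It shows that signatures applied to the raw request miss the same payload once it is URL-encoded, that decoding and case-folding before matching closes most of that gap, and that a plain keyword signature still produces a false positive on a benign search. The signature names, the traversal-style sample paths and the benign samples are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical signatures (an assumption, not NinjaFirewall's real rule set),
# modelled on the two request-level attack classes the review tested.
SIGNATURES = {
    "sqli-union-select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.IGNORECASE),
    "lfi-path-traversal": re.compile(r"(\.\./){2,}|/wp-config\.php", re.IGNORECASE),
}


def normalise(request_line: str) -> str:
    """Undo URL encoding (repeatedly, so double encoding is unwrapped too),
    collapse whitespace and fold case, so one signature covers many spellings."""
    decoded = request_line
    for _ in range(3):  # bounded, so a hostile input cannot keep us decoding
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r"\s+", " ", decoded).lower()


def match_raw(request_line: str) -> list:
    """Naive matcher: signatures applied to the request exactly as received."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request_line)]


def match_normalised(request_line: str) -> list:
    """The same signatures, applied after normalisation."""
    return match_raw(normalise(request_line))


# Constructed sample request paths. The first is the UNION payload typed into
# the address bar in test 1; the next two are the same payload URL-encoded
# once and twice; then a traversal towards wp-config.php (plain and encoded),
# a benign search query, and an ordinary post request.
SAMPLE_REQUESTS = [
    "/wordpress/wp-content/plugins/fs-real-estate-plugin/search.php"
    "?ProvinceID=35335 UNION SELECT 1, user_pass, 3, 4, 5, 6, 7, 8 from wp_users",
    "/wordpress/wp-content/plugins/fs-real-estate-plugin/search.php"
    "?ProvinceID=35335%20UNION%20SELECT%201,user_pass%20from%20wp_users",
    "/wordpress/wp-content/plugins/fs-real-estate-plugin/search.php"
    "?ProvinceID=35335%2520UNION%2520SELECT%25201",
    "/wordpress/index.php?file=../../../wp-config.php",           # constructed
    "/wordpress/index.php?file=%2e%2e%2f%2e%2e%2fwp-config.php",  # constructed
    "/wordpress/?s=union+station+select+committee",               # benign search
    "/wordpress/?p=35335",                                         # ordinary post
]


def evaluate(requests):
    """Return [(request, raw_hits, normalised_hits)] so the two matchers can
    be compared side by side for every sample."""
    return [(r, match_raw(r), match_normalised(r)) for r in requests]


if __name__ == "__main__":
    for req, raw, norm in evaluate(SAMPLE_REQUESTS):
        print(f"{req[-60:]:<60}  raw={raw}  normalised={norm}")
```

The benign search (sample 6) is flagged by both matchers, which is the other half of the signature trade-off: broad patterns catch re-encoded variants only at the cost of false alarms, so a real firewall weighs several signals rather than one keyword match.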
● The firewall modifies .htaccess files
NinjaFirewall backs up the php.ini and .htaccess files it has to modify, but modifying the .htaccess file can itself wreak a lot of havoc on your site. The .htaccess file controls a lot on your WordPress site. One of its more obvious functions is access control (i.e. which users are allowed on your website), but it also dictates how files with certain extensions run on your site. This is why any minor slip-up with this file could cause your server to malfunction badly. Just to be on the safer side, we recommend that you perform a backup of your entire site rather than just the .htaccess file. That way, even if something breaks, you can always roll back to a working version of your site.
● Modifying the .htaccess files and php.ini files slows down your site
The .htaccess file gives you access to the configuration of directories on your website even if you don't have access to your hosting server's (e.g. Apache) main configuration file.
This means that when your site is configured to direct traffic based on the modifications made to .htaccess, Apache has to look for and load all the .htaccess files on every request made to your site. As a result, your WordPress site's load time increases.
It’s a good way to direct traffic when your main server configuration file isn’t accessible, but otherwise it isn’t a great thing.
● The firewall interrupts backup operations regularly
NinjaFirewall triggers false alarms when WordPress backup plugins are run, and sometimes doesn't allow backup plugins to back up the site at all. The firewall also has to be disabled before migrating your site to a new IP address.
● Can’t manually install NinjaFirewall
As mentioned earlier, NinjaFirewall might log you out of your WordPress site and deny you access if you use an FTP client to make changes to it, or even to uninstall it. Anything you need to do with respect to this plugin has to be done from your WordPress dashboard.
NinjaFirewall seems like a powerful tool against known attacks that match their known signatures. But the thing is that most hackers know these signatures, and know that most security measures protect against them. So they modify the signatures to perform more successful, and at times more devastating, attacks.
Being alerted to attacks after they've taken place isn't something a lot of website owners can afford, especially given the damage hacks can wreak. However, having a hack cleaner might help you scan for, and remove, the malware that causes the damage. In any case, it's always important to have a dependable backup service for your WordPress site.
Did you like this review of NinjaFirewall? Would you like to see other firewalls tested too? Let us know in the comments!
Permalinks, or permanent links, are the URLs that point to specific web pages on your WordPress site, be it individual posts/pages or category/tag archives. They are meant to remain the same, indefinitely. Permalinks are what people enter into their browsers in order to view your web pages, to read your content. They are what search engines (and other websites) use to link to your site. One can therefore say that permalinks are the gateways to your website that play an important role in overall site optimization.
The Default WordPress Permalink Structure
WordPress, by default, uses a permalink structure that takes the form of a URL followed by a query string that identifies the pertinent post ID. For instance, if N is the post ID number, the default WordPress permalink structure would be www.websitename.com/?p=N.
This default permalink structure is unreadable to humans, and hence is termed 'ugly'. Ugly permalinks are neither user-friendly nor search-engine friendly. It is therefore recommended that you switch to a more SEO-friendly WordPress permalink structure.
Other ‘Pretty’ Permalink Structures in WordPress
In addition to the default permalink structure, WordPress offers the following permalink structures for you to choose from:
Day and Name: Here, your page URL will include the year, month, and date that a post was published, followed by the post name.
Month and Name: In this case, your page URL will be two characters shorter than the previous case, as it includes only the year and month that the post was published, and of course, the post name.
Numeric: Here, your page URL will simply include the ID of the post (again, not very SEO friendly).
Post Name: Here, your page URLs will include the post name alone, making them short and memorable. And so, most WordPress users prefer to use this permalink structure for their websites.
Custom Structure: Here, you get to create your very own permalink structure by making use of one or more of the following structure tags:
%postname% – stands for the post slug
%post_id% – stands for the post ID
%category% – stands for the category the post was published under
%year% – stands for the year the post was published
%monthnum% – stands for the month the post was published
%day% – stands for the day the post was published
%hour% – stands for the hour the post was published
%minute% – stands for the minute the post was published
%second% – stands for the second the post was published
%author% – stands for the name of the author who published the post
Out of the structure tags mentioned above, the first six are more commonly used than the rest.
The above permalink structures are better organized than the default one, making it way easier for both visitors and search engines to navigate to your content. They help optimize your SEO and attract more and more users to your site. These permalink structures are often referred to as ‘pretty permalinks’.
Some Permalink SEO Tips
Include the post name in your permalink; it is what matters the most – from both SEO and user perspective.
Use simple and short permalinks that are less than 100 characters in length. So even if your article title is longer than usual, remember to cut it short in the URL, so that it falls within the 100-character limit (it’s best to use 3-5 words in the URL slug).
While it is advisable to include a keyword in your permalink, refrain from stuffing it with keywords (that’s just shabby).
Avoid using stop words (like a, the, is and are) in your permalinks. For instance, if your article title is ‘Stop using stop words in your permalinks’, you can leave out ‘in’ and ‘your’ from your page URL.
Use hyphens as separators, not underscores. So, for the article title mentioned above, a good page URL would be: www.websitename.com/stop-using-stop-words-permalinks.
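The structure tags listed above and the SEO tips that follow them, carried through in code as an added example (not WordPress's own implementation): a slug builder that applies the tips (hyphens, no stop words, 3-5 words) and a permalink builder that substitutes the tags into WordPress's preset structures, with a checker that reports which tips a given structure violates. The stop-word list, the sample post and the custom structure are assumptions for illustration.

```python
import re
from datetime import datetime

# Assumptions for illustration: a small stop-word list, the 3-5 word slug
# guideline from the tips above, and the site name used in the examples.
STOP_WORDS = {"a", "an", "the", "is", "are", "in", "your", "of", "to", "and", "on"}
MAX_SLUG_WORDS = 5
MAX_PERMALINK_LEN = 100
SITE = "www.websitename.com"

# WordPress's built-in structures written with the tags listed above, plus a
# constructed custom structure using %category%.
PRESETS = {
    "Day and Name": "/%year%/%monthnum%/%day%/%postname%/",
    "Month and Name": "/%year%/%monthnum%/%postname%/",
    "Numeric": "/archives/%post_id%",
    "Post Name": "/%postname%/",
    "Custom (constructed)": "/%category%/%postname%/",
}


def slugify(title, max_words=MAX_SLUG_WORDS):
    """Turn a title into a slug: lower-case, hyphen separators, stop words
    dropped, at most max_words words (the SEO tips above)."""
    words = re.findall(r"[a-z0-9]+", title.lower())
    kept = [w for w in words if w not in STOP_WORDS] or words  # never empty
    return "-".join(kept[:max_words])


def build_permalink(structure, post, site=SITE):
    """Substitute every structure tag with the matching value from the post."""
    d = post["date"]
    values = {
        "%postname%": post["slug"],
        "%post_id%": str(post["id"]),
        "%category%": post["category"],
        "%year%": f"{d.year:04d}",
        "%monthnum%": f"{d.month:02d}",
        "%day%": f"{d.day:02d}",
        "%hour%": f"{d.hour:02d}",
        "%minute%": f"{d.minute:02d}",
        "%second%": f"{d.second:02d}",
        "%author%": post["author"],
    }
    path = structure
    for tag, value in values.items():
        path = path.replace(tag, value)
    leftover = re.findall(r"%[a-z_]+%", path)
    if leftover:
        raise ValueError(f"unknown structure tag(s): {leftover}")
    return site + path


def seo_issues(structure, post):
    """Check one structure against the permalink SEO tips above."""
    permalink = build_permalink(structure, post, SITE)
    path = permalink[len(SITE):]
    issues = []
    if "%postname%" not in structure:
        issues.append("post name missing")
    if len(permalink) > MAX_PERMALINK_LEN:
        issues.append(f"longer than {MAX_PERMALINK_LEN} characters")
    if "_" in path:
        issues.append("underscore used as separator")
    if any(w in STOP_WORDS for w in post["slug"].split("-")):
        issues.append("stop word in slug")
    return issues


# Constructed sample post, using the title from the tips above.
SAMPLE_POST = {
    "id": 42,
    "slug": slugify("Stop using stop words in your permalinks"),
    "category": "seo",
    "author": "akshat",
    "date": datetime(2015, 3, 24, 9, 5, 7),
}

if __name__ == "__main__":
    for name, structure in PRESETS.items():
        print(f"{name:<22} {build_permalink(structure, SAMPLE_POST)}  "
              f"issues={seo_issues(structure, SAMPLE_POST)}")
```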
Changing Permalinks on a Live Site
It is wise to choose a permalink structure for your WordPress site at the beginning itself. Changing the permalink structure of a live site, especially one that’s been running for more than six months, can drastically affect your SEO rankings. If you want to change your permalinks and avoid antagonizing users and search engines, here’s what to do:
change the page URLs from the back end
301 redirect all the previously used URLs
To ensure that you don't mess up, it's a good idea to make a complete list of the previous URLs as well as what they'll be redirecting to. And if you don't want to get your hands dirty, you can always hire a professional to set up the redirects for your site. In spite of all this, you'll still be losing all your social media share counts; there's no changing that.
A pretty permalink structure is no doubt more user-friendly and SEO-friendly than the default one WordPress provides. It is always advisable to define your website permalink structure right at the beginning of your WordPress journey. However, if you should ever reach that point on the road where updating the permalink structure of your site means better SEO, then go for it! Just make sure to properly redirect your old URLs to the new ones.
And yeah, do remember to keep your site completely backed up before changing the permalink structure on your live site.
We at blogvault arrived at a situation where we needed to convert some of our pages into posts. Common sense will tell you to create a new post, copy everything from the page to the new post (content, title and all), delete the old page and finally publish the post! This should work great if your permalink is set to the WordPress default (or you have some custom setting that handles it somehow using the ID). But in our case our permalink setting was:
So when we visited the new (post) link after deleting the old page, we got a 404 – Page not found!
Understanding the issue
As you can see, the same thing works for a particular permalink setting but fails for another. This can be explained as follows: WordPress maintains a common (database) table for both posts and pages, under the name 'wp_posts'. As each entry in the table has its own unique ID, when we try to locate them using the ID in the permalink (as in the WordPress default) we face no problem.
However, it's not the same with our permalink setting. For some reason, on deleting a page (or post) from the admin panel, WordPress does not immediately remove the corresponding entry from the database. So when resolving the address by post name, WordPress finds the earlier entry (the page, in our case), which is marked deleted, hence giving the 404 Not Found error.
One simple solution is to use plugins made exclusively for this purpose. Some of them are:
A couple of days earlier, a team member pointed out a discussion in a WP community on Facebook. The lady in question had suspicious files on her site due to a broken plugin. She poured out her doubts, feelings and queries about the fix she needed through multiple posts. That underlying feeling of being trapped, of being cheated, was unmistakable. It was akin to having someone break into your house while you are still there and enjoy your property at your expense, unknown to you. She admitted to feeling bad, and understandably so. Since the only alerts she was used to were plugin updates, the shock of it all was only too imaginable.
What had happened, in brief, was that on logging in she noticed a security alert, which she verified with another security check. One can only imagine that she was sincerely hoping and praying that the worst was not true and it was just some oversight on her part.
That was however not the case. She quickly started posting on what she thought were the options open to her.
The first option was to review logs, for which each entry would have to be checked from the back end so as to find the issue at hand. This could be impossible if there is too much data to go through or limited information at hand. There are cases where the logs are lost or difficult to decipher.
Secondly, she could back up, do away with the contents of the problem site and restore. However, what if the backup also had the hack? How does one make sure that all contents of the backup are clean? The only way to do this would be to run a security check after restoring.
It was only too obvious that she was thinking out loud through her posts, and that these were the multiple thoughts running through her mind. The community reached out to her. Common solutions given were:
a) Back up everything – this is useful especially since a backup can save much time and effort in restoring a site.
b) Update all plugins – older versions of plugins often contain vulnerabilities which are exploited by hackers, hence it is advised to update plugins to their latest versions.
c) Clear the cache.
d) Look in the temp folder – hackers at times upload malware to temp folders, and hence cleaning them is advisable.
e) Look for files with suspicious code – malware at times contains certain strings like base64_decode or eval. Searching for files with such code can help identify malware too.
The lady got back shortly with a second post wanting to know if she should access files through FTP or SFTP, or take a backup and restore her site. Suspecting malware, she double checked every move she made. Loss of faith would be the natural thing in such cases; it is, after all, a breach of security.
She was unsure whether she should access the WP admin or not. One needs to be wary of logging into the admin when hacked, since the hacker might have left some code to track the password used to log in. This is a real possibility. For safety in such cases, the password can be changed using phpMyAdmin or FTP before logging into the WP Admin.
She got helpful responses to her second post as well. It was really heartening to see so many people reach out to someone, eager to help. That set the ball rolling. She posted each step of action taken and waited to hear back in the comments, so that she could gauge her way out of the mess her site had become.
She was not only wanting to fix the issue but also keen to find out where the issue had started. She seemed to be taking notes on what to do and what not to do going forward. The nomenclature of the diseased plugin seemingly added to the confusion and frustration. The site appeared to have been affected by the Slider Revolution hack.
At the end of the week, when it was thought that the issue had been solved and lessons had been learnt, she posted again. She had received an alert about the installation of a plugin that her host had added to her freshly cleaned site. Clearly, she had hit the panic button hard. Help was at hand, and so was empathy. The community member who had suggested she check changes on her site with her host also posted that he imagined being in her shoes, and it was not a good feeling. She stated that her host provider was frequently updating plugins without permission. While that may be part of the problem, it is not the core issue.
Though she had zeroed in on the folder with the malware, the key concern would be to find out how the break-in happened and fix it accordingly. Frequent security checks and identifying possible hacks early can save you from a lot of grief.
All in all, a scare, though very unpleasant to recount, does keep us on our toes. So, how do you protect your site?
As soon as you have a new post ready on your website, it would be great to update your Twitter followers so that they can read it. It is very convenient to be able to do this automatically whenever you have a new post. There are several WordPress plugins that provide this functionality. Let us take a look at one such plugin, "WP to Twitter". This plugin can be searched for and installed from the WordPress plugin repository.
This plugin connects your WordPress website to your Twitter account so that a new post can be automatically tweeted. Once installed and activated, the plugin needs to be configured with your Twitter API keys and access tokens, which you obtain by creating a Twitter application.
We shall see how to obtain the keys from the Twitter application registration page. Fill in the application name and your website URL (the Callback URL also needs to be the same) to create the Twitter application.
Your Twitter consumer keys will now be created. Please note that they should not be shared with anyone.
Here you can see that the default Access Level is “Read-only”. If you want your Website to post to Twitter automatically, you will need to have “Read-Write” permissions. Change this by clicking on “Change App Permissions” link or button above. Or you could do it from the “Permissions” tab as well. You can then create the access tokens by using the button – “Create my access token” at the end of the page.
You will get the tokens displayed on the next page. These, again, should not be shared with anyone. Make a note of these tokens and keys and enter them in the WP to Twitter plugin settings on your dashboard.
You have now successfully connected your website to Twitter. There is an option to shorten URLs as well. There are also advanced options to set up Google Analytics, add custom text before or after tweets, choose not to send tweets by default, etc. You can also select which category of posts you would like to publish.
Once the settings are saved, you will see your posts being updated on your Twitter account.
You can also change the settings using the metabox available in the right sidebar of your post editor. You can customise your Twitter post, or choose not to tweet a particular post.
WP Summit, hosted by Jan Koch, is an online event happening from March 16 – March 25, 2015. The summit will bring together WP experts on the same platform to talk about their take on subjects ranging from WordPress, website design, content marketing and copywriting to many more. Use their best insights to build your online business and add value to your WordPress blog.
Noted speakers include –
Rand Fishkin, founder of Moz.com
Oli Gardner, co-founder of Unbounce
Dan Norris, founder of WP Curve
Tony Perez, CEO & co-founder of Sucuri.net
Tim Paige, Conversion Educator at LeadPages
Natanael Oliveira, CEO of Marketing com Digital
Andy Crestodina, Author of Content Chemistry
Tomaz Zaman, founder of Codeable
Akshat Choudhary, Founder, blogVault, has been invited to speak on Backups and Security. He will be speaking on 24th March 2015. All interviews will be available for free for a limited time.
Sign up at http://thewpsummit.com/ to hear from 24 world-renowned experts and learn how to build a WordPress site with the winning edge.
If you love to travel, you would want to have a travel blog at some point. It can help you in the following ways:
You can connect with like minded travellers and even find some company for the next trip
You can journal all your travel experiences and photographs in one place to share with family and friends
You can even make some extra money with your blog! Or try to find sponsors for your next trip!
These are just some of the reasons to have a travel blog; there could be endless reasons!
Here is a quick and easy guide on how to set up a travel blog using WordPress. WordPress is a powerful medium for setting up your travel blog, as it supports various features that enable you to seamlessly share photographs and videos, and also include maps on your website. The basics of setting up a website using WordPress have been discussed in the article "Setting up a WordPress site from scratch". Once you have your blog up and running, you will need some of the following essentials to turn it into a fabulous travel blog.
Themes and other customizations – First and foremost, your blog needs to look good to attract readers. Visual appeal can be the most powerful factor in generating traffic for your blog. Fortunately, you do not need to spend too much time or effort trying to do some web designing. There are various themes (both free and paid) available in WordPress to customize your travel blog and improve its appearance. Themes can be accessed from the Appearance menu of your dashboard. As a start, you can search for a travel-based theme and apply it to your blog.
Your blog can be further customized with the various options under the “Appearances” menu. You can choose the colour scheme, header images, menu and sidebar layout etc.
You are just back from a grand tour of a major continent like the USA or Europe and have covered a lot of places. Wouldn't it be great if you could mark off all these places on a map and show it in one shot to your readers?
You are trying to create a travel wish list and would like to mark places that you want to visit in the near future. A map with these markers would surely grab the attention of readers and they would want to explore your blog.
Again, adding a map to your blog, either in a post, a page or as a widget, is very easy. There are various plugins for this purpose. A map also makes your blog instantly look better! Let's see that below!
Once you have a nice travel story to tell, you would like to highlight it with some great pictures. A good picture can turn an ordinary blog post into an extraordinary one. Or if you just have a few words to say, you can add more pictures to your post. Or just have pictures in a post and let them do all the talking! The choice is yours.
Photos can be added to your travel blog in several ways. The simplest thing to do is to upload the relevant photos to your post or page using the "Add Media" option on your "New Page" or "New Post". You can upload files from your PC. This could be cumbersome if you have too many photos to upload, or if you want to showcase a gallery on your blog. Also, the pictures can take up too much storage space. An alternative is to add photos from your Flickr account or Google Plus account onto your blog. There are several plugins for this purpose.
This is how a photo gallery would look on your blog ! The reader can see the thumbnails and even click on them for larger images. Different plugins offer different features and display options for your photos.
Adding videos to your blog – When you have a travel blog, it would be great to add some videos as well. Imagine that you did some adrenaline-rushing adventure sport like bungee jumping in New Zealand. Words cannot describe how you felt during the jump, but you have a short video clip that could do wonders to explain the adventure! Or you just travelled through some really scenic rail route in Switzerland and have several videos capturing the change of landscape and scenery. Your blog would be more meaningful with these video clips added to the posts in addition to photographs.
While videos can be uploaded to your blog, it is recommended that you upload your videos to one of the popular services like YouTube and embed the video on your blog.
The video can be seen on the blog post as shown in the below example.
Organizing your posts – You can organize your posts into Categories so that they can be browsed and indexed easily. For example, you can have the categories "Beaches", "Temples" and "Mountains" for your various travel destinations and experiences.
You can add a New Category from the Categories option under the Posts menu. You can create hierarchies in the categories as well. In the following example there is a Category called Asia and then India under it. The hierarchy can be specified by choosing the Parent category option.
The categories show up on the sidebar of your blog for easy browsing of posts/articles.
Some useful plugins for your travel blog
Apart from the plugins discussed above for adding photos, videos and maps on your WordPress site, here are some useful plugins for your blog.
WP smush.it plugin – This plugin can be used to compress and optimize the images without losing image quality on your WordPress site so that the page loads faster.
Social media icons – There are various Social media icons plugins available from the WordPress plugins repository. They help you to add social media icons like Facebook, Twitter etc to your blog which enables the user to connect to your Social media pages with one click.
WordPress related posts – This helps you to add related posts as thumbnails at the footer portion of your posts and increases your internal traffic as the readers get to see more articles of their interest.
SEO by Yoast – This plugin helps to get your blog or website indexed by search engines and also to rank higher in search results. This has been discussed in detail in an earlier article, WordPress SEO by Yoast.
Jetpack – This plugin provides various features for customization, traffic, mobile, content and performance tools.
WP to Twitter – This plugin is useful to automatically update your twitter feed whenever there is a new post.
These are just some tips to get you started on your travel blog, and with WordPress, the options to make your blog interesting and captivating are endless. Do visit wordpress.org for more possible customizations for your purpose.
Blogvault was started by Akshat Choudhary in 2007. Based out of Bangalore, India, we are a complete backup service with over 10,000 customers from across the world.