Dear Diary: Roll on Spring

Dear Diary,

I. am. knackered.

Dear fucking god, I am knackered. Someone at work had a family crisis this week and had to rush home. I was halfway through my shift, and they had only just started theirs. Guess who’s the only other person who can do their job? Uh-huh. I ended up doing my job, followed by their job. And I had to do that for three days. Believe me, trying to cram 16 hours of work into as close to a normal shift as possible is… well, impossible, but I managed something close to it. Now, though, I’m wiped, and consequently I’ve not been doing much in SL for most of this week; mainly logging in to clear inventory offers, check the store’s okay, and just sit on a couch and vegetate. I barely even shopped! How knackered am I? Well, I slept for nearly ten hours last night, and I almost never do that. Anyway, hopefully my colleague will be back on Monday, so normal service etc should be resumed.

This is our beagle in SL. His name’s Smeagol the Beagol. (Daros named him. Can you tell? XD) I kinda know how Smeagol feels right about now:

As a result, there’s not much in the way of SL stuff to update you with in this post, but I’ve got a bit of blog stuff. First of all, since I’ve been both vegetating and frazzled when I’m home, I’ve been reading a bit more and listening to more (if that’s possible) music. I thought it might be interesting to run a page wherein I document my current activities in that vein, so look in the sidebar for a new page, called Currently…

On that page, you will find my current: reading, listening, wearing (SL), making, and wishing. I doubt I’ll update it on a weekly basis, since I don’t read as much as I used to and it’ll take me more than a week to get through one book (I can read quickly, but with my 4am start for work I’m usually at the point of nodding off once I’m comfortable with a book in my hand) but I’ll keep the previous weeks’ lists at the end of each post so you can catch up if you miss any. I hope you can find some new music, or something interesting to read, from that list. You might be surprised by my first book choice, but don’t be. It’s a damned good one, and I read around a lot of different subjects.

Now, back at the end of January, I was concerned about the number of spammers hitting the blog. You can read the post here – Spanking Your Meat – and what I did about it (including my alarm on, having installed some security plugins, seeing how many people were constantly trying to hack the blog). I promised at the end of that post to update you on what I’d done, and show you what the stats were for February, after taking those security measures, so here’s that update.

First of all, I soon found out who the worst culprits were, country-wise, for both hacks and spam. You might be surprised at the spam locations, but probably not the hacks.

Hack attempts primarily came from: Ukraine, Belarus, Russian Federation, China. Oh, and rather weirdly… Henderson, USA.

Spam primarily came from: all of the above, plus France, Germany, and Kansas City. Yep, somewhere in the Mid States we have Spam Queen and Hacker Central.

Offending ISPs became clear over the month, as well. In Germany the prime ‘baddy’ was LeaseWeb. In France it was OVH. In Ukraine it was Kyivstar. I got to the point where I was hunting down entire IP blocks for those ISPs and banning them using the Wordfence Advanced Blocking option, and in some cases, boy that really worked…

Let us begin in a surprising place: Minneapolis. Home of His Royal Princeness, but someone was trying to Purple Rain on my parade, because look at this:

Now… WHY would someone from Minneapolis be so interested in all things ‘user’ and ‘admin’, huh? Could it be because of this?

Bet your fucking life it was. No way, Mr Comcast Business User at IP number 50-78-225-33; you’re not getting to my admin login panel after trying to sniff out a list of names of all users on the blog, nor are you hitting it with a packetstorm. Thanks to Wordfence and Bad Behavior, he was stopped in his tracks.

Here’s just one IP block of the French OVH spammers:

More blocks. Wowrack is a server farm and is used by a lot of spammers. That ‘randomosity’ tag gets hit hundreds of times a day. It’s one that I’ve used a lot, therefore it contains a lot of content (and a lot of images) which get sucked down by site scrapers, thereby increasing my bandwidth usage. The ‘suspicious suffixes’ IP was adding dodgy-looking code to the end of links it was trying to grab. And there’s another block of the good ol’ Leaseweb spammer IPs:

I also blocked the Russian Yandex search engine spider (hosted, oddly, in Palo Alto, US). Because YOW, that bitch doesn’t obey the robots.txt command I have in place to crawl only every few hundred seconds. Look at how many hits have been blocked!

More French OVH spammers:

Wordfence will also tell you who logged into and out of your blog (including yourself) and it logs failed attempts. Oh look, Kansas City and Henderson again! Oh, and OVH. *snerk*

Another load. Lots of confused Americans around here. These ones are trying the default ‘admin’ username.

The spam and hacks from Ukraine and China were getting so bad that I couldn’t keep up with it. Hunting down the hundreds of IP ranges for two countries (lists do exist on the interwebs, but each one is hundreds of ranges long, and I don’t have the time to copy/paste individually) was a nightmare, so in the end I forked out for the paid version of Wordfence, purely for two reasons:

  1. The plugin works and works well, thus I’m happy to support it
  2. The paid version lets you block entire countries from accessing your site

Yep, that’s what I had to do in the end. So, if you’re from China or the Ukraine, unless you’re using a tunnel or a TOR-like proxy, all that you’ll see when you try to access Virtual Bloke… is this page.

Finally, I promised you a screenshot of my Akismet spam filter results for February. It had halved since January, which is mainly a result of the security plugins, the .htaccess file and improved robots.txt files. It’s a work-in-progress, and you can see that March is already gearing up to be a bit of a bad month again. Now, though, the spam is coming mainly from the US, Germany, and France. I’m still working on this, so over the course of the upcoming months those totals should go down a bit more.

They did get one thing right in their failed attempt to hack, though:

So totally am ;-)


Spanking your meat

Hrm? What? *butter wouldn’t melt* (No, seriously; it wouldn’t. It’d frazzle.)

If you hadn’t come to expect a smidge of innuendo from me by now, then I’ve been slacking. What sort of meat-spanking did you assume I meant? Most likely not this sort:

Yeah, since I’ve had this blog the number of spam comment attempts has risen and risen until they went through the roof. Thank fuck for the Akismet plugin, is all I can say. But, even with Akismet installed, I still had to trawl through the multiple spam attempts per day, to ensure that no legitimate comments had been filtered out (such as for including more than one link, which WordPress automatically flags as potential spam, by default).

I started Virtual Bloke in May of 2013. As of just now, these are my basic spam stats:

That’s a fuckton of delicious processed meat, y’all. Monty Python would’ve been proud. At which point, naturally, we must pause for this:

Anyhow. I’d noticed two things about all of these attempts to spam the blog:

  1. Individual posts were getting hit at a rate of two or three comments per hour. It got so bad that I actually disabled commenting on the worst offenders (these ones were getting upwards of ten comments per hour). But it went in phases. Never the most-recent post; always one that was a couple of posts back (I guess in the hope that I wouldn’t notice it).
  2. Even though each of these individual posts was getting hit (example: my One of Our Lindens Is Missing post got hit by spam comment attempts almost 60 times over the course of two days) these hits weren’t registering in the blog stats.

#1 wasn’t surprising, since I’d been spotting (and deleting) pingbacks where those individual posts were getting spammed as links on various forums and other blogs. But #2 could mean only one thing: it was referrer spam, because the bots that dish out referrer spam don’t actually hit the page itself; they simply access the comments.php form, and that doesn’t register a hit on your stats.

This was, weirdly, good news, because there’s something you can do about referrer spam, and it involves a simple edit to one file in your directory: the .htaccess file. Most sites have one, and it’s a bloody handy file. I wasn’t sure of the exact commands to insert into the file (only that I knew I could use it to block referrer spam) so I went a-googling.

I found what I was looking for in the WordPress Codex (click here and scroll down to ‘deny access to no referrer requests’, then down further to ‘deny access referrer spammers’). Note how, in the first instance, you’re sending the spam-bot back onto itself (in much the same way a good HOSTS file redirects your computer to itself when it tries to show ads and blocked sites, effectively rendering it unable to show said ads etc).

In the second instance you can actually block individual referrer URLs. The Codex states:

Once you know which referrer URL you’d like to block, and believe me you’ll know, you can keep them out [ etc. ]

Believe me, I did know. If you’re getting referrer spam, you’ll see the same URLs cropping up as the ‘personal websites’ of these spammers time and again, viz.:

It goes without saying that, if you try to visit any of those sites? You’re daft enough to deserve anything that happens :p

The [name].adsuse spam had stopped, but I was still getting hit multiple times by the [name].usabestads and [name].adsboards spammers. So I not only added the first section of the referrer redirect to my .htaccess file, I also blocked those URLs directly, like this:

# BLOCK referrer spam
# Each pattern is a case-insensitive regex matched anywhere in the Referer header
SetEnvIfNoCase Referer usabestads.com spammer=yes
SetEnvIfNoCase Referer adsboards.com spammer=yes
# Deny any request that picked up the spammer flag (Apache 2.2 syntax; on 2.4 it needs mod_access_compat)
Order allow,deny
Allow from all
Deny from env=spammer

NOTE: No, that’s not a mis-spelling of ‘Referrer’. It has to be spelled ‘Referer’.

Prior to doing this last night, I was checking the spam stats every two hours, and that Lindens post was getting two to three comments every single hour. I edited .htaccess, then went to bed. I checked again this morning.

Not a single spam comment.

I checked again at each of my work breaks. Again, not a single comment. If I’d not added those two sections to .htaccess then, going by the history of two comments per hour, that post would have received (between 9pm and 12 noon the next day) approximately 30 spam comment attempts.

It was only when I got home and checked again at around 3pm that I finally had a spam comment attempt, and it wasn’t referrer spam. In short, this shit works. Granted, it’s only been one day, but every single day so far has seen at least 10-20 spam comment attempts from these referrers, and today I’ve had just one ‘traditional’ spam comment attempt.

If you’re enduring the same batshit-annoying referrer spam on your (self-hosted; sorry, but you don’t get an .htaccess file if you’re not hosting your blog on your own website) WordPress blog, I want to share this with you.

– Look in your root directory for your .htaccess file and use your FTP client to download it to your hard drive.
– Make a backup copy of the original and stash it somewhere safe.
– Open the file using Notepad or any other simple text editor (NOT Word!)
– If there’s already stuff in the file, add everything I’m about to paste below after it.
– First, add the following:

# BAN Spambots
RewriteEngine On
# Only comment-form submissions (a POST to wp-comments-post.php) are examined
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php
# Catch them when the Referer does not mention this site ...
RewriteCond %{HTTP_REFERER} !.*YOURWEBSITE.COM [NC,OR]
# ... or when the User-Agent header is empty, which real browsers never send
RewriteCond %{HTTP_USER_AGENT} ^$
# Send the bot back to its own address
RewriteRule ^(.*)$ http://%{REMOTE_ADDR}/ [R=301,L]

– Replace YOURWEBSITE.COM with your own website URL. Don’t include the www bit.
– Leave a line, and then add the following:

# BLOCK referrer spam
SetEnvIfNoCase Referer SPAMURL.COM spammer=yes
SetEnvIfNoCase Referer SPAMURL.COM spammer=yes
SetEnvIfNoCase Referer SPAMURL.COM spammer=yes
Order allow,deny
Allow from all
Deny from env=spammer

– Replace SPAMURL.COM with the URL of the referrer (example: usabestads.com – again, no www or anything).
– Save the file. It should begin with a period/fullstop and have no suffix, so make sure you just save it as .htaccess
– Upload it to replace the old .htaccess file.
– Check to make sure your site’s still working. If it’s all good, leave it be and just watch your spam stats. Hopefully, like mine, they will reduce drastically.
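To see what those two .htaccess sections actually catch (and what they let through), here is an added Python model of them; it is example code written for this post, not something from WordPress or the Codex. It assumes a site called example.com and re-implements the matching rules of RewriteCond and SetEnvIfNoCase, which are both unanchored, case-insensitive regex searches when used as above. Bear in mind that both checks rely on headers the client chooses to send, so they stop lazy bots, not a bot that sets a plausible Referer and User-Agent.

```python
"""Check what the two .htaccess sections catch, without an Apache server.

Both RewriteCond and SetEnvIfNoCase patterns are unanchored regular
expressions, so the functions below use re.search() with the patterns
exactly as they appear in the .htaccess lines."""
import re

SITE = "example.com"                                  # stands in for YOURWEBSITE.COM
SPAM_REFERRERS = ["usabestads.com", "adsboards.com"]  # the two domains from the post


def ban_spambots(method, uri, referer, user_agent, site=SITE):
    """Mirror of the 'BAN Spambots' block: True when the request would be
    redirected back to the client's own address."""
    if method != "POST" or not re.search(r"wp-comments-post\.php", uri):
        return False
    # '!.*SITE' : the Referer does NOT mention this site (case-insensitive) ...
    referer_not_ours = re.search(re.escape(site), referer, re.IGNORECASE) is None
    # ... [OR] the User-Agent header is empty ('^$')
    return referer_not_ours or user_agent == ""


def referrer_spam(referer, patterns=SPAM_REFERRERS):
    """Mirror of 'SetEnvIfNoCase Referer PATTERN spammer=yes' followed by
    'Deny from env=spammer'.  The pattern is used as written, so its dot is a
    regex wildcard and 'adsboards.com' also matches 'adsboardsXcom'."""
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)


def decide(method, uri, referer, user_agent):
    """One verdict per request.  Apache evaluates the Deny in its access-check
    phase, before per-directory RewriteRules, so it is checked first here too."""
    if referrer_spam(referer):
        return "403 (referrer spam)"
    if ban_spambots(method, uri, referer, user_agent):
        return "301 to the client's own IP"
    return "allowed"


# Constructed sample requests: (method, uri, Referer, User-Agent)
SAMPLES = [
    ("POST", "/wp-comments-post.php", "http://example.com/2014/01/lindens/", "Mozilla/5.0"),
    ("POST", "/wp-comments-post.php", "", "Mozilla/5.0"),             # bot with no Referer
    ("POST", "/wp-comments-post.php", "http://example.com/x/", ""),    # bot with blank UA
    ("POST", "/wp-comments-post.php", "http://WWW.UsaBestAds.com/", "Mozilla/5.0"),
    ("GET", "/2014/01/lindens/", "", "Mozilla/5.0"),                   # ordinary reader
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(f"{req[0]} {req[1]} -> {decide(*req)}")
```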

These are my full Askimet stats since I began the blog. I’ll be keeping an eye on this, to see if the totals for February are much lower than recent months:

The spam subjects come in waves. In November and early December (killer months, both) I was getting an insane amount of spam about NFL jerseys. Interspersed with all of that is the usual kidney disease, diabetes, Vuitton/Gucci/etc handbags bullshit. Sadly, the side-effect of having a blog about fashion (even if it’s virtual fashion) means that you get a ridiculous amount of fake designer clothing and accessories spammers trying it on.

And, seriously, if making this post means I can help one more frustrated blogger rid themselves of this fucking annoying shit, then it was worth it. Let me know how you get on, if you give it a go.

UPDATE #1

Since making this post, I’ve installed two further WordPress plugins. The first is Bad Behavior. Within half an hour, I could see exactly why the blog has been loading so slowly for me. TENS of brute force attempts to log in via my wp-login.php file, to hack the site and gain access to it by using the default ‘admin’ username (HUGE hint: never, ever keep your WordPress login username as ‘admin’) and random passwords. We’re talking literally one attempt every second. Now, I know that WordPress regularly gets attacked in waves like that, but it was clearly the reason why the site was running so slowly for me. Here, this will give you an idea. Check out the times:

09:44:32, then 09:44:34, then 09:44:35. Every. Single. Second. In fact, between the times of 09:41:15 and 09:44:35 (read that closely: it’s a space of three minutes and twenty seconds) that IP address made 163 attempts to log into my site as the admin user.
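If you don’t run Bad Behavior, the same pattern is visible in the web server’s own access log. The following is an added example (not from the post or from any plugin) that parses Apache combined-format log lines and flags any client that POSTs to wp-login.php ten or more times inside a 200-second window; the log lines it runs over are constructed, with the hammering client at 203.0.113.7 and one legitimate reader.

```python
"""Spot wp-login.php brute-force bursts in an Apache access log (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def login_bursts(lines, threshold=10, window_seconds=200):
    """Return {ip: peak_attempts} for clients whose POSTs to wp-login.php
    reach `threshold` inside any sliding window of `window_seconds`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            per_ip[rec["ip"]].append(rec["time"])
    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def _line(ip, second, method="POST", path="/wp-login.php"):
    """Build one constructed log line at 09:44:<second> on a fixed date."""
    return (f'{ip} - - [01/Feb/2014:09:44:{second:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 1234 "-" "Mozilla/5.0"')


# Constructed sample: one client hitting the login form once a second for 16 seconds,
# plus an ordinary reader who loads a post and logs in once.
SAMPLE_LOG = [_line("203.0.113.7", s) for s in range(20, 36)]
SAMPLE_LOG += [_line("198.51.100.5", 30, "GET", "/2014/01/lindens/"),
               _line("198.51.100.5", 31)]

if __name__ == "__main__":
    print(login_bursts(SAMPLE_LOG))   # {'203.0.113.7': 16}
```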

Woah, mama. What the hell to do about that?!

I did some googling and found out how to block all access to my wp-admin files, unless the originating IP is my own personal IP. The article for how to do that is here (scroll down to ‘Limit Access to wp-admin by IP’). Or, you can just add the following to the .htaccess file you’ve already created, changing YOURWEBSITE.COM to, well, your website.

# BAN access to wp-login
<IfModule mod_rewrite.c>
RewriteEngine on
# Only login form submissions (POST) are affected; loading the login page itself still works
RewriteCond %{REQUEST_METHOD} =POST
# Block them when the Referer is not a page on this site (with or without a www. prefix).
# This checks the Referer header rather than the client IP, so it stops bots that don't set one.
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?YOURWEBSITE.COM [NC]
# ... and the target is the login script or the admin directory
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Following on from that, I made some further .htaccess changes to deny access to wp-config.php.

# Deny all web requests for wp-config.php (it holds the database credentials)
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Lastly, I installed the Wordfence plugin, as a final (and pretty damn awesome) security tool. This offers scanning of all files on your server, comparison of all themes and plugins and WordPress files against their up-to-date repository, to inform you if anything has been hacked or changed. It even has a live traffic tool. *waves* to the Baidu crawler which has accessed the site four times in the last 2 minutes*

So what’s happened after that? Well, after a heart-stopping moment when my entire site went pouf on me (after I forgot to change FTP directories and uploaded a rather important file in a place where it didn’t belong – oops?) overall, it’s suddenly started running like shit off a shovel for me. About ten times faster than it was before. Wordfence, plus the .htaccess edits, seem to be stopping all access to the hackers, as Bad Behavior’s logs are no longer full of repeated attempts to login. I’ll keep monitoring over the weekend, and update this post with my findings.

UPDATE #2

Just 15 minutes of watching the live traffic tool told me that the Yandex bot (Russian search engine) was crawling my site every minute or so, and trying to access images as pages. This is another thing that is probably slowing the site, so I’ve blocked the Yandex bot via my .htaccess file, too.

# Flag any User-Agent containing "Yandex". The crawler identifies itself as
# "Mozilla/5.0 (compatible; YandexBot/3.0; ...)", so the pattern must not be anchored to the start.
SetEnvIfNoCase User-Agent "Yandex" bad_bot
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>

UPDATE #3

Well, it’s now Feb 2nd, and I’ve gone from Akismet catching up to 30 spam comment attempts per day, to… just three in three days. All thanks to my .htaccess edits, and those two WordPress plugins. It’s actually quite unnerving to see the attempts to hack your login page, in real time. One thing you MUST make sure you do is ensure that you don’t have an administrator account on WordPress called ‘admin’. If you log in as ‘admin’ then you’re asking to get hacked, as that’s what the hackers go for.

Once February is done (and if I remember) I’ll post a screenshot of my Akismet stats again, so you can see the dramatic drop in spam that’s getting through to be caught by the filter.

Further reading

WordPress Codex: Hardening WordPress
WordPress Codex: Brute Force Attacks
WordPress Codex: Combating Comment Spam/Denying Access