Today’s tutorial left me wondering about finding the most appropriate solution for what appeared to be an attempt to hack my customer’s WordPress website.
If you’ve been around the Internet long, especially if you own and operate a website, then chances are you’ve interacted with a website running WordPress. And while WordPress is the go-to content management system for roughly 75% of website owners, it doesn’t come without its fair share of technical headaches.
The latest one I recently discovered was an attempt to hack a customer’s WordPress website. I didn’t notice it at first, but then I started seeing the WordPress search log bloat to a ginormous size like never before.
Once I could finally download the gigs of data, I soon discovered variations of searches that included “\think\app/invokefunction”:
- /Index/\think\app/invokefunction
- /aa/bb/name/${@print(md5(chaonan))}
- /Index/\think\Container/invokefunction
- /user/\think\app/invokefunction
- admin/\think\app/invokefunction
- api/\think\app/invokefunction
- index/\think\app/invokefunction
- index/\think\Container/invokefunction
- \think\app/invokefunction
I wasn’t familiar with this phrase, but I soon found that it and all the other variations were attempted security breaches that exploit vulnerabilities in the ThinkPHP framework.
Once again, I’m puzzled why hackers would even attempt such actions because the customer’s website is built on WordPress, not the ThinkPHP framework.
However, further investigation revealed that ThinkPHP is an open-source PHP framework developed and maintained by Shanghai Topthink Company. It is released under the Apache 2.0 open-source license and is specifically crafted to support agile web application development and simplify the creation of enterprise applications.
Nonetheless, I devised a plan to block all the identified variations using .htaccess, and here is what I came up with:
```apache
RewriteEngine On
# Match the ThinkPHP "invokefunction" probes whether the backslash arrives raw (\) or URL-encoded (%5C)
RewriteCond %{QUERY_STRING} (\\|%5C)think(\\|%5C)(app|container)/invokefunction [NC,OR]
# Match the ${@print(md5(...))} probe, raw or URL-encoded
RewriteCond %{QUERY_STRING} (\$\{|%24%7B)(@|%40)print [NC]
RewriteRule ^ - [F]
```
Now it’s worth noting that because the rule inspects the query string, a legitimate search for any of these phrases will be blocked as well, so you may have to tweak this code if it interferes with your standard search queries. Other than this, you should be ready.
Open a web browser and visit your website. Try performing searches using the blocked search phrases mentioned earlier. If everything is set up correctly, you should receive a “403 Forbidden” error page, indicating that the search phrases are blocked and denied.
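To see which requests a rule like this would have caught before touching .htaccess, here is an added Python example (not from the original post) that scans Apache access-log lines for the same probe signatures. The log lines, IP addresses and helper names are constructed for the example; it inspects the whole decoded request target (path and query), so it is slightly broader than the .htaccess rule, which only looks at the query string.

```python
import re
from urllib.parse import unquote

# Probe signatures taken from the search strings listed above; a backslash may
# arrive raw or URL-encoded (%5C), so matching is done after decoding.
PROBE_SIGNATURES = [
    ("thinkphp-invokefunction",
     re.compile(r"\\think\\(app|container)/invokefunction", re.IGNORECASE)),
    ("thinkphp-template-print", re.compile(r"\$\{@print\(", re.IGNORECASE)),
]

# Apache combined log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(target):
    """Return the signature name if the decoded request target matches a probe, else None."""
    decoded = unquote(target)
    for name, pattern in PROBE_SIGNATURES:
        if pattern.search(decoded):
            return name
    return None

def scan_access_log(lines):
    """Return (ip, signature, target) for every log line that looks like a ThinkPHP probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        sig = classify_request(m.group("target"))
        if sig:
            hits.append((m.group("ip"), sig, m.group("target")))
    return hits

# Constructed sample log lines (not from the original post); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?s=/Index/%5Cthink%5Capp/invokefunction HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /?s=/aa/bb/name/${@print(md5(chaonan))} HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /?s=wordpress+themes HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:05 +0000] "GET /index/%5Cthink%5CContainer/invokefunction HTTP/1.1" 404 0 "-" "curl/7.68"
"""

if __name__ == "__main__":
    for ip, sig, target in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{sig}\t{target}")
```

Feed it your real access log instead of SAMPLE_LOG to see how many probes arrived before the rule was in place, and to confirm that ordinary searches are not flagged.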
And if .htaccess isn’t your cup of tea because a lot can go wrong when tampering with that file, then by all means, try this nifty WordPress solution. Don’t hesitate to contact us should you run into any technical challenges.
Thanks, and that’s all for now!