CleanTalk's blog

Tag: wordpress

For WordPress users, checking existing comments for spam

CleanTalk offers more protection from spam bots to sites by WordPress. The new version provides a unique opportunity to test existing spam comments.

CleanTalk adds new features in CleanTalk Anti-Spam, our solutions are reliable, easy and efficient. Work of the module is absolutely invisible for visitors and allows to renounce forever the ways of protection complicating communication on the website (CAPTCHA, question and answer, etc.). CleanTalk allows you to automate protection from spam and registering of spam bots.

Cloud anti-spam service CleanTalk released a new version of the anti-spam plugin for WordPress, the new version has a unique function of automatic check for spam of the existing comments on the site.

This allows administrators of the Web sites automatically check and identify spam bots comments, which were not detected by conventional anti-spam tools.

This function is present only for WordPress, it will gradually be introduced for other CMS.

CleanTalk identifies spam bots, using its own algorithms to estimate the parameters visitor, on the basis of these tests is formed its own database of spam bots. Checking existing comments is made on the basis of the nearly 2 million of certain spam bots. Detailed statistic allows CleanTalk customers to control the whole process.

“The team CleanTalk has been developing a cloud spam protection system for four years and has created a truly reliable anti-spam service designed for you to guarantee your safety”.

Download the new version anti spam by CleanTalk for WordPress

April 7, 2015
Limiting the number of password attempts in the web login form using Nginx or HAProxy by way of example of WordPress
By the example of WordPress consider a method for enhancing security by limiting the number of HTTP-requests to the form of entering the password. This helps protect against brute force published a blog (search and crack the password by trying all possible scenarios of a particular set of characters, or the selection of a dictionary of common passwords). This method, in principle, can be used to protect other Web applications.

The task can be realized using Nginx module ngx_http_limit_req_module [1] acts as a front-end to the Apache Web server or FastCGI, or via HAProxy [2, 3], acts as a load balancer in front of web servers.

In both cases, the algorithm works as follows. When authentication browser refer to the addresses containing the substring “/wp-login.php”. It is necessary to keep track of it and to limit the number of requests from the same IP without affecting circulation to all other addresses. Block settings must be chosen in such way as not to create a normal user inconvenience. Especially attentively should be configured to lock when the authorization form uses a large number of users with the same IP-address.

Method №1: Nginx
```
http {
<...>

limit_req_zone $binary_remote_addr zone=login:10m rate=15r/m;

server {
listen 80;
server_name frontend.example.org;

location ~* /wp-login.php {
limit_req zone=login burst=4;
proxy_pass http://backend:8080;
<...>
}

location / {
proxy_pass http://backend:8080;
<...>
}
}
```
Block settings:

limit_req_zone $binary_remote_addr zone=login: 10m rate=15r/m; Sets an area of shared memory, which stores the state for different IP-addresses. In our case, the state is stored in the zone “login” size of 10 megabytes, and the average speed of query processing for the zone can not exceed 15 requests per minute. The processing speed can be specified in requests per second (r/s) or requests per minute (r/m).

limit_req zone=login burst=4; sets the login area and the maximum size of the burst of requests. If the requests rate higher than described in the area, their processing is delayed so that the request is being processed at a given speed. Excessive requests are delayed as long as their number does not exceed the maximum size of the burst. When exceeding the request fails with the error 503.

Method №2: HAProxy

In this section of the backend, serving our blog, add the following lines [2]:
```
tcp-request inspect-delay 10s
tcp-request content accept if HTTP
# brute force protection
acl wp_login path_beg -i /wp-login.php
stick-table type binary len 20 size 500 store http_req_rate(20s) peers local
tcp-request content track-sc2 base32+src if METH_POST wp_login
stick store-request base32+src if METH_POST wp_login
acl bruteforce_detection sc2_http_req_rate gt 5
acl flag_bruteforce sc1_inc_gpc0 gt 0
http-request deny if bruteforce_detection flag_bruteforce
```
Upon detection of POST-request to the page /wp-login.php saved hash of three elements: header HTTP Host, URL-path and IP source. Identified on the basis of the hash the user can make requests for five to 20 seconds, the sixth request will be blocked.

Sourses
1. Module ngx_http_limit_req_module – nginx.org
2. http://blog.haproxy.com/2013/04/26/wordpress-cms-brute-force-protection-with-haproxy/ – blog.haproxy.com
3. Better Rate Limiting For All with HAProxy – blog.serverfault.com
This text is a translation of the article “Ограничение количества попыток ввода пароля в веб-форме авторизации при помощи Ngnix или HAProxy на примере WordPress” published by foboss on habrahabr.ru.

Anti-Spam by CleanTalk.
February 12, 2015
84% of the WordPress site can be hacked: What’s Next?
```
CleanTalk is a SaaS spam protection service for Web-sites. CleanTalk uses protection methods which are invisible for site visitors. Connecting to the service eliminates needs for CAPTCHA, questions and answers and other methods of protection, complicating the exchange of information on the site.
```
If you often read IT-news, you probably already tired of the horror stories about another vulnerability that was found in the popular OS / database / CMS / coffee maker. Therefore, this post is not about the vulnerability and about monitoring how people react to it.

But first – a few words about “the villain of the peace”. Critical vulnerabilities in popular WordPress blogging engine was found in September by the Finnish specialists from companies with funny name Klikki Oy. Using this hole, the hacker can lead as a comment to the blog a special code that will be executed in the browser of the site administrator when reading comments. Attack allows you to secretly take over the site and do unpleasant things under the admin access.

Here’s how easy it looks like in practice. Go to the blog by WordPress and enter a bad comment:

Next we see a specially crafted comment allows to bypass checks and conduct XSS-attack:

After capturing admin permissions an attacker can run their code on the server that is hosting the attacked blog, that is, can develop an attack on a broad front. Now is the time to remember that just recently 800,000 credit cards were stolen by a bank trojan which was distributed across WordPress sites.

This vulnerability applies to all versions of WordPress 3.0 and higher. Problem can be solved upgrade engine to version 4, where no such problem.

And now about the actual reaction. Finnish security experts discovered a vulnerability reported it to the vendor on September 26. At the time of this writing, that is, two months later after finding renewed no more than 16% of users of WordPress (see diagram on the title picture post). What Finnish experts concluded that all the other 84%, that is tens of millions of users of this engine in the world, stay potential victims.

In fact, the victims will certainly be less because there is a small additional condition for the operation – need the opportunity to comment on posts or pages (default is available without authorization). However, we are interested in here is the lifetime of vulnerability, and in this case it is possible to observe in real time – to monitor the statistics update WordPress here. Although you probably already understand the meaning of these figures: don’t lock the barn door after the horse is stolen.

We also follow the intruders attempt to exploit this vulnerability “in the wild”. To do this, use a network attack detection based applications PT Application Firewall. The mechanism of intrusion detection based on the analysis of anomalies in this case worked well, and we did not have to add the signature. In other words, PT AF elicited this “0 day” from the very beginning:

At the moment, the vulnerability exploitation attempts is already found. They can not be called mass – but if you have an older WordPress, should still be updated.

This text is a translation of article “84% сайтов на WordPress могут быть взломаны: что дальше?” by ptsecurity published on habrahabr.ru.

Forums and blogs without spam

CleanTalk is a SaaS spam protection service for Web-sites. CleanTalk uses protection methods which are invisible for site visitors. Connecting to the service eliminates needs for CAPTCHA, questions and answers and other methods of protection, complicating the exchange of information on the site.
December 10, 2014
Accelerate WordPress
```
CleanTalk is a SaaS spam protection service for Web-sites. CleanTalk uses protection methods which are invisible for site visitors. Connecting to the service eliminates needs for CAPTCHA, questions and answers and other methods of protection, complicating the exchange of information on the site.
```
WordPress in the standard setting is quite slow. By default, the engine does not use some features of modern web for significant acceleration. There are a whole bunch of plugins to optimize WordPress. Let’s put things in order and undergo a major optimization to accelerate WordPress.

Before we begin, let’s see what shows raw installing WordPress on Pagespeed:

Result 76 out of 100 is pretty low. Let’s see how you can increase this figure.

Server part

Ngnix

If you’re not already using Nginx, it’s time to move on it. Simple and powerful solution. Configuration for supporting permalinks and static caching:
```
server {
        server_name wp.com;
        root /var/www/wp; # way to WP
        index index.php;

        location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
                access_log off;
                log_not_found off;
                expires max; # statistics caching 
        }

        location / {
                try_files $uri $uri/ /index.php?$args; # permalinks
        }

        location ~ \.php$ {
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }
}
```
PHP cach

If you do not have any special reasons why you can not install APC, turn it necessarily. Checks for APC (in response to obtain a list of settings APC):
```
php -i | grep apc
```
In PHP versions after 5.5 has a built-in module opCache, so it will not have to put the APC.

Tuning Mysql

WordPress uses InnoDB, which means we can significantly increase productivity of MySQL, adjust the number of parameters (file my.cnf) under our hardware:

The size of the buffer InnoDB is better to put in half the available RAM:
```
innodb_buffer_pool_size = 256M
```
Do not forget to include the caching of MySQL:
```
query_cache_size = 32M
query_cache_limit = 1M
```
Caching

This is the most important point. Caching can give a significant acceleration of the site and save server resources. For clarity, we will use ab from Apache. Verify the standard install WordPress without caching. The request is sent through a local network, so the delay is nothing but itself does not create a WordPress:
```
ab -c 10 -n 500 https://wordpress/
```
Obtain the average time of about 50ms on request:
```
Total transferred:      4183000 bytes
HTML transferred:       4074500 bytes
Requests per second:    17.62 [#/sec] (mean)
Time per request:       567.421 [ms] (mean)
Time per request:       56.742 [ms] (mean, across all concurrent requests)
Transfer rate:          143.98 [Kbytes/sec] received
```
Chrome shows the average wait for the response at 150 ms (the server is in the Netherlands):

WP Super Cache

This plugin allows you to enable caching literally in one action. Besides the default settings, it contains a large number of settings for tuning the cache. Download plugin, activate it in the control panel and turn on the cache

With the included WP Super Cache obtain a reduction of the average time per query 25 times (!):
```
Total transferred:      4293500 bytes
HTML transferred:       4146500 bytes
Requests per second:    499.01 [#/sec] (mean)
Time per request:       20.040 [ms] (mean)
Time per request:       2.004 [ms] (mean, across all concurrent requests)
Transfer rate:          4184.61 [Kbytes/sec] received
```
Average absorption waiting for reply in Chrome decreased by 3 times:

As an alternative to server-WP Super Cache can use Varnish. It reduces the time to process a request for nearly an order of magnitude, but the solution is less flexible (well suited for blogs without elements of dynamics).

Styles, scripts and images

Minification and Compression

Minification CSS / JS can save 10 … 15% of their size. To enable a module minification statics WP Minify. Download it, activate, and the module starts. Gzip will reduce the size of the text files into several times. In Nginx activated as follows:
```
server {
...
gzip on;
gzip_disable "msie6";
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
...
}
```
Optimizing images

Pictures can be very large part of the overall page size. Lossless compression of images can save 30 … 40% of their size. This module is able to do EWWW Image Optimizer. For it to work you will need to install imagemagick and library gd:
```
apt-get install imagemagick php5-gd
```
Good practice and experience
- It is best to choose a VPS hosting for WordPress. Shared hosting on many of the above can be done. In addition, VPS now cheap enough
- Check the topics using Pagespeed before use
- Clean trash
- Delete old revisions of posts
- Remove spam comments
- Unplug trackbacks to moments when everything becomes very slow
- Share RSS via feedburner
As a result

We’ve got a raw install WordPress to disperse about 100 times on the page generation time (we included Varnish) and increase the rate at Pagespeed from 76 to 93:

This text is a translation of article “Ускоряем WordPress” by golotyuk published on habrahabr.ru

Forums and blogs without spam

CleanTalk is a SaaS spam protection service for Web-sites. CleanTalk uses protection methods which are invisible for site visitors. Connecting to the service eliminates needs for CAPTCHA, questions and answers and other methods of protection, complicating the exchange of information on the site.
November 11, 2014
Anti-spam plugin for WordPress, version 2.33 on Feb 13, 2014
Ready to use the updated version of the anti-spam plugin for WordPress, changes,
- Added notice about automatically approved comment. The notice shows only for first approved comment and only for new commentators (without approved comments) of the blog.
- At WordPress console added banner for system notices.
Archive with the plugin cleantalk-spam-protect.2.33.zip.
February 13, 2014
Updated anti-spam plugin for WordPress on Jan 29, 2014
Ready to use the updated version of the anti-spam plugin for WordPress, changes,
- added protection from spam to form comments JetPack.
- fixed cURL error «Expect: 100-continue» when connecting to servers automatic moderation.
Archive with the plugin cleantalk-spam-protect.2.31.zip.
January 29, 2014
Updated Anti-Spam plugin CleanTalk for WordPress
In the new version of anti-spam plugin for WordPress made the following changes:
- fixed bug with displaying PHP warning for sites with PHP version 5.4.
- fixed bug with checking comments Administrators, Authors and Editors of this blog.
- plugin settings «Filter messages containing stop-words», «Language system messages» removed from the control menu plugin. These settings are now available in the control Panel service.
Archive cleantalk-spam-protect.2.4.10.zip.

PS
We welcome Your feedback and are estimated plugin CleanTalk on the website wordpress.org (registration required)!
July 25, 2013