Further articles of the series

Grand seigneur of firewalls

In the article series about the WordPress Security Plugins everything was already available. Strong firewall solutions for a lot of money, economical and yet very effective firewalls and also many plugins, which in the end only helped the "normal" Check off security settings that beginners unfortunately often forget or cannot implement due to lack of knowledge. Also VaultPress has been helping with WordPress Security for a while now. In part 8 of the WordPress Security Plugins now comes the classic, the grandseigneur if you like, because the Blacklist and .htaccess Tricks of Jeff Starr are actually very famous and have been widely used for years. Even before the whole world was aggressively worried about the security of their blogs, Jeff Star created his ingenious blocklists and his fantastic BBQ (Block Bad Queries) Plugin for WordPress. For more than 10 years, the developer has also been tinkering with firewalls and knows his way around the WordPress scene. Time to take a closer look at the current block list and the latest version of BBQ, because I was waiting for this release (which was a long beta) before I wanted to present the plugin to you. Now it is finally ready.

BBQ Security Plugin

The WordPress Plugin BBQ is not so new for regular readers, because very early I came across this ingenious extension and she recommended. BBQ is based on the blocklists of Jeff Starr (more on this in a moment) and filters accesses with dangerous content or unnecessary parameters. This makes sure that many "odd" Requests disappear from now on and potential attacks cannot be exploited because BBQ completely blocks or redirects the corresponding parameter in advance. Thus the WordPress Security Plugin controls all accesses and sifts out malicious content accordingly. Very effective, very simple. Not for nothing the Free Version of BBQ currently not a single negative rating, not for nothing has Jeff Starr made a name for himself. Meanwhile the plugin is also available as Pro Versionwhich shows statistics and enables further, also manual filters. The price is with 15 dollars more than fair and the purchase pays off quickly, also because there are regular updates and Jeff Starr is not just anybody, but a real WordPress professional, who put it into my List of important personalities for bloggers ...to the end of the day.

6G Firewall for WordPress

But the BBQ Plugin for WordPress is essentially based only on the already mentioned blocklists, which each of you can also integrate independently via .htaccess into your blog. These blocklists have been around for years and they are constantly being adapted, improved and extended. The big breakthrough came with the 5G Firewall, which was so effective that even some security plugins copied it. The latest one is called 6G Firewall and finally contains the final code of the 6G Beta, which caused some problems in the WordPress area. These problems are now solved and the final 6G Firewall is available for download ready. It contains some valuable lines, the most important of which I would like to break down and explain in the following paragraphs. Also a general explanation of the functionality.

Minimalist block list

The biggest advantage that the 6G Firewall offers is the simplicity of its design. Simple and minimal .htaccess code, no unnecessary ballast and each line finely sorted. This is, especially compared to some fat firewall plugins for WordPress, a real boon. Finally, a firewall ideally also provides better performance, because it sifts out and blocks the nonsensical hacking attempts and attacks, which relieves the server. Through the "fat" Making some plugins, however, this advantage often disappears, or at least disappears slightly. The 6G firewall on the other hand does not need PHP or MySQL and controls all HTTP requests for certain patterns or known insecurities. So it does what many security plugins do, but more effectively and with much less effort.

6G Firewall .htaccess

To use the 6G firewall blocklist you have to add the code from the bottom to the top of your .htaccess. The sections work completely detached from each other, so you can also remove parts of it if you have problems with them. In general it is advisable to integrate the whole section, because each section has been tested and optimized for its purpose.

# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/

# 6G:[QUERY STRINGS]

	RewriteEngine On
	RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
	RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
	RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
	RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
	RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
	RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
	RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
	RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
	RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
	RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
	RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
	RewriteRule .* - [F]


# 6G:[REQUEST METHOD]

	RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
	RewriteRule .* - [F]


# 6G:[REFERRERS]

	RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
	RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
	RewriteRule .* - [F]


# 6G:[REQUEST STRINGS]

	RedirectMatch 403 (?i)([a-z0-9]{2000})
	RedirectMatch 403 (?i)(https?|ftp|php):/
	RedirectMatch 403 (?i)(base64_encode)(.*)(\()
	RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
	RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&?)/?$
	RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
	RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
	RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
	RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
	RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
	RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php


# 6G:[USER AGENTS]

	SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
	SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
	
		Order Allow,Deny
		Allow from All
		Deny from env=bad_bot
	


# 6G:[BAD IPS]

	Order Allow,Deny
	Allow from All
	# uncomment/edit/repeat next line to block IPs
	# Deny from 123.456.789

The User Agents and IP's you can and must of course adapt to your own wishes, or remove these sections completely. For example, there are some quite aggressive bots in Germany that should be locked out. Here you may also find the well-known IP banlist, which contains updated and German-adapted lists for bad bots and IP addresses delivers.

Performance and security

The thing about firewalls and block lists always boils down to the same thing in the end. Malicious bots and requests are blocked, which reduces the load on and access to the server. This in turn results in better performance and correspondingly higher security. Because certain patterns are also specifically blocked, typical attacks can be prevented in advance. Who wants to block some IP's or special bots, which appear conspicuously often in the logs or are up to no good. Of course, a manually maintained block list via .htaccess is not as simple as a plugin in the style of Ninja firewallbut it is more efficient and avoids unnecessary detours. If you are not familiar with it, you can also use the BBQ Pro Plugin, which also uses the mechanisms of the 6G Firewall, but only via the path of the classic WordPress Plugin. All in all a very clean and well thought-out solution that can be realized either by hand or via a plugin for your own blog. Be sure to have a look!

About Christian

My name is Christian and I am co-founder of the platform fastWP. Here in the magazine I am responsible for the more "technical" topics but I like to write about SEO, which has been my passion for over 10 years now.

Leave a Comment

Your email address will not be published. Required fields are marked *

en_GB