How to disable all bots except Google in PHP without user drop? - php

I created a website, and a lot of bots crawl it on a daily basis.
There are more bots than I have users.
Please give me a solution without dropping my users.
Note - if a user requests my URL from localhost, how can I disable it?
<?php
// Returns true when the User-Agent header names a common crawler.
// Note that 'bot' also matches Googlebot, so this treats Google as a bot too.
function _bot_detected() {
    return (isset($_SERVER['HTTP_USER_AGENT']) && preg_match('/bot|crawl|slurp|spider|mediapartners/i', $_SERVER['HTTP_USER_AGENT']));
}
?>
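The pattern above cannot tell Google apart from everything else that calls itself a bot, and the User-Agent header is whatever the client chooses to send. The following is an added example, not the asker's code: it sorts a request into "user", "google" or "bot", and confirms a claimed Googlebot with Google's documented reverse-DNS plus forward-DNS check. The DNS lookups are passed in as callables so the script runs offline with constructed answers; in a real handler pass PHP's own gethostbyaddr and gethostbyname. The IP addresses, host names and user-agent strings in the sample run are constructed.

```php
<?php
// Added example: classify a request as an ordinary user, verified Googlebot,
// or other bot. Lookup functions are injected so this runs without a network.

function classify_request(string $ua, string $ip, callable $reverse, callable $forward): string {
    // Same crawler pattern as the question; anything it does not match is a normal visitor.
    if ($ua === '' || !preg_match('/bot|crawl|slurp|spider|mediapartners/i', $ua)) {
        return 'user';
    }
    // A Googlebot user-agent is only trusted once the IP is confirmed to be Google's.
    if (stripos($ua, 'Googlebot') !== false && is_verified_googlebot($ip, $reverse, $forward)) {
        return 'google';
    }
    return 'bot';
}

function is_verified_googlebot(string $ip, callable $reverse, callable $forward): bool {
    $host = $reverse($ip);                       // e.g. crawl-66-249-66-1.googlebot.com
    if (!is_string($host) || $host === $ip) {    // gethostbyaddr() hands back the IP when there is no PTR record
        return false;
    }
    if (!preg_match('/\.(googlebot|google)\.com$/i', $host)) {
        return false;                            // PTR record points somewhere other than Google
    }
    return $forward($host) === $ip;              // forward lookup must resolve back to the same IP
}

// Constructed DNS answers for the offline run; these are not real records.
$reverse = fn(string $ip): string => ['203.0.113.10' => 'crawl-203-0-113-10.googlebot.com'][$ip] ?? $ip;
$forward = fn(string $host): string => ['crawl-203-0-113-10.googlebot.com' => '203.0.113.10'][$host] ?? $host;

// Constructed requests: genuine Googlebot, a spoofed Googlebot UA, another crawler, a browser.
$requests = [
    ['Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)', '203.0.113.10'],
    ['Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)', '198.51.100.7'],
    ['Mozilla/5.0 (compatible; SomeCrawler/1.0; +http://example.invalid)',      '198.51.100.8'],
    ['Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0',                 '198.51.100.9'],
];
foreach ($requests as [$ua, $ip]) {
    printf("%-7s %s\n", classify_request($ua, $ip, $reverse, $forward), $ip);
}

// In the real request handler (wire the live resolvers in):
// $verdict = classify_request($_SERVER['HTTP_USER_AGENT'] ?? '', $_SERVER['REMOTE_ADDR'], 'gethostbyaddr', 'gethostbyname');
// if ($verdict === 'bot') { http_response_code(403); exit; }
```

Two caveats for production use: REMOTE_ADDR is only the client's address when PHP is not behind a proxy or CDN (otherwise read the forwarded address your proxy sets, and nothing else), and the DNS round trip is slow enough that the verdict for an IP should be cached rather than recomputed on every request.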

Related

Restrict access to page based on referrer page

I need to restrict access to a page only if the visitor came from specific WordPress page(s).
I have been reading here since morning and most answers I see discourage the use of "just" the referrer because it can be spoofed.
I do not know much about PHP security and vulnerabilities. My only aim is to "discourage" users from bookmarking the page and accessing it directly. I need to validate visitors on our WordPress website and point them to the page only when they are authenticated.
Currently what I came up with so far is this.
<?php
$ref = $_SERVER['HTTP_REFERER'] ?? '';   // the header may be absent, so default to an empty string
$theOrigins = array(
    'http://mysite.tld/?page_id=x1',
    'http://mysite.tld/?page_id=x2');
$validRef = false;
if (in_array($ref, $theOrigins, true)) {
    $validRef = true;
}
if (isset($_GET['passkey']) && ($_GET['passkey'] == 'thePasskey') && $validRef ) {
?>
<show html page>
<?php
} else {
    //echo 'You are not supposed to access this page directly';
    header('HTTP/1.0 403 Forbidden');
    exit('Forbidden');
}
?>
This is mostly based on the answer in this post
What is the best way to password protect folder/page using php without a db or username
I am planning to add the solution in this page
http://thisinterestsme.com/restricting-access-referrer/
But according to this post,
Passing PHP Session Value
WP does not use sessions.
Is this instruction on how to use WP sessions no longer applicable in current WP versions?
https://silvermapleweb.com/using-the-php-session-in-wordpress/
What are my options?
Thanks
Moin,
if you know that what you are trying to do is insecure (it is possible to manipulate the HTTP_REFERER header), you could try to be less specific about the allowed URLs. Maybe just check for the right host:
if(strpos($ref, 'mysite.tld') !== false && $_GET['passkey'] == 'thePasskey')
{ ... }
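A substring search for the site name also accepts a referrer like http://mysite.tld.evil.example/ or http://evil.example/mysite.tld. The following added example (not the asker's or the answerer's code) parses the referrer and compares its host exactly, and compares the passkey in constant time; the host names are assumed and the passkey placeholder is the one from the question. The Referer header is still sent by the client and can be omitted or forged, so this discourages direct access, it does not authenticate anyone.

```php
<?php
// Added example: exact referrer-host check plus constant-time passkey comparison.

const ALLOWED_REFERRER_HOSTS = ['mysite.tld', 'www.mysite.tld']; // assumed host names
const PASSKEY = 'thePasskey';                                   // placeholder from the question

function referrer_allowed(string $referer, array $allowedHosts): bool {
    if ($referer === '') {
        return false;                        // header missing: privacy settings, HTTPS->HTTP, or a direct visit
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;                        // unparseable referrer
    }
    return in_array(strtolower($host), $allowedHosts, true);
}

function passkey_valid($supplied): bool {
    // hash_equals() takes the known value first and does not leak how many characters matched.
    return is_string($supplied) && hash_equals(PASSKEY, $supplied);
}

function request_allowed(array $server, array $get): bool {
    return referrer_allowed($server['HTTP_REFERER'] ?? '', ALLOWED_REFERRER_HOSTS)
        && passkey_valid($get['passkey'] ?? null);
}

// Constructed requests showing why a substring test is not enough.
$cases = [
    'valid'             => [['HTTP_REFERER' => 'http://mysite.tld/?page_id=x1'],             ['passkey' => 'thePasskey']],
    'lookalike host'    => [['HTTP_REFERER' => 'http://mysite.tld.evil.example/?page_id=x1'], ['passkey' => 'thePasskey']],
    'site name in path' => [['HTTP_REFERER' => 'http://evil.example/mysite.tld'],             ['passkey' => 'thePasskey']],
    'no referrer'       => [[],                                                                ['passkey' => 'thePasskey']],
    'wrong passkey'     => [['HTTP_REFERER' => 'http://mysite.tld/?page_id=x2'],             ['passkey' => 'guess']],
];
foreach ($cases as $label => [$server, $get]) {
    printf("%-18s %s\n", $label, request_allowed($server, $get) ? 'allowed' : 'forbidden');
}

// In the protected page itself:
// if (!request_allowed($_SERVER, $_GET)) { header('HTTP/1.0 403 Forbidden'); exit('Forbidden'); }
```

If the goal is really "only authenticated visitors", the check that holds up is the one WordPress already provides (is_user_logged_in() or a capability check in the page template), since it rests on the login cookie rather than on a header the browser may drop.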

How to detect that it's Twitter requesting my page

According to the Tweet Button documentation (https://dev.twitter.com/docs/tweet-button/faq#count-api-increment), the posted article must be accessible with HTTP response code 200 to allow Twitter to count your articles.
The current setup of our website is this:
1. the article URL has the following form: /post/:date/:title
2. the link which is shared via Twitter is: /:date/:title (I don't know why - I didn't design it)
3. when someone accesses the second link, the backend code performs a 301 redirect to the first link
To fix tweet counting I need to serve response code 200 with JS code that performs the redirect (e.g. window.location = '...'). But it will break the 301 redirects for the Google bot crawling the website, which is something we want to avoid (SEO reasons).
So the only solution I see is to leave the 301 redirect, and serve a different one only to Twitter when it is trying to curl my website.
But how to do it?
I've just found a solution to my problem.
According to the Twitter docs (https://dev.twitter.com/docs/cards/getting-started#crawling) Twitter uses the Twitterbot user agent, and based on this I wrote the following snippet of code:
// Twitter's fetcher gets a 200 page whose script performs the redirect, so the count is attributed.
if( strpos($_SERVER['HTTP_USER_AGENT'] ?? '', 'Twitterbot') !== false ) { // for twitter counting
    echo('<script type="text/javascript">window.location = "/post/:date/:title"</script>');
    die;
}
else {
    // Everyone else, including search-engine crawlers, keeps the permanent redirect.
    header('Location: /post/:date/:title', true, 301);
    die;
}
Hope it helps someone in the future.

PHP how to restrict folder and website content to different users?

I've been googling for days now and have come across different ways to secure folders (htaccess, using a PHP page with a password) but these don't tackle my issue.
The problem:
I need to have a site where different clients can access ONLY THEIR content. Client-A needs to be able to access all their Flash content and websites. Client-B and Client-C need to do the same but none of them can access each other's content (even by directly linking to it). A username/password system won't work because each client has 400-1000 users and neither I nor the client has time to manage all these users.
I looked into htaccess and htpasswd but I prefer not to use any username/password combos. Ideally, I'd like a "secret word" or "passphrase" I could pass from an iPad app or Air program to the server to get the content I need. Anyone have some ideas on the best way to handle this?
EDIT: To simplify things... I want to have HTML sites and Flash SWFs above my web root and be able to display them to users. How can I make this happen? I have HTML sites that use relative links, so using PHP's readfile() causes these sites to break since those links aren't correct.
What RDBMS are you using?
With mod_authn_dbd and basic authentication you would be able to do so.
Something like this:
AuthType Basic
AuthName "My Server"
AuthBasicProvider dbd
# core authorization configuration
Require valid-user
# mod_authn_dbd SQL query to authenticate a user
AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
If you have control over the software which sends the requests, you could add your own X-header to every request which identifies the user.
With apache_request_headers() you can get your own request header from the request:
http://www.php.net/manual/en/function.apache-request-headers.php
==============
Edit after first comment:
Some code for example:
globals.php
$headers = apache_request_headers();                 // only available when PHP runs under Apache
$key = $headers["X-Authorization-Key"] ?? '';        // header sent by your own client software
$authorized = checkAuthorization($key);
if(!$authorized) {
    header('HTTP/1.1 403 Forbidden');
    echo "Access denied!";
    exit;
}
//... db connection or something else to get user specific definitions, paths, ...
//e.g. $users maps each key to a user name:
$user = $users[$key];
define("CONTENT_PATH", "/var/www/mypage/data/".$user);
function checkAuthorization($key) {
    //... db connection or something else where the authorization-information are stored in
    //check whether the $key is in the auth-info and return true / false for the result
    return true; //or false
}
in every script on top:
<?php
require_once("globals.php");
//... work with the user specific definitions, paths
include(CONTENT_PATH."/...");
//...
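The sketch above leaves two things open: how the key is compared, and whether the path that ends up in include() can be steered outside the client's directory. The following added example (not the answerer's code) keeps the X-Authorization-Key idea, looks the key up with a constant-time comparison, and refuses to read anything that does not resolve inside the client's own directory. It takes the file path from PATH_INFO (content.php/index.html) rather than a query parameter so that relative links inside the served HTML keep working, which is the problem raised in the question's EDIT. The keys, directory names and paths are constructed placeholders.

```php
<?php
// Added example: per-client content served from above the web root, with a
// constant-time key lookup and a realpath() containment check.

const CLIENT_KEYS = [                                // assumed key -> client directory mapping
    'k-0123456789abcdef' => 'client-a',
    'k-fedcba9876543210' => 'client-b',
];

// Returns the client directory name for a presented key, or null.
function client_for_key(string $presented): ?string {
    foreach (CLIENT_KEYS as $key => $client) {
        if (hash_equals($key, $presented)) {     // constant-time, unlike == or in_array()
            return $client;
        }
    }
    return null;
}

// Resolves a requested relative path inside $root/$client.
// Returns the absolute path, or null if it escapes that directory or does not exist.
function resolve_client_file(string $root, string $client, string $relative): ?string {
    $base = realpath($root . '/' . $client);
    if ($base === false) {
        return null;
    }
    $target = realpath($base . '/' . $relative);
    // A separator is appended so "client-a" cannot match "client-ab".
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                             // ../ or a symlink led outside the client directory
    }
    return $target;
}

// Request handler. $_SERVER exposes the custom header as HTTP_X_AUTHORIZATION_KEY
// regardless of web server, so apache_request_headers() is not needed.
function serve(array $server, array $get, string $root): void {
    $client = client_for_key($server['HTTP_X_AUTHORIZATION_KEY'] ?? '');
    if ($client === null) {
        http_response_code(403);
        exit('Access denied');
    }
    $file = resolve_client_file($root, $client, ltrim($server['PATH_INFO'] ?? '', '/'));
    if ($file === null) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: ' . (mime_content_type($file) ?: 'application/octet-stream'));
    readfile($file);
}

// Offline demonstration with a constructed temporary client tree.
$tmp = sys_get_temp_dir() . '/clientdemo-' . getmypid();
mkdir("$tmp/client-a", 0700, true);
mkdir("$tmp/client-b", 0700, true);
file_put_contents("$tmp/client-a/index.html", '<p>A</p>');
file_put_contents("$tmp/client-b/secret.txt", 'B');

var_dump(resolve_client_file($tmp, 'client-a', 'index.html'));              // inside client-a
var_dump(resolve_client_file($tmp, 'client-a', '../client-b/secret.txt'));  // traversal attempt
var_dump(client_for_key('k-0123456789abcdef'));
var_dump(client_for_key('k-0000000000000000'));

unlink("$tmp/client-a/index.html"); unlink("$tmp/client-b/secret.txt");
rmdir("$tmp/client-a"); rmdir("$tmp/client-b"); rmdir($tmp);

// In content.php on the server: serve($_SERVER, $_GET, '/var/www/mypage/data');
```

PATH_INFO routing assumes the web server passes the trailing path to the script (Apache's AcceptPathInfo On, or the equivalent rewrite on nginx). A shared key per client is still a bearer secret: send it only over HTTPS, and rotate it when a client's staff changes.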
What you do is, when the user creates their login account, they have the option to select which group they are using. Then when page info is displayed, it displays the normal page, but with the permissions name included in it. You would have to build 3 separate content pages, but they would only see the content of their chosen group.
homegroup1.php
homegroup2.php
homegroup3.php
If the user is in group one, the redirect would be home"group".php for the display. It would call for the group on the site they go to.

Denying Access To A Page Based On Referrel

Here's where I'm at:
I have a Wordpress plugin that allows for subscriptions to be in place, and uses the Paypal IPN. This plugin denies access to certain pages based on whether a user has an active subscription.
I have another plugin that allows for one time payments for a different service. This takes the user to Paypal, and redirects them to a page where they can upload videos. These videos can only be uploaded after payment, but anyone can access the page by direct URL...
How can I limit access to this upload page?
So I'm not sure if you want to do this with JavaScript or PHP... PHP would be more reliable (people can turn off JavaScript), but ultimately the referrer can be altered by a user if they are really keen to bypass any measures you put in place, so bear that in mind when implementing this.
The best way would just be to have an if statement checking the referrer, and if it isn't an acceptable referrer, just redirect them.
<script type="text/javascript">
if (document.referrer != '[Only Allowed Referrer URL]')
{
    window.location = "http://not.allowed.to.view.site";
}
</script>
or
<?php
if (($_SERVER["HTTP_REFERER"] ?? '') != "[Only Allowed Referrer URL]")
{
    header( 'Location: http://not.allowed.to.view.site' ) ;
    exit; // stop here, otherwise the rest of the page is still sent along with the redirect header
}
?>
I haven't fully tested the above code, but something like that is what you want. Basically, if it isn't from an "allowed" referrer, redirect to an error page.
Again, using the referrer URL to deny or grant access to a page isn't that reliable, but if you want to do it, something like that is what you need. Also be wary of things such as the URL sometimes having "www." at the beginning and sometimes not. There may be variations of the URL that you will want to consider in your if statement.
I assume that you are using something like this in your paypal form:
<input type="hidden" name="return" value="http://mydomain.com/verify.php">
If so, in this page: http://mydomain.com/verify.php you must verify that the transaction was right. Instant Payment Notification - Code Samples stuff, correct? Well, if this verification is invalid you deny all further processing (uploading video).
Otherwise you redirect to let's say http://mydomain.com/upload.php:
header('Location: http://mydomain.com/upload.php') ;
Now, in the uploading page you put at top:
if (($_SERVER['HTTP_REFERER'] ?? '') != 'http://mydomain.com/verify.php')
{
    die('get out of here!');
}
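Both answers gate upload.php on the Referer header, which the browser may not send and the visitor can set. Since verify.php already knows whether the payment checked out, it can record that fact server-side instead. The following added example (not either answerer's code) keeps a short-lived grant in the PHP session: verify.php writes it after the IPN check succeeds, upload.php reads it, and the upload handler consumes it so one payment buys one upload. Function names, the order id and the time-to-live are assumed. WordPress does not start a session by itself, as the earlier question notes, so the plugin must call session_start() on both pages before anything is output.

```php
<?php
// Added example: session-backed upload grant replacing a Referer check.
// Call session_start() in verify.php and upload.php before using $_SESSION.

// Called in verify.php after the IPN/PDT verification has succeeded.
function grant_upload(array &$session, string $orderId, int $ttlSeconds = 3600): void {
    $session['upload_grant'] = [
        'order'   => $orderId,
        'expires' => time() + $ttlSeconds,
    ];
}

// Called at the top of upload.php. Returns the paid order id, or null when there
// is no grant, the grant is malformed, or it has expired.
function upload_allowed(array $session, ?int $now = null): ?string {
    $now = $now ?? time();
    $grant = $session['upload_grant'] ?? null;
    if (!is_array($grant) || !isset($grant['order'], $grant['expires'])) {
        return null;
    }
    if (!is_int($grant['expires']) || $grant['expires'] < $now) {
        return null;
    }
    return (string)$grant['order'];
}

// Called once the uploaded file has been stored, so the grant cannot be reused.
function consume_upload_grant(array &$session): void {
    unset($session['upload_grant']);
}

// Constructed walk-through using a plain array in place of $_SESSION.
$s = [];
var_dump(upload_allowed($s));                        // direct visit to upload.php before paying
grant_upload($s, 'ORDER-123', 3600);                 // verify.php ran and the IPN check passed
var_dump(upload_allowed($s));                        // upload.php in the same session
var_dump(upload_allowed($s, time() + 7200));         // the same grant two hours later
consume_upload_grant($s);                            // file stored, grant used up
var_dump(upload_allowed($s));

// In upload.php:
// session_start();
// if (upload_allowed($_SESSION) === null) { http_response_code(403); exit('Payment required'); }
```

The grant should be written only by the code path that has verified the transaction (the IPN validation step the answer describes), never by the page the visitor is redirected to, because anyone can request that page directly.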

Prevent loading PHP pages into Joomla wrapper

I'm the owner of a web site with a dozen web pages. The pages were made using PHP. Some time ago I discovered that some guys, using the Joomla CMS and its wrapper menu option, included my starting (login) page there and in this way confused members and other visitors, especially because the wrapper "window" isn't big enough and some information on my page isn't visible. In this way visitors connect these pages with me and get a bad feeling about my whole site. I contacted these guys but got no answer, then I tried to solve it using the $_SERVER['HTTP_REFERER'] superglobal but I didn't get a right and working solution for this problem. Has someone experienced a similar problem? Thanks.
EDIT - This is the code
$HTTP_REFERRER=%SERVER['HTTP_REFERER'];
if ($HTTP_REFERRER) {
    // check if the referrer is on your noentry list
    // if so redirect it to another page
    if ($HTTP_REFERRER == "www.mean.visitor.com") {
        echo 'referer is' . $HTTP_REFERRER;
        die;
    } // shows the referrer and formats ur local harddrive
    echo "You came from $HTTP_REFERRER";
} else {
    //everything is OK
}
From the code you posted, the first problem I see is on the first line:
$HTTP_REFERRER=%SERVER['HTTP_REFERER'];
should be
$HTTP_REFERRER=$_SERVER['HTTP_REFERER'];
Then in the second if you must insert the web addresses you want to block, so change
if ($HTTP_REFERRER == "www.mean.visitor.com")
with
if ($HTTP_REFERRER == "the address you want to block")
And write die() instead of die.
Has something changed?
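A referrer comparison depends on the framing site's URL being known in advance and on the browser sending the header at all. Browsers already provide a way for a page to refuse being loaded inside another site's frame: the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive. The following added example (not the asker's or the answerer's code) builds those headers; the partner origin in the sample call is assumed.

```php
<?php
// Added example: response headers that stop other sites from wrapping this page
// in an iframe, which is what a Joomla "wrapper" menu item does.

// Returns the headers to send. With no allowed origins the page may only be
// framed by its own site; with a list, only by the site itself and those origins.
function anti_framing_headers(array $allowedOrigins = []): array {
    if ($allowedOrigins === []) {
        return [
            'X-Frame-Options'         => 'SAMEORIGIN',            // understood by older browsers
            'Content-Security-Policy' => "frame-ancestors 'self'", // takes precedence where supported
        ];
    }
    // X-Frame-Options has no multi-origin form, so only the CSP directive carries the list.
    return [
        'Content-Security-Policy' => "frame-ancestors 'self' " . implode(' ', $allowedOrigins),
    ];
}

// Call before any output on every page that must not be wrapped.
function send_anti_framing_headers(array $allowedOrigins = []): void {
    foreach (anti_framing_headers($allowedOrigins) as $name => $value) {
        header("$name: $value");
    }
}

print_r(anti_framing_headers());
print_r(anti_framing_headers(['https://partner.example']));   // assumed partner origin
```

Unlike the referrer check, this works whether or not the framing site is known, and the browser enforces it on the visitor's side, so the wrapped login page simply does not render inside the other site.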
