I had created a WordPress website www.saftech.ae some time back (end Jan - start Feb). The website was working all right until I last checked on 10th March 2014. A few days back I was informed by my colleague that the site is not opening. On going to the website I was greeted with a URL blocked by the service provider stating the material on the site comes under the Restricted Content Categories.
I tried opening my WordPress account but got the same page of the URL being blocked. I couldn't even access the cPanel directly and I had to open it via the IP address. Being a first timer at making a website, I don't know what to look for in such a situation. I opened the files via an FTP client and on opening the .htaccess file, I found the following code in it:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
What does this mean? Is my website compromised? How do I confirm? What should I do in case the website is compromised?
I have already shot a mail to my service provider and called the support team innumerable times but have not gotten any help from their end till now. Kindly help.
So, I requested the third party host where my website is being hosted to run a scan and I was told that my site had been compromised due to a phishing attack which may have been caused by one of the themes. I removed all those files and added more security plugins, but now my site has been blacklisted on PhishTank and McAfee. I have already sent them a request to review the website again. What else can I do to unblock my website?
I too have the same problem with my WordPress site. It works everywhere except certain firewalls would block it. In my case McAfee blocks it on certain IP addresses. I don't think what you describe means that your site is compromised; it is just that your firewall categorizes some of the scripts in your site as belonging to a malicious category. If you have lately installed any new theme or any new plugin, try getting rid of that and it should work.
Moreover, I am also getting blocked from visiting your site due to McAfee settings.
My website is finally unblocked and working perfectly. This mess had started from the twentytwelve theme which was already present in WordPress when I had started using it. The twentytwelve theme was vulnerable in my case, which led to the whole phishing site being hosted on my domain.
All I did was remove the whole twentytwelve theme folder, send review requests to PhishTank and McAfee, where my website had been blacklisted, to unblock it, and constantly keep bugging my ISP to unblock the website. It took almost 10 days for my site to come back online.
Also, I added the Sucuri and Wordfence security plugins with email alerts for any kind of changes or logins.
PS: I would advise people to just keep the theme they are using and remove all the other inactive ones. I am using the responsive theme and today I had to remove the twentythirteen theme as the file was modified but not by me.
OK, we have some HTML5/JS pages in directories (in WP 'uploads') on a WordPress site.
We only want LOGGED in WordPress users to be able to view them.
There were a couple of similar questions here on Stack but when we tried them their solutions did NOT work for us, primarily due to our WordFence and AIO security plugins, that make adjustments to wp-config and htaccess.
We got this code below to work by placing the htaccess in the directory with the HTML:
#--get file name being accessed and check
RewriteCond %{REQUEST_FILENAME} ^.*(html|mp3|m4a|jpeg|jpg|gif|png|bmp|pdf|doc|docx|ppt|pptx|)$
#--if file being accessed is index.html check for cookie
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
#--execute 403 if no cookie found
RewriteRule . - [R=403,L]
**BUT** it is easily fooled by creating a WP style cookie that fools the "check".
Hoping someone has a better idea that is a little more secure?
None of the PHP solutions we found here so far have worked (we tried about a half dozen), mostly for the reasons mentioned above. Some of the solutions here are over 10 years old or not related to our config (CentOS 7.6, Plesk Obsidian, PHP 7.X, WP 6.1x) or were a little brief :-)
(Oh, and my tech guy has COVID)
Sid
Some further info: I do apologize, but my tech is unavailable (hospital, critical care) so I don't have specific examples of everything tried previously. I DO know that involving an include of wpload.php created errors because of our security plugins (Wordfence, AIO security)
We can test anything suggested.
Plugins like ACC do not/did not work - they are focused on WordPress and WordPress Users - protecting WP posts, pages, etc. They are just not designed for restricting access to stand-alone HTML from NON-WP visitors. We tried several (including ACC and and they collided with our security and membership plugins.
Any solution I suspect will involve php and htaccess to control non-WP users/visitors.
I am sorry, but I am not sure what/how the 'use a template' would work.
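The weakness described in this question, set beside a check that a hand-typed cookie cannot satisfy (an added example, not code from the original posts). The `user|expiry|mac` token is a generic HMAC construction assumed for illustration, not WordPress's own cookie format; `SECRET`, `issue_token` and `verify_token` are hypothetical names.

```python
import hashlib
import hmac
import re
import time

# The RewriteCond from the post passes any request whose Cookie header merely
# contains the text "wordpress_logged_in" ([NC] = case-insensitive).
PRESENCE_CHECK = re.compile(r"^.*wordpress_logged_in.*$", re.IGNORECASE)

# Hypothetical server-side key (constructed for this example); a real one is
# random, long, and stored outside the web root.
SECRET = b"constructed-demo-key"


def htaccess_allows(cookie_header):
    """Mirror of the .htaccess logic: name present -> allowed, value never checked."""
    return PRESENCE_CHECK.match(cookie_header) is not None


def _mac(username, expiry):
    msg = "{}|{}".format(username, expiry).encode("utf-8")
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(username, ttl=3600, now=None):
    """Called only after a real login; returns 'user|expiry|mac' (assumed format)."""
    if "|" in username:
        raise ValueError("username must not contain '|'")
    expiry = int((time.time() if now is None else now) + ttl)
    return "{}|{}|{}".format(username, expiry, _mac(username, expiry))


def verify_token(token, now=None):
    """Accept only tokens whose MAC matches and whose expiry is in the future."""
    parts = token.split("|")
    if len(parts) != 3:
        return False
    username, expiry, mac = parts
    # Constant-time comparison; a client cannot compute the MAC without SECRET.
    if not hmac.compare_digest(_mac(username, expiry).encode(), mac.encode()):
        return False
    try:
        return int(expiry) > (time.time() if now is None else now)
    except ValueError:
        return False
```

The difference is that the first check trusts a name the client chooses, while the second trusts only a value the server computed.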
You can use the (AAC = Advanced Access Manager) WordPress plugin to restrict access to an HTML page on a WordPress site to only logged in users.
Use a plugin like User Specific Post to restrict your specific page in the edit screen. If you have any question about the plugin, ask the plugin author or the wordpress.org forum.
Everyone, I recently migrated my website from one host to another host (IONOS to Plesk VPS). Using all one migration plugin the website migrated successfully, but the website homepage URL shows "too many redirects". The problem is that only the homepage URL is not working, but all my website pages, URLs, posts, and the WordPress dashboard are loading correctly.
I am using Cloudflare for DNS & SSL, Elementor, WooCommerce, etc. on my website. When I shift my website back to the old IP (host), the website works, but on the new host the website homepage URL is not working.
The website only works when I disable the Cloudflare proxy, so that means the problem is coming from Cloudflare.
Fixes I tried:
Changing the site URL
Changing Cloudflare SSL mode to full, flexible, and full strict
Creating a default .htaccess file
Opening the website in incognito mode and on another device
Disabling the plugins etc. (but nothing is working for me)
If anyone can help me with this it would be greatly appreciated.
I'm experimenting, trying to build a web app for an idea that I had. I wanted to basically have people log in over Facebook (so I won't be handling passwords anyway), and add in their student email address (i.e. .edu). Then, this information would be stored in my site's database.
I realized that since this is potentially sensitive information, it might be a good idea to encrypt, and I wanted to figure out how to use SSL anyway. I installed the certificate and used .htaccess to redirect visitors to the https site... Then I noticed that the jQuery EtherPad plugin I was using had stopped working. Presumably, I will eventually figure out a better fix for using EtherPad, but I was wondering anyway if there's any purpose to using SSL on the entire site or if it is correct. I had heard that it makes a lot of sense to use https only when users are entering secure information, i.e. login.
Additionally, I can't quite figure out how to do this. If you enter my site's name, it redirects the homepage to https. Furthermore, from there, any links remain https. However, if you enter a folder, i.e. /about, it will use http until the user goes to the homepage.
Any advice? I hope this is specific enough. I read several other pages, but they were too dense for me and didn't seem to address my specific question. I am a web development and Stack Overflow noob.
Below is my .htaccess file. I have a vague understanding of what it means, but not exactly.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^website\.com
RewriteRule (.*) https://www.website.com/$1 [R=301,L]
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} folder
RewriteRule ^(.*)$ http://www.website.com/login/$1 [R,L]
I read the other threads about this topic but I couldn't find anything that I felt could apply in my case. It seems pretty basic though. I have a website built in PHP with an Apache server. At this moment all the traffic is done via http. The people who paid for the site now want to move it to https. They bought a certificate and the web server hosts will install it. What changes do I need to make to make it work via https, besides changing the redirects within the code?
I also found this link which seems pretty helpful, but I think maybe it's too complex?
Thank you,
Alex
You should change your resource links (like external JavaScript references such as jQuery) in the site where there are hard-coded paths in http://domain.name/some-link-here to just //domain.name/some-link-here. This will prevent the browser from complaining about mixed-mode content.
For links that are on the same domain, you could use absolute/relative URLs.
After that you can place an .htaccess such that any URLs accessed on the domain would automatically redirect to the HTTPS version. Place the following lines as the first rule in the file.
.htaccess code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
The .htaccess will also take care of any hard-coded links (towards the same domain/site) that you might have in your site and that you have missed.
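A checker for the hard-coded `http://` resource links this answer says to change, together with the `//` rewrite it suggests (an added example, not part of the original answer). The sample page and its example.com hosts are constructed, and `find_mixed_content` and `protocol_relative` are hypothetical helper names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes the browser fetch a sub-resource. Plain <a href>
# navigation links are left out: they do not trigger mixed-content warnings.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
                  "audio": "src", "video": "src", "source": "src", "embed": "src"}

# Constructed sample page (hosts are placeholders).
SAMPLE = """<html><head>
<script src="http://cdn.example.com/jquery.min.js"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<img src="//cdn.example.com/logo.png">
<a href="http://www.example.com/about">About</a>
<iframe src="HTTP://pad.example.com/p/demo"></iframe>
</body></html>"""


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                url = value.strip()
                if urlsplit(url).scheme == "http":  # urlsplit lowercases the scheme
                    self.findings.append((self.getpos()[0], tag, url))


def find_mixed_content(html):
    """Return every sub-resource reference that is hard-coded to http://."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def protocol_relative(url):
    """http://host/path -> //host/path; anything else is returned unchanged."""
    return url[5:] if urlsplit(url).scheme == "http" else url


if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE):
        print("line {}: <{}> {} -> {}".format(line, tag, url, protocol_relative(url)))
```

Running it over exported page templates before switching on the redirect lists the references a browser would otherwise block or warn about once the page is served over HTTPS.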
I was wondering if it is possible to block certain things from running through server.
Example: I am a part of an ad network and some of the ads are sexually suggestive. I have asked to not get these ads on my page but was told they can't control the delivery network to block only adult ads.
Is it possible in Apache or htaccess or something to program the URLs of the "dirty" ads and have them not show up to the end user?
Sorry if my question is worded poorly. Thanks.
The below code in htaccess denies access to sexualwebsite.com:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https?://([^.]+\.)*sexualwebsite\.com [NC]
RewriteRule .* - [F]
</IfModule>
Replace sexualwebsite with whichever domain you want to block. Source: http://davidwalsh.name/block-domain
Usually ads are not actually served by your server but injected into the page on the client using Javascript. Nothing you modify on your server would affect which ads are being pulled in by that client-side script.
It might technically be possible to have some additional Javascript to monitor the ad-serving script and disallow the loading of an ad, but it would be a hack and would break if your ad provider changes something. It would also probably violate your ad provider's terms of service, resulting in you not getting paid.
The only reliable way to control which ads are being served is by some API or control panel that would have to be provided by your ad network. If they don't offer this functionality, then there's probably nothing you can do about it.