404 Redirected Plugin as Anti Hacker Tool
I have a habit of using software and plugins for purposes other than those they were designed for, so using the WordPress 404 Redirected Plugin to identify hackers fits in with my use of iTunes to stress test PCs, and similar odd application uses.
404 Page Not Found error logs are useful tools in the arsenal to prevent malware, spambots and hacking. Any system (not only 404 Redirected) that logs 404 errors along with the source IP can be used to identify where these attacks originate from, and block access to the website from these IPs.
First: Identify IP Used by Hacker
In the never-ending war against hackers and malware, the first step is to find out where the hacker is coming from. This is where errors discovered by 404 Redirected are extremely useful. Failed hacking attempts can create an error log entry… 404 “Page Not Found”.
We can use clues to find suspicious activity; 404 errors from URLs containing words like ‘admin’, ‘upload’, ‘timthumb’ are all examples of hacking attempts unless the IP is your website or Internet connection IP. Often these and similar words will be somewhere in the query string or URL that caused the 404 error. Timthumb.php and thumb.php are also sometimes found using 404 Redirected. There may often be a file name ending with the .php or .js extension as well.
Suspicious Activity is Found, What Next?
When a suspicious-looking URL is found, we can find the IP in the log entry for the 404 error message (using 404 Redirected). An IP is a string of numbers, e.g. 178.137.166.209 (by the way, this is a hacker’s actual IP, so block it now).
Once we have found a suspicious IP, use a web service that records bad IPs to check if this is a known bad IP. Project Honeypot is one of these services, and is free to use. Some discretion is needed, or one could end up blocking regular visitors as well – hackers can use shared IPs, e.g. mobile internet connections. But any IP identified in a Honeypot list as a known source should be blocked.
Blocking IPs Found By 404 Redirected
How to block the bad IP addresses found using 404 Redirected will depend on your hosting server. cPanel will usually have an easy-to-use IP Deny manager; simply add the IP to the list using this tool. Other server set-ups may require you to manually edit the .htaccess file. If you take the .htaccess route, add this line of code to the file: “deny from 178.137.166.209” (without the quotation marks, and use the discovered IP!)
Sample of .htaccess code:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
<Files 403.shtml>
order allow,deny
allow from all
</Files>
deny from 178.137.166.209
deny from 86.96.226.87
deny from 124.115.10.68
The sample (without the added ‘deny from’ lines) is generated by WordPress on installation. The sample IPs used in the example are all known bad IPs, used by either hackers or comment spammers.
Final Note:
There will never be an all-encompassing single step to protect against hacking and malware. The methods described in this article should be thought of as only one such step, and not an answer by itself. The same information can be found elsewhere, particularly in server raw access logs and error logs. These logs should also be used to identify rule breakers.
The use of 404 Redirected as a tool to beat hackers simply adds the convenience of ‘page not found’ information available from the WordPress dashboard (as well as a practical way to manage broken links and 301 redirects).
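The same triage can be run against a raw access log. The script below is an added example, not part of 404 Redirected or the original article: it assumes the Apache "combined" log format, uses constructed sample lines with documentation-range IPs, and the function names are hypothetical. It lists candidate IPs for review and only renders "deny from" lines for IPs you pass in after checking them.

```python
import re
from collections import defaultdict

# Keywords the article lists as clues in 404 URLs.
KEYWORDS = ("admin", "upload", "timthumb", "thumb.php")
# Assumed "combined" log format: source IP, request line, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:06:25:01 +0000] "GET /wp-content/themes/x/timthumb.php?src=a HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [10/Mar/2014:06:25:02 +0000] "GET /admin/upload.php HTTP/1.1" 404 512 "-" "-"
198.51.100.20 - - [10/Mar/2014:07:00:10 +0000] "GET /old-post/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2014:07:05:00 +0000] "GET /wp-admin/missing.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:06:25:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "-"
not a log line
"""

def suspicious_404s(log_text, own_ips=()):
    """Map source IP -> list of 404 URLs that contain a clue keyword."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, url, status = m.groups()
        # Ignore non-404 responses and your own website/connection IPs.
        if status != "404" or ip in own_ips:
            continue
        if any(k in url.lower() for k in KEYWORDS):
            hits[ip].append(url)
    return dict(hits)

def deny_lines(reviewed_ips):
    """Render .htaccess lines for IPs already checked against a bad-IP list."""
    return [f"deny from {ip}" for ip in sorted(reviewed_ips)]

if __name__ == "__main__":
    candidates = suspicious_404s(SAMPLE_LOG, own_ips={"192.0.2.10"})
    for ip, urls in candidates.items():
        print(ip, len(urls), urls)
    reviewed = set(candidates)  # in practice: only IPs confirmed as known bad
    print("\n".join(deny_lines(reviewed)))
```
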
Happy blocking!
+Mike Otgaar