[wp-hackers] Zombies aimed at WordPress

Roy Schestowitz r at schestowitz.com
Thu Oct 13 15:16:27 GMT 2005


_____/ On Thu 13 Oct 2005 15:57:17 BST, [ifelse] wrote : \_____

>> Oh, sorry...! My misinterpretation. The only glaring pitfall is that 
>> it covers WordPress only
>
> Actually, Bad behaviour provides cover to any PHP powered site.
> There's a convenient plugin for WP but you can plug it into a non-WP
> site easily.

<snip from site>

...

By default Bad Behavior can provide protection to any PHP script out of the
box, but it cannot provide logging. If you are willing to live without Bad
Behavior’s detailed logs, simply install the Bad Behavior folder somewhere on
your server, and then call
require_once("/path/to/bad-behavior/bad-behavior-generic.php");
from your PHP script. I recommend placing this function call in a common piece
of PHP code which is loaded from all parts of your PHP-based software, so that
it can provide protection to all parts of your software.

...

</snip>

Bad Behaviour relies on the fact that requests bubble through
bad-behavior-generic.php if I understand this correctly (having not looked at
it in too much depth). What about static pages (the vast majority of my site)?
Or other methods of dynamic page generation?

You are very right in pointing out my gross mistake. Bad Behaviour is not
WordPress only, but rather a simplification was made by wrapping it up in a
plug-in with the necessary header and it contains all the necessary files and
the rational progression of steps in the WP main loop.

Bad Behaviour still serves as somewhat of a bubble that needs to be called
every single time a destined PHP script is run (with possible optimisations
like "use once for each UIP, skip thereafter"). Whereas Apache rules can give
a long-term solution, Bad Behaviour will beg for mending every time an upgrade
is put in place. There are a few more issues I can think of...

Cheers,

Roy


