Hello. This is Sorato Papa Sensho, and overseas spammers are giving me a headache.
WordPress, which is available in 51 language versions, accounts for 24% of websites worldwide; it is said to generate 490 million page views (PV) per day, and more than 183,000 comments are posted per day on blogs built with WordPress. As of this writing, WordPress 4.2 has been downloaded 34,820,100 times (WordPress 4.2 download counter), and that number keeps growing.
The reason WordPress is this popular seems to be that anyone can easily build a site without knowing how to code, and that it excels in extensibility and SEO. But how many WordPress users have the ability to avoid the risk of being hacked on their own and to recover from the damage of a hack?
Thousands of WordPress sites were reportedly hacked over the past year. Most hacks target individual users who lack this ability.
Because WordPress is an overseas platform, searching in English returns more results when you need information. The themes and plugins we use most were almost all developed abroad, so when customizing them or when a problem occurs, we often have to post questions on the developer's forum.
Is it because I signed up on those forums and posted my site address in my profile or in questions? Dozens or even hundreds of spammers a day are registering accounts on my site using bots.
These spambots post spam comments on the products of a WooCommerce shop, create groups on a BuddyPress site, and so on.
I have already had to close a community site I had fully built because of this (see: recommended plugins for building a community site), and now it is happening again ㅠ.ㅠ So I googled and found the country-blocking plugin Stop Spammers Spam Prevention. Among the plugins recommended on overseas blogs, some offer country blocking only as a paid add-on, but this one can be used for free, so I installed it.
How effective it will be remains to be seen. I am posting the options section in the original English. I hope it helps those looking for a spam-blocking plugin, at least as a reference for which options exist.
The plugin introduced today
Spam blocking options
Prevent Lockouts
This plugin aggressively checks for spammers and is unforgiving to the point where even you may get locked out of your own blog when you log off and try to log back in. There are two options which help prevent this, but these options can make it easier for a spammer to hack your site.
When you are confident that the plugin is working you can uncheck these boxes.
Automatically add admins to Allow List
Whenever an administrative user logs in, the ip address is added to the Allow List. This means that you can’t be locked out unless your IP address changes or you log in from a different location. As soon as a login is successful then the IP is white-listed to prevent future problems. Disable this if you think that you will never be locked out.
Check credentials on all login attempts
Normally the plugin checks for spammers before WordPress can try to log in a user. If you check this box, every attempt to login will be tested for a valid user. This may allow a hacker to guess your user id and password by making thousands of attempts to login. This is turned on initially to prevent you from being locked out of your own blog, but should be unchecked after you verify that the plugin does not think you are a spammer.
Validate Requests
Spam robots do not always follow rules. They don’t provide the proper request headers or are too quick. These items can be quickly checked. These rules are the most economical way of detecting spammers.
Block Spam missing the HTTP_ACCEPT header
Blocks users who have a missing or incomplete HTTP_ACCEPT header. All browsers provide this header. If a hit on your site is missing the HTTP_ACCEPT header it is because a poorly written robot is trying to access your site.
Block invalid HTTP_REFERER
When you submit a form, all browsers provide the web page that submitted the form. If this referring page is missing or does not match your website then the submit is probably from a program accessing your site. Some cell phone apps try to log in without the correct header. You may want to disable this function if you log into your website from your mobile device. Test it first – the better written apps provide the referring page.
Deny disposable email addresses
Spammers who want to hide their true identities use disposable email addresses. You can get these from a number of sites. The spammer doesn’t have to register. He just picks up any mail anonymously. Legitimate users use their real email address. It is very likely that anyone using a disposable email address is a spammer.
Spammers can’t resist using very long names and emails. This rejects these if they are over 64 characters in length.
Check for BBCODES
BBCODES are codes like [url] that spammers like to place in comments. WordPress does not support bbcodes without a plugin. If you have a bbcode plugin then disable this. This will mark any comment that has bbcodes as spam.
Check for quick responses
(disabled if caching is active) The plugin will drop a cookie with the current time in it. When the user enters a comment or tries to log into the system, the time is checked. If the user responds too fast, he is a spammer. If cookies are not supported this is disabled. Use the timeout value below to control the speed. (Stops the most spammers of all the methods listed here.)
Response Timeout value: 4. This is the time used to determine if a spammer has filled out a form too quickly. Humans take more than 10 seconds, at least, to fill out forms. The default is 4 seconds. If a user takes 4 seconds or less to fill out a form they are not human and are denied. Users who use automatic passwords may show up as false positives so keep this low.
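The header, email, length, bbcode and timing rules above are simple enough to show in working code. The following is an added example, not the plugin's own code: a stand-alone Python implementation of those heuristics, where the site host, the disposable-domain set and the two sample submissions are constructed for the example. The timing check reads a timestamp the site would have stored in a cookie when the form was served, and treats a submit within 4 seconds of it (the default above) as automated.

```python
# Added example (not the plugin's own code): the request-validation heuristics
# from the option text, as stand-alone Python. SITE_HOST, DISPOSABLE_DOMAINS and
# the sample submissions are constructed for this example.
import re
from typing import Optional
from urllib.parse import urlparse

SITE_HOST = "blog.example"            # assumed host name of the protected site
DISPOSABLE_DOMAINS = {"mailinator.example", "throwaway.example"}  # placeholder list
MAX_FIELD_LEN = 64                    # long name/email limit from the option text
RESPONSE_TIMEOUT = 4                  # seconds; the option's default value
# opening or closing bbcode tags such as [url], [url=...], [/url], [img], [b]
BBCODE_RE = re.compile(r"\[/?[a-z]+(?:=[^\]]*)?\]", re.IGNORECASE)


def check_accept(headers: dict) -> Optional[str]:
    """Every real browser sends an Accept header; a blank one is robot traffic."""
    if not headers.get("HTTP_ACCEPT", "").strip():
        return "missing HTTP_ACCEPT header"
    return None


def check_referer(headers: dict) -> Optional[str]:
    """A form submit should carry a referer on the site itself."""
    host = urlparse(headers.get("HTTP_REFERER", "")).hostname
    if host != SITE_HOST:
        return "missing or foreign HTTP_REFERER"
    return None


def check_email(fields: dict) -> Optional[str]:
    """Reject addresses at known disposable-mail domains."""
    domain = fields.get("email", "").rpartition("@")[2].lower()
    if domain in DISPOSABLE_DOMAINS:
        return "disposable email domain"
    return None


def check_lengths(fields: dict) -> Optional[str]:
    """Names and emails over 64 characters are rejected."""
    for key in ("name", "email"):
        if len(fields.get(key, "")) > MAX_FIELD_LEN:
            return f"{key} longer than {MAX_FIELD_LEN} characters"
    return None


def check_bbcode(fields: dict) -> Optional[str]:
    """Comments containing bbcode tags are treated as spam."""
    if BBCODE_RE.search(fields.get("comment", "")):
        return "bbcode in comment"
    return None


def check_timing(cookie_time: Optional[float], now: float) -> Optional[str]:
    """cookie_time is the serve time stored in a cookie when the form was shown.
    A submit within RESPONSE_TIMEOUT seconds is not human. No cookie: disabled."""
    if cookie_time is None:
        return None
    elapsed = now - cookie_time
    if elapsed <= RESPONSE_TIMEOUT:
        return f"form filled in {elapsed:.1f}s (limit {RESPONSE_TIMEOUT}s)"
    return None


def validate(headers: dict, fields: dict, cookie_time: Optional[float], now: float) -> list:
    """Return the reasons a submission looks automated (empty list = passes)."""
    results = [
        check_accept(headers),
        check_referer(headers),
        check_email(fields),
        check_lengths(fields),
        check_bbcode(fields),
        check_timing(cookie_time, now),
    ]
    return [r for r in results if r]


# Constructed sample submissions: a browser user and a form-filling robot
HUMAN = dict(
    headers={"HTTP_ACCEPT": "text/html,application/xhtml+xml",
             "HTTP_REFERER": "https://blog.example/post/1"},
    fields={"name": "Jane", "email": "jane@isp.example", "comment": "Nice post!"},
    cookie_time=1000.0, now=1030.0,
)
BOT = dict(
    headers={"HTTP_REFERER": "http://spam.example/"},
    fields={"name": "x" * 70, "email": "z@mailinator.example",
            "comment": "cheap stuff [url=http://spam.example]here[/url]"},
    cookie_time=1000.0, now=1001.5,
)

if __name__ == "__main__":
    for label, sub in (("human", HUMAN), ("bot", BOT)):
        print(label, validate(**sub))
```

Each check returns a reason string or None, so a site can log why a submission was refused rather than just dropping it; that is what makes a false positive (a mobile app without a referer, as the option text warns) visible in the logs.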
Deny 404 exploit probing
Robots often search your site for exploitable files. If there is a match to a known exploit URL, this will automatically add the IP address to the Deny List.
Deny IPs detected by Akismet
Akismet does a good job detecting spam. If Akismet catches a spammer then the ip address should be added to the bad IP cache. Akismet will continue to block comment spam, but if there is a login or registration attempt from the same IP it will be blocked.
Check for Exploits
This checks for the PHP eval function and typical SQL injection strings in comments and login attempts. It also checks for JavaScript that may potentially be used for cross domain exploits.
Deny login attempts using ’admin’ userid
When a spammer starts hitting the login page with ’admin’ anywhere in the login id and there is no matching user, then it is a spammer trying to figure out your password. Deny List immediately. This only works if you do not have a user using ’admin’ in their login id. It is dangerous to have a user name ’admin’! My sites get thousands of hits from robots trying to guess my admin password. This has the side effect of preventing users from registering with a user id with the word admin in their user name. Users cannot register with ’admin2’ or ’superadmin’ or ’Administrator’.
Check against list of Ubiquity-Nobis and other Spam Server IPs
I have a list of hosting companies who tolerate spammers. They are the source of much Comment Spam and login attempts. This blocks many of them.
Check for major Hosting companies and cloud services
Your users should come from ISPs only. If a request comes from a web host such as Softlayer, Rackspace, or Amazon AWS, it is likely that the user is a spammer who is running some spam software to attack your site.
Check for many hits in a short time
Deny access when there are comments or logins in less than minutes. Spammers hit your site over and over again. If you get more than 5 hits in 3 minutes, the spammer will be stopped, added to the bad cache and shown the challenge page.
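The ’admin’ login rule and the "more than 5 hits in 3 minutes" rule both end in the same place, the bad IP cache, so one small example can show how they fit together. This is added code, not the plugin's: a per-IP sliding window over hit timestamps plus the admin-style login check, with the user list, IP addresses and timestamps constructed for the example.

```python
# Added example (not the plugin's own code): per-IP sliding window matching the
# "more than 5 hits in 3 minutes" rule, plus the 'admin'-in-login-id deny rule.
# Users, IPs and timestamps below are constructed for this example.
from collections import defaultdict, deque

HIT_LIMIT = 5                 # hits allowed inside the window
WINDOW_SECONDS = 3 * 60       # 3 minutes


class SpamGate:
    def __init__(self, known_users, limit=HIT_LIMIT, window=WINDOW_SECONDS):
        self.known_users = {u.lower() for u in known_users}
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)   # ip -> timestamps of recent hits
        self.deny_list = set()           # the "bad IP cache" of the option text

    def _record_hit(self, ip, now):
        """Append this hit, drop hits older than the window, and deny-list the
        IP once it exceeds the limit. Returns True if the IP is now denied."""
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:
            self.deny_list.add(ip)
        return ip in self.deny_list

    def check_login(self, ip, login_id, now):
        """Decide whether a login attempt may proceed to WordPress at all."""
        if ip in self.deny_list:
            return "denied: IP on deny list"
        # 'admin' anywhere in a login id that matches no real user: deny-list at once
        if "admin" in login_id.lower() and login_id.lower() not in self.known_users:
            self.deny_list.add(ip)
            return "denied: admin-style login id with no matching user"
        if self._record_hit(ip, now):
            return "denied: too many hits in the window"
        return "allowed"

    def check_comment(self, ip, now):
        """Comments share the same per-IP window as logins."""
        if ip in self.deny_list or self._record_hit(ip, now):
            return "denied: too many hits in the window"
        return "allowed"


def demo():
    gate = SpamGate(known_users=["jane", "editor"])
    # six login attempts from one IP within a minute: the sixth is the first denied
    fast = [gate.check_login("203.0.113.7", "jane", t) for t in range(0, 60, 10)]
    # a guess containing 'admin' from another IP is deny-listed immediately
    probe = gate.check_login("198.51.100.9", "superadmin", 100.0)
    # a commenter posting every five minutes never has more than one hit in the window
    slow = [gate.check_comment("192.0.2.4", t) for t in range(0, 3600, 300)]
    return fast, probe, slow, sorted(gate.deny_list)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The window is evaluated per hit rather than on a fixed clock, so a burst that straddles a minute boundary is still counted; the deny list is checked before anything else, which is what keeps a deny-listed robot from consuming WordPress login processing at all.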
Check for Amazon Cloud
You can block Comments and Logins from Amazon Cloud Servers using this setting. It may be that good services use Amazon Cloud servers so you may not want to use this. Be careful about blocking Amazon. Sometimes you get spam from one of their servers, but they shut it down right away.
Block Countries
This does not block the whole country. It only blocks spam sources in a country.
Blocking countries only blocks the known spam blocks from those countries. I make an attempt to not block residential IPs in countries where spammers are quickly shut down. Blocking US will not block Cox, Verizon, AT&T, etc. It will block hosting companies that send out spam that are located in the US.
Blocking RU will, however, block most of Russia, because Russian ISPs do not shut down zombie computers in residential blocks.
If you block countries make sure that you have set the Challenge to use a Captcha screen so that legitimate users can get into your site even if blocked.
The biggest countries can put a strain on memory. US, Russia, India, Ukraine, Brazil, China, and Indonesia (in that order) are the source of most spam, but they also take up to half a meg of memory to load. This may slow things a little and in some cases might shut down your blog. I run all of them on SiteGround.com without any issues, but if you are using a free or low budget site to run your blog, there could be a problem.
Other plugins for blocking spammer registrations
A security plugin that supports BuddyPress and multisite. It checks for sploggers and spammers at account registration and when comments are posted. It also has a function to block by IP or domain. Because the checks are performed on the Wangguard server, you need to sign up on their site and obtain an API key.
Uses an image CAPTCHA to stop a series of attempts by bots.
Can block specific IP addresses and ranges, as well as the country of access.