A Denial-of-Service (DoS) attack from Facebook?

The other day I got an automated alert from our managed WordPress hosting service, notifying me of an issue with resource exhaustion for a virtual site. Upon closer inspection, I discovered that the adversary was not your everyday aimless botnet, but something darker, and far more sinister.

Migrating from WordPress to Hugo

In preparation for my move from WordPress to Hugo, I read a few blog posts on the subject to make sure I wouldn’t run into a brick wall. After all, Google had already indexed over 3000 posts covering the subject in detail, so what could possibly go wrong?

A digital ocean of bots

Last week I noticed yet another ongoing brute-force attack against our managed WordPress hosting. The botnet is very low key and each bot connects on average only once per day. Up until now, I’ve collected in the ballpark of 3100 unique bots.

An insignificant WordPress brute-force attack

Earlier this week I noticed a minor brute-force attack against our managed WordPress hosting. The attack lasted for 72 hours and deployed around 2000 unique bots. The botnet attempted on average 100 logins per hour while rotating bots to avoid triggering our automatic defense systems.

Abandoning the Gutenberg ship

Even though I really enjoy the new Gutenberg experience from a content creator’s point of view, I’ve come to the conclusion that it’s not the right editor for me. My dear Gutenberg, it’s not you, it’s me.

Validating HTTP requests using Apache's THE_REQUEST variable

I’m currently experimenting with a few rule conditions to explicitly whitelist the resources I want clients to be able to retrieve on my server. The initial target for this exercise was my onion site, which has an issue with misbehaving (poorly written) Tor bots, but I thought it would be fun to extend the experiment to paranoidpenguin.net.

How to configure WordPress as a Tor hidden service

I decided I wanted to host my WordPress installation as a hidden service on Tor instead of backporting all my existing content to Hugo. I previously ran Hugo on my onion site and even though I still want to make that move eventually, for now, I’m sticking with what I already know. Besides, putting arguably the worst content management system ever invented on the dark web seemed like a fun venture.

Every single WordPress tag is returning a 404 error

“That tag ‘stuff’ is not working on our corporate website, please fix asap,” the customer complained. “Sure, will do immediately,” I replied confidently, believing this to be a simple matter of purging some old cache or refreshing permalinks. Sadly, that was not to be the case, so I ended up having to get my hands dirty. To my absolute horror, the site was running one of those godawful ThemeForest themes.

The WordPress Attachment Page redirect loop

Looking through my server logs I noticed how Baidu’s web spider was causing an unexpected redirect loop while trying to index an image attachment page. Since I deliberately redirect all attachment page requests to the actual post owning the attachment, I decided to take a closer look. The following request triggered the loop: