Weekly update – 31 March 2023

[ryan]

There are several updates on the dev branch this week (commit log), including issue fixes, feature additions and minor class improvements. One of the updates I'd planned to add this week was moving InputfieldTinyMCE into the core. However, I noticed that TinyMCE was up to version 6.4.1 now and we were still running 6.2.0, so I decided instead to upgrade ours to the latest and test it out for another week in its own repository. If all continues to work well, I'll likely commit it to the core in 3.0.215. If you have a chance to test the latest version of InputfieldTinyMCE, please do, and open an issue report if you run into any trouble. 

Last week the Wire Request Blocker module was released in the ProDevTools board and this week we have version 2, which includes several new additions:

• Added support for blocking groups.
• Added configurable settings for immediate block (rather than just a strike) for URLs and user agents.
• Added support for using RequestBlocker in other applications (like we use it here in IP.Board).
• Added a feature were you can manually test URLs or user agent strings to see how they match your rules.
• Added a configuration setting so you can choose whether or not to use a log file.
• Added a section to the docs on how to block URLs from your .htaccess file.

As I wrote this post, the processwire.com site is getting hounded with dozens of IPs trying to locate backup or database zip/rar/tar/gz files, using every possible combination of filenames and extensions you can think of, including those that include the term "processwire". Remember to never leave backup files or DB dump files accessible by URL lying around on your server, because they will get eventually found. Adding these rules (below) to WireRequestBlocker's URL matching rules seems to mostly stopped those DB/backup hunting bots:

/ba=/backups/|/backup/|/bak/|/back/
.txt=credentials.txt|backup.txt|password.txt|passwords.txt
.sql=.sql.gz|.sql.tar|backup.sql|dump.sql|db.sql|database.sql|mysql.sql|.com.sql
.tar=.tar.gz|.tar.sql|dump.tar|backup.tar|bak.tar|website.tar|backup.tar|www.tar
.zip=backup.zip|bak.zip|.com.zip|well-known.zip|index.zip|public_html.zip|website.zip|dump.zip|wallet.zip|application.zip
.rar=bak.rar|website.rar|backup.rar|www.rar
.gz=website.gz|bak.gz|backup.gz|.com.gz
/old/

WireRequestBlocker only knows its rules and doesn't know who's real and who's a bot, so be careful not to hit URLs containing those strings on this site or it might hit you with nothing but 403's for a few hours. ? Next week is Spring Break here, so I'll likely be on a reduced schedule with kids home from school. Thanks for reading, have a great weekend! 

+75 more blocks (not shown)