
Fooled isit.pw


Valery

Hey everybody,

Many of us know about isit.pw, the web site that checks if you are running PW. I thought I should find out how it knows whether a web site is ProcessWire-powered.

Turns out, it sends a "GET /?it=/trash/ HTTP/1.0" request, and if the response is 200, then PW it is.

Next thing I did was to go to admin templates and change the default behavior such that ProcessWire would throw back a 404 instead of offering to log in.

Now, isit.pw does not like me for "not running" ProcessWire. However, I liked the method isit.pw uses. It can be handy if you want to run a quick check like this:

http://<...>/<some_page_name>/?it=/

If you get the Home page, it means you've hit a ProcessWire-powered web site.

Have a good Friday and a nice week-end :)

  • Like 6
Link to comment
Share on other sites

Thank you! Even though I love pw and want my customers to know that they use pw I like it more when guests don't know the cms I'm running.

Your approach seems to accomplish exactly that need.

Could you please post a more in-depth tutorial on how you managed to throw back a 404 on that specific request?

Link to comment
Share on other sites

No problem. It's done in just two steps.

Assuming you are logged in with administrative rights:

1. Go to Setup -> Templates. Click "Filters", then set "Show system templates" to Yes. Click the "admin" template in the list.

2. On the "Edit template" page click the tab "Access" and scroll down to "What to do when user attempts to view a page and has no access?". Select "Show a 404 Page" instead of "Show the login page".

Save your admin template settings and you are done!

This setting works for any template, not just admin templates.

I attach a couple of screenshots to illustrate the above two steps. Hope it helps you.

P.S.: If you want to go a little bit paranoid, I suggest playing with request handling such that GET requests with ?it=  in them would be handled differently. 

post-956-0-37212200-1409924898_thumb.png

post-956-0-95044000-1409924904_thumb.png

  • Like 1
Link to comment
Share on other sites

There are many ways of finding out whether a site runs on pw or not. That is just one of those. Pw doesn't try to hide its existence.

Isit.pw is done to help make maintaining the sites section on this site easier. So intentionally hiding your site just for this tool might make your approval process longer :)

  • Like 3
Link to comment
Share on other sites

Oh boy, that got me in trouble :)

Just in case anyone's interested how to block a request containing "?it=", here's a short rule for nginx:

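# Return 404 when the query string begins with "it="
# (matching on "\?it=" avoids also catching parameters such as "?items=")
if ($request_uri ~ \?it=) {
    return 404;
}

If is evil. Hiding ProcessWire from isit.pw is even worse. Tread the path of eeevil  >:D
:D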
  • Like 1
Link to comment
Share on other sites
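
An added check, not part of the original posts: the regex from the nginx rule as originally posted (`.*.\?it.*`), run over a few constructed request URIs and compared with a real query-string parse for a parameter named `it`. The function names and sample URIs are assumptions made for this example; it shows which requests the pattern catches by accident and which it misses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pattern from the posted nginx rule; nginx's "~" is an unanchored regex match.
POSTED_RULE = re.compile(r".*.\?it.*")

# Constructed sample request URIs (not taken from real logs).
SAMPLE_URIS = [
    "/?it=/trash/",          # the probe described in the first post
    "/about/?it=/",          # same parameter on a sub-page
    "/search/?items=3",      # unrelated parameter that merely starts with "it"
    "/?page=2&it=/trash/",   # "it" present, but not the first parameter
    "/contact/",             # ordinary request
]


def posted_rule_blocks(request_uri: str) -> bool:
    """True if the posted pattern would match, i.e. nginx would return 404."""
    return POSTED_RULE.search(request_uri) is not None


def has_it_param(request_uri: str) -> bool:
    """True if the query string really carries a parameter named 'it'."""
    query = urlsplit(request_uri).query
    return "it" in parse_qs(query, keep_blank_values=True)


def compare(uris):
    """Return (uri, blocked_by_rule, has_it_param) for each URI."""
    return [(u, posted_rule_blocks(u), has_it_param(u)) for u in uris]


if __name__ == "__main__":
    for uri, by_rule, by_param in compare(SAMPLE_URIS):
        note = "" if by_rule == by_param else "  <-- differs"
        print(f"{uri:24} rule={by_rule!s:5} param={by_param!s:5}{note}")
```
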

I just tried Valery's first method of editing the admin template to give a 404 to unprivileged users and could then no longer access the login page from a second machine even when using the correct login page url.

Fortunately I was still logged in as superuser on my dev box and changed it back. Looks like editing the .htaccess or nginx config might be a safer way to go.

  • Like 1
Link to comment
Share on other sites

> Turns out, it sends a "GET /?it=/trash/ HTTP/1.0" request, and if the response is 200, then PW it is.

Almost. There's also an additional check to see if the returned page contains certain traces of ProcessWire. Simply checking the return code wouldn't be enough here :)

 

> Now, isit.pw does not like me for "not running" ProcessWire.

For the record, isit.pw includes roughly a dozen methods for checking if a site is running ProcessWire. In many (most) cases it can still identify your site, even if that one check fails.

I should probably mention that isit.pw (which is my project) is both a functional tool (as Antti explained earlier) and an experiment; "can you properly identify a site running ProcessWire or not?" I'm also planning to add an info section later, including details on hiding your ProcessWire-ness from humans and services like isit.pw equally :)

  • Like 13
Link to comment
Share on other sites

Hey guys,

Please, please read netcarver's warning before making changes to the 'admin' template settings. Changing access for non-logged-in users from login prompt to HTTP 404 may effectively block you from logging in!

If you have locked yourself out (like I just did), do the following:

- Log in to phpMyAdmin.

- Find the 'pages' table, then Browse it and find the Id of the page named 'login'. Mine was 23 and I did not change the default settings.

- Then go to the table 'templates', find the line with name=admin and edit it. Add 

, "redirectLogin":23

to the array (assuming that 23 is the id of the login page).

Save (press "Go"). Now you will be able to access your admin login prompt.

I attach a screenshot, so that should be pretty clear.

post-956-0-16794900-1410101534_thumb.png

  • Like 2
Link to comment
Share on other sites
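
An added example, not part of the original posts: hand-editing the settings string in phpMyAdmin can leave it as invalid JSON, so this sketch parses the value, sets `redirectLogin`, and re-serializes it. It assumes the settings are a JSON object stored in a text column of the 'templates' table (called `data` here as an assumption); the sample settings string and the function names are constructed for illustration.

```python
import json


def add_redirect_login(template_data: str, login_page_id: int) -> str:
    """Return the template settings JSON with redirectLogin set to login_page_id."""
    if (isinstance(login_page_id, bool) or not isinstance(login_page_id, int)
            or login_page_id <= 0):
        raise ValueError("login page id must be a positive integer")
    settings = json.loads(template_data)  # malformed JSON raises ValueError
    if not isinstance(settings, dict):
        raise ValueError("template settings must be a JSON object")
    settings["redirectLogin"] = login_page_id  # overwrites any earlier value
    return json.dumps(settings, separators=(",", ":"))


def build_update(template_data: str, login_page_id: int,
                 template_name: str = "admin"):
    """Build a parameterized UPDATE; the column name 'data' is an assumption."""
    new_data = add_redirect_login(template_data, login_page_id)
    sql = "UPDATE templates SET data = %s WHERE name = %s"
    return sql, (new_data, template_name)


if __name__ == "__main__":
    # Constructed sample of what the stored settings might look like.
    current = '{"useRoles":1,"slashUrls":1}'
    statement, params = build_update(current, 23)
    print(statement)
    print(params)
```
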
