404

Drupal 9: Blocking Common Exploit Paths

27th June 2021 - 11 minutes read time

If you run a Drupal site for any length of time you will quickly realise that a few paths that have nothing to do with Drupal will receive a lot of traffic. All of these paths result in page not found errors so the only impact is taking up your server resources. It's common to see paths like wp-login, xmlrpc.php, phpBB/page_header.php, postnuke/article.php, as well as a multitude of others. These requests are clearly bots probing the site to see what sort of CMS is in use and if they can exploit it or not.

It's a bit of a shame that the internet is like this, but it's just one of the things you need to be aware of when managing a website. Users and, more often, bots will continuously probe your site and servers for exploits. This is why you need to have firewalls and ensure your software is up to date, as people are only too willing to crack your site and expose your data.

Drupal 9: Preventing Enumeration Attacks

29th January 2021 - 19 minutes read time

A recent Wired article about the Parler data hack talked about how a hacker group was able to steal publicly available information from the Parler website using an Insecure Direct Object Reference (IDOR) or enumeration attack. This type of attack involves a hacker looking at the structure of the site and attempting to guess the next available resource by looking at the URL. Apparently, terabytes of Parler's data was downloaded by simply enumerating through the IDs of their publicly available posts.

Creating A 404 Page In PHP

2nd April 2008 - 2 minutes read time

Setting up a 404 page on your site will help users when they navigate to a page that doesn't exist. Rather than dropping them into a scary server message you can give them a nice friendly error page. The first step is to make sure that if the user generates a 404 error they are given a nice page. Add this line to your .htaccess file.

ErrorDocument 404 /404.html

Now when a user hits a nonexistent page they will see your nice error page. However, you sometimes will want to produce a 404 page when the server doesn't give out a 404 error, for example, if you have the following URL.