[wp-hackers] wp-denyhost

Volkmar Seifert vs at nifelheim.info
Fri Apr 18 18:15:07 GMT 2008

Hello all.

After reading the whole thread, here now my two cent and thoughts on the

First of all, I think that this plugin is a great idea. I am using
something  like that (with a similar name ;) ) for protecting my sshd.

The usage of .htaccess-files limits and binds you to apache. But there are
alternative and mostly even more efficient web-servers around, and many of
them don't bother with .htaccess-files. Relying on these files it a very
bad behavior for a "program" that is written in a language like PHP which
implies a certain independence of architecture and system. Especially when
talking about software like web-servers, the freedom of choice should be
encouraged, and I do not talk about the freedom of choice about using or
not using the plugin, but the freedom to use any web-server I want or

Myself, I am using lighttpd as a webserver, and it doesn't care about
.htaccess. There are no possibilities of on-the-fly blocking by using any
kind of server-configuration-file that is read upon access to a certain
directory. lighttpd reads its config upon startup, and then never again.
This approach has advantages as well as disadvantages and might be
discussed elsewhere, but considering the current discussion-thread,
webservers like this should not be ignored. Especially, when thinking
about high-load web-servers, which very often use alternative web-servers.

These web-servers are left with two choices:
 - Using PHP for blocking, which would work on any web-server supporting
 - using /etc/hosts.deny for those, who use tcpwrappers, which are probably
   only a few.

For those servers who can make use of /etc/hosts.deny, a way needs to be
found to access that file, since hopefully the web-server- and
php-processes are not allowed to do that. A separate daemon could this,
which would have the responsibility of removing the addresses again,
whenever they approach the "ttl". This would even be faster than the
.htaccess-method, as hosts.deny would result in a "connection refused"
message - as if there would be no server listening on the requested port.

For those requiriung the use of PHP for blocking, a lightweight-script
should probably be used, as it has already been discussed in this thread.

Some ideas for such a lightweight-script:

- To avoid the php-parser to run, one can use a php-accelerator like xcache.
  It caches the compiled version of a php-script and uses that whenever it
  is accessed without being changed on disc in-between. As it is a
  php-plugin, it works transparently on any web-server-software.

- Having several php-processes already in-waiting for serving request, e.g.
  by using something like fastcgi or similar

- Using memcached for storing the ip-adresses.
  memcached can be used to store and retrieve the ip-addresses faster as a
  database, and it has the advantage of sitewide-availability, which is a
  bit more difficult to achieve by direct database access. While this is
  irrelevant for a standard WordPress installation, WordPress MU
  installations would benefit from quite a lot.
  To ensure the lightweightness, the connection-information for the
  memcached-access could be needed to be provided directly into given
  variables in the first few lines of the script.
  This, of course, needs to be sufficiently documented in the install-docs,
  and could only be done by a site-admin.

- Volkmar


More information about the wp-hackers mailing list