How to remove URL injection by parameter en masse? - wordpress

My (wordpress) site was recently the victim of an attack...ended up with around 20,000 injected URLs. I've since cleaned up the site completely, plugged all the holes, and have installed further hardened the files, but I'm still left with all these URLs in the google index & a message on Google that says "This site may be hacked" because of all these spammy URLs. It's just not realistic to be able to go through & add them to the Webmasters URL Remove tool. I've heard the best way is to get them to display 404 (or 403) and they'll naturally fall out of the index.
Here's what I'd like to do, but haven't figured out how to do it yet: I'd like to come up with a way to force any URL with a certain parameter to display a 404 or 403. For example, the below URL is a good representation of the URLs that are currently indexed:
http://mysiteurlhere.com/index.php?free-online-games-with-cash-prizes.html&items=2&pidnum=1568
Both "items" & "pidnum" are parameters that are used in every single indexed URL that I've seen. My question is: would it be possible to single out one of those parameters with some sort of .htaccess statement, and block or force the URL to 404?
(note: I did go through the robots.txt to disallow any further URLs with parameters like these from being indexed...I just don't know how to do the .htaccess method)

Try with .htaccess:
RewriteEngine on
RewriteCond %{QUERY_STRING} (?:^|&)items=.*pidnum= [NC]
RewriteRule ^ - [R=404,L]

Related

.htaccess - Combatting String Query Spam, Custom 404 redirect

Been trying to clean up the aftermath of a decode64 content injection hack on multiple sites on my shared server.
It's clean, but now I'm getting links of incoming spam links with query string, like abc.com/?some-stupid-porno-spam/, so even though the content no longer exists, they're still being redirected to the front page. Am ranking for these spam words instead, or google's just saying those are soft-404s for the luckier sites.
Got a solution, but it's temporary. I was advised to add the following to the top of the .htaccess file:
RewriteEngine on
RewriteCond %{QUERY_STRING} .
RewriteRule ^/?$ - [L,R=404]
So, now all links with /? are redirected to a 404. 2 problems:
It's temporary, in that ALL /? queries are thrown to the 404, including wordpress post/page previews. Is there are way to make it such that it only works for non-existent pages?
The 404 points to the webhosts 404. How can I make it such that it goes to the theme's 404 instead?
Thanks for your time!
------ update
So, the above code works great. I can preview posts/pages, but I found there's a problem - it blocks wordpress' WYSIWYG text editor. The 'visual' tab remains blank, and none of the toolbars appear.
Help? lol

domain redirect to a page and rewrite url of landing to keep orgin domain

this it might be easy but I'm not sure how to achieve it (nor if it's actually possible..)
I've made a page in wordpress, with a custom template design, and not linked with the rest of the website, so it's a landing page which actually has nothing to spare with the base website.
I've bought a domain and redirected with a 301 to this page (to pass seo from that page as well).
the problem is that now I'd like to have the url of that page rewritten in order to be the same of the one I've bought, so when landing in that page, viewers won't notice that they are in another domain.
basically I want that a domain like this
my-new-domain.com
which redirects to this page (I've done this)
maindomain.com/landing-page/
and once you're there, the url displayed is:
my-new-domain.com
the page is wordpress, so I need it to keep passing the variables while the url is rewritten.
but I don't need it to handle sub-pages, as the page is a single landing page.
can I do this with an htaccess rule? and if yes, could you please tell me how this rule should ne written?
Thanx to anyone who'll help!
Andrea
You could use mod_rewrite for this
RewriteCond %{HTTP_HOST} my-new-domein.com [NC]
RewriteRule ^ /landing-page [L]
The first rule is the condition, so if the domein (http host) matches your domein the second line get executed, [NC] means no case, so my-new-domain.com and MY-NEW-DOMAIN.com both work
The second rule has 3 parts
^
as another condition (always matches)
/landing-page
that's the page which is passed to wordpress
[L]
means this is the last rule to be executed, handy when multiple rewrite rules at in the .htacess
Edit:
In addition, if you want mydomain.com/landing-page to show it's content but with my-new-domain.com in the url bar use the following to redirect to my-new-domain.com
Redirect 302 /landing-page http://my-new-domain.com

HTTP 404 Redirect

We have a multi-tenant web application where customers can set up custom domains for their site.
When an invalid domain is requested we need to display an error page on a different domain. What is the correct way to handle this? I thought perhaps issuing a 303 to a page on the other site that always returns 404. Will this keep search engines happy?
I am still trying to determine the need for this. As not a lot of information is provided to why its needed. There are many hosts that let users create places for themselves. When any error happens it simply links to the local 404. So why is it needed to go to another domain for 404? As setting a error document 404 with a domain and sub domains. The local 404 is called for all of them. It doesn't just 404 for the main domain, while leaving the sub domains clueless. As for allowing users to set up custom domains I'm guessing that was a typo. And you meant "custom sub domains". Unless that was correct, and its in some way to allow customers to buy hosting packages from you. For which they can sell back to their own customers. If the latter is correct. You would just need to set up their environment correctly. Though I figure you meant sub domain.
ErrorDocument 404 /404.html
There are a few better ways to do the below. Just supplying the quickest.
As for wanting to bounce the 404 to another domain you still can:
In .htaccess do :
ErrorDocument 404 /404.html
In the local 404.html use :
<meta http-equiv="refresh" content="0; url=http://example.com/">
Mind you can use other methods.
First, try to find an application in your control panel on your web host, that will allow you to create an error page. If you're using cPanel, this application is named as Error Pages which heading with Advanced header. After finding this app., now create a file of 404 (Not found) error page. In cPanel, there are specific “Referring URL”, “Visitor’s IP address”, “Requested URL”, “Server name”, “Visitor’s browser” and “Redirect Status Code” tags for this SSI-enabled file, and after saving 404 error page, it will be saved into 404.shtml with an extension for a file that recognized by a web server as an SSI-enabled HTML file. If ever there's no Error Pages app. in your c-panel, try to create an error page manually with .shtml extension if your server is configured to allow this. If it's not allowable or if the file become unreadable, you can still use another extension, but for a web server, it's not recognized as an SSI-enabled HTML file.
The best way is to rewrite and not to redirect all the empty subdomains, into /404.shtml but first, make sure that there's a rewrite engine in your account. Now we will going to rewrite all those subdomains with mod_rewrite. Try to find a .htaccess file in your file manager. That file is often found in the same folder where your index page is located. If there's no file like that, you can create a new one in the folder where your index located. This code must be at the very top of your empty .htaccess source, and DO NOT REMOVE it while testing the following sets of conditions and rules below after this:
Options +FollowSymlinks
RewriteEngine on
And try to paste this directives below the two-lines code above:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
Rewrite ^(.*) /404.shtml
If the directives above didn't work, then try the following below:
RewriteCond %{REQUEST_URI} !-f
RewriteCond %{REQUEST_URI} !-d
Rewrite ^(.*) /404.shtml
However, if you didn't want to redirect those empty subdomains, just add a [R] flag after the file extension of the rule, just don't forget a single space before the flag.
To keep the search engines happy, let the 404 appear to be from the invalid domain by Domain masking. This will prevent accumulating poor reputation owing to too many redirects over time. An occasional redirect to canonical document is good as it means you are practicing DRY(Don't Repeat Yourself) by redirecting to the canonical IRI qualified for search juice. Use meta noindex on the 404 page to prevent search engines from remembering the invalid custom domain IRIs.

Removing index.htm from URL

I have a WordPress blog which is functioning just fine - the URLs are set to Month/Day/Year and everything on the front-end looks and functions fine.
However, when checking my stats and Google Webmaster Tools, there's tons of 404s that look like this:
http://theURL.com/normal-wordpress-url/index.htm
Of course, index.htm does not exist at the end of the WordPress URL, so the search engine is given a 404.
I have no idea what's causing this, as everything works fine for humans.
So basically, I need a way to tell search engines to forget about the index.htm at the end of the URL.
I've tried this in the .htacess with no luck:
RewriteCond %{REQUEST_URI} /index\.htm?$ [NC]
RewriteRule ^(.*)index\.htm?$ "/$1" [NC,R=301,NE,L]
Does anybody have any suggestions?
Maybe there are different problems in here that may need solution:
Problem 1: If the crawler is the one pointing to this page there are two things that you might need to do:
Try to go to Webmaster and delete "index.htm"
Try to create a robot that will disallow "index.htm" from being seen on Google Crawler.
Problem 2: If you have distributed your urls to point to this url, Google Webmaster can tell you which webpage it is coming from exactly.
So, try to make sure that all the links pointing to "index.htm" are removed from all other urls.

.htacces - moving all posts in root to a new category

Could anyone please help me? I am at the last chance saloon and losing a lot of traffic. Any help would be greatfully received.
After a year based on my permalink structure, all posts were in the root so have been picked up by Google as:
snowmenu.com/postname
Since changing my categories and permalink structure, I need the years worth of posts on Google to be redirected to:
snowmenu.com/ski-snowboard-winter-sports-news/postname
Is there a way to make this happen via .htaccess?
Thank you very much to anyone who's able to help me.
Just had a look at the website and I am afraid from my knowledge their is no easy way to do this type of forwarding with .htaccess.
This is because there is no way to tell the difference in link structure from a "normal link" like (eg http://www.snowmenu.com/ski-resorts/) and what you want to be redirected to (eg http://www.snowmenu.com/ski-snowboard-winter-sports-news/latest-ski-news/). If you redirect all requests you will end up having links like http://www.snowmenu.com/ski-snowboard-winter-sports-news/ski-resorts/ which if I am right is not desirable?
The long solution would be to create a htaccess redirect for EVERY URL.
The only other solution that comes to mind is using PHP (or simular) to do a redirect within your 404 document.
EDIT
This will redirect ALL requests to the page you want. But as I said before I dont think this is what you want?
RewriteRule ^(?!ski-snowboard-winter-sports-news)(.*)$ /ski-snowboard-winter-sports-news/$1 [L,R=301]
EDIT 2
Having given it some thought I think I have have come up with a viable option. This will check to see if the requested file exists, if so it will redirect to your new directory (in theory :P).
RewriteCond %{DOCUMENT_ROOT}/ski-snowboard-winter-sports-news/$0 -f
RewriteRule ^(.*)$ /ski-snowboard-winter-sports-news/$1 [R=301,L]
You can use this plugin to avoid messing with .htaccess file directly:
http://wordpress.org/extend/plugins/redirection/
It has a nice interface for you to configure the redirection rules.
The plugin mentioned by #Wordpress Hardcore works best.

Resources