How to Block and Deny “app/invokefunction” Search Phrase.

Is your WordPress website visited by bots using your website’s search feature using any phrases below?

• /Index/\think\app/invokefunction
• /aa/bb/name/${@print(md5(chaonan))}
• /Index/\think\Container/invokefunction
• /user/\think\app/invokefunction
• admin/\think\app/invokefunction
• api/\think\app/invokefunction
• index/\think\app/invokefunction
• index/\think\Container/invokefunction
• \think\app/invokefunction

Don’t panic or fret, though. In this step-by-step tutorial, I will guide you through denying and disallowing these search phrases that threaten your WordPress website’s security.

We will address search phrases like “/Index/\think\app\invokefunction” and other related variations. I’ll also share a few tips and tricks for blocking and securing your WordPress website from dangerous search phrases.

Understanding these search phrases and their potential risks is crucial to protecting your website from hacking attempts and vulnerabilities.

Are you ready?  Then, let’s get started!

Understanding the Search Phrases and Their Meanings.

I first encountered each search phrase when I noticed a spike in traffic in Google Analytics.  Based on this discovery, I began searching my WordPress logs and discovered many daily searches and related searches.

After several unsuccessful attempts at finding the correct information through Google searches, I eventually stumbled upon the ThinkPHP framework.

ThinkPHP is specifically designed to facilitate agile web application development and streamline the process of creating enterprise applications. It is an open-source PHP framework developed and maintained by Shanghai Topthink Company and is released under the Apache2 open-source protocol.

Hackers either assume your website operates in a web environment that hosts or runs or is conducive to ThinkPHP.  So, away hackers go banging against your website’s search feature to hack your website via ThinkPHP or in an attempt to install ThinkPHP and then hack your website.

/Index/\think\app\invokefunction

The search phrase “/Index/\think\app\invokefunction” is linked to a potential security breach using the ThinkPHP framework. This phrase aims to exploit the framework’s vulnerabilities, which could compromise your website’s security.

/aa/bb/name/${@print(md5(chaonan))}

Now, let’s talk about “/aa/bb/name/${@print(md5(chaonan))}“.  Not certain that this phrase is associated with ThinkPHP, but this search phrase is quite malicious as it attempts to execute arbitrary code by injecting a command that prints the MD5 hash of “chaonan.” Such attempts clearly indicate an attack on your website’s security!

/Index/\think\Container\invokefunction

Moving on, we have “/Index/\think\Container\invokefunction.” This search phrase is similar to the first one we discussed and explicitly targets the ThinkPHP framework. The objective here is to invoke a function within the framework’s container, which can lead to unauthorized access and potential security risks.

Several variations of the initial search phrase.

Lastly, we have several variations of the initial search phrase, including “/user/\think\app\invokefunction,” “admin/\think\app\invokefunction,” “api/\think\app\invokefunction,” “index/\think\app\invokefunction,” “index/\think\Container\invokefunction,” and “\think\app\invokefunction.” These variations also indicate repeated attempts to exploit the ThinkPHP framework by invoking functions or accessing specific directories.

Understanding the meanings behind these search phrases is crucial because it allows us to recognize potential security threats and take appropriate action to protect our WordPress websites.

In the next section, I’ll share how you can disallow these search phrases from being searched on your website, ensuring an extra layer of security.

Implementing Security Measures

I’ve encountered various ways to handle WordPress vulnerabilities, threats, and exploits of this type.  I’ll share with you the following solutions: .htaccess and functions.php.

Block dangerous search phrases using .htaccess

For this solution, be sure you have access to your web hosting environment’s cPanel.  You must locate and modify the .htaccess file in your WordPress installation to block these dangerous search phrases. To do so, follow these steps:

1. Access your website’s root directory via FTP or the file manager provided by your hosting provider.
2. Locate the .htaccess file. If it doesn’t exist, create a new file and save it as “.htaccess” (without the quotes).
3. Open the .htaccess file in a text editor and add the code snippet below (or go here).
4. Save the changes to the .htaccess file.
5. And if needed, upload the modified .htaccess file to your website’s root directory, replacing the existing file if necessary.

RewriteEngine On
RewriteCond %{QUERY_STRING} (Index|Container|app)%5C [NC,OR] RewriteCond %{QUERY_STRING} (admin|user|api|index)%5C [NC] RewriteRule ^ – [F]

Block dangerous search phrases using functions.php

In addition to modifying the .htaccess file, you can further enhance the security of your WordPress website by adding a PHP code snippet that uses your theme’s functions.php file.

For this solution, be sure you have access to your web hosting environment’s cPanel or that your WordPress admin area has the Theme Editor enabled.

If you’re using your web hosting provider’s cPanel option, then navigate using your web browser to the File Manager and the public_html folder for your given website, and then navigate to your active theme for your website (e.g., /wp-content/themes/your-theme/functions.php).

It’s important to note that you may want to create a child theme so that any updates you make to functions.php is not overwritten with regular WordPress and theme updates.  Use the WordPress Handbook to create your child theme.

If you already have a child theme, then locate the functions.php file.  OR, if you want to live dangerously and update the parent theme’s functions.php file and remember to make backups of the code snippet before updating, then locate the functions.php file and add the following content:

function block_search_phrases() {
    $blocked_phrases = array(
        "/Index/\think\app\invokefunction",
        "/aa/bb/name/${@print(md5(chaonan))}",
        "/Index/\think\Container\invokefunction",
        "/user/\think\app\invokefunction",
        "admin/\think\app\invokefunction",
        "api/\think\app\invokefunction",
        "index/\think\app\invokefunction",
        "index/\think\Container\invokefunction",
        "\think\app\invokefunction"
    );
    
    $request_uri = $_SERVER['REQUEST_URI'];
    
    foreach ($blocked_phrases as $phrase) {
        if (strpos($request_uri, $phrase) !== false) {
            wp_die('Access denied!', 'Forbidden', array('response' => 403));
        }
    }
}
add_action('init', 'block_search_phrases');

In addition, the following solution is an alternative option should the previous not prove successful for you:

add_filter( 'pre_get_posts', 'rlv_block_search' );
function rlv_block_search( $query ) {
    if (!empty($query->query_vars['s'])) {
        $blacklist = array( 'index/thinkapp/invokefunction', '/index/thinkapp/invokefunction', '1 1 1 1', '||||', 'home/thinkapp/invokefunction', '/home/thinkapp/invokefunction', 'captcha', 'javascript', 'script'); // add blacklist entries here; no need for whole words, use the smallest part you can
        foreach( $blacklist as $term ) {
            if( mb_stripos( $query->query_vars['s'], $term ) !== false ) exit();
        }
     }
}

Once you’ve added the PHP code snippet to your functions.php file, don’t forget to save your changes. 😉

That’s it! The PHP code snippet will now deny access to URLs containing the blocked search phrases. This extra layer of protection adds another line of defense against potential security threats.

Conclusion

By following these steps, you’re well on your way to effectively blocking and disallowing the mentioned search phrases from being processed by your WordPress website. Whether you use the .htaccess file or add the PHP code snippet to your functions.php file, either solution provides a robust defense mechanism to safeguard your website from potential hacking attempts.

Stay vigilant, keep your WordPress installation and plugins up to date, and enjoy this enhanced security solution to keep your website safe and secure. Thanks, and that’s all for now!