Bob's Guides

ReflectBlock Plugin Tutorial

If you use this extra and like it, please consider donating. The suggested donation for this extra is $5.00, but any amount you want to give is fine (really). For a one-time donation of $50.00 you can use all of my non-premium extras with a clear conscience.

Overview

The ReflectBlock plugin for MODX Revolution blocks, and logs all requests that contain the word "reflect". Users trying to find any file with the word "reflect" in the URL, will get a 403 - Forbidden error and a message telling them that the reflect snippet does not exist at the site.

When examining the log, you'll see would-be evildoers looking for versions of the old reflect snippet, a minor security vulnerability in older versions of MODX. The requests are harmless, since the reflect snippet does not exist on any Revolution sites, but it's annoying to see them sucking bandwidth trying to find it. Once you know who they are you can block them in .htaccess. The log is also useful in seeing what requests get past any rules in the .htaccess file.

It is much faster and more efficient to block the requests in the .htaccess file, but this plugin will do the job for those who either don't have access to the .htaccess file or aren't comfortable altering it.

The plugin will not slow down your site because it only executes when a request fails and a page-not-found requests is issued.

Note that if you have an Adsense site, every reflect request will be followed by one or more visits from the GoogleBot looking for the same URL. You'll also see the GoogleBot failing to find the unpublished report pages when you access them.

You can prevent some of that with these lines in your robots.txt file. Adjust the file suffix as necessary based on the configuration of your site.

User-agent: Mediapartners-Google*
Disallow: reflect-block-log-report.html

Installing ReflectBlock

Go to System | Package Management and click on the "Download Extras" button. Put "ReflectBlock" in the search box and press "Enter". Click on the "Download" button next to ReflectBlock on the right side of the grid. Wait until the "Download" button changes to "Downloaded" and click on the "Finish" button.

The ReflectBlock package should appear in the Package Manager grid. Clock on the "Install" button and respond to the forms presented. That's it. Once the install finishes, logging will begin immediately. The ReflectBlock plugin will be installed and active, and you'll get the snippet/resource pairs that will let you view the log created by the plugin.

The Log

When a "reflect" page is requested, an entry is written to the reflctblock.log.log file (inside the logs/ directory below the MODX core directory). The misspelling is intentional — without it, you'd be prevented from viewing the log. You'll see the same misspelling (for the same reason) in the alias of the resource that shows the log. The log entry will include the IP of the visitor, the Host of the visitor, the time of the visit, the user agent, and the request itself.

Remember that there will be an entry for every reflect request, so there may be a lot of duplicates. The log is limited to 300 entries by default. You can set a different limit with the &log_max_lines property. New entries will be added at the top and old ones will scroll off the bottom. You can also edit the file on the Files tab in the Manager (core/logs/reflctblock.log), delete the contents, and save the empty file to start a new log.

If you have the ReflectBlock plugin and the LogPageNotFound plugin enabled, you won't see the various reflect requests in the Page Not Found log. If the ReflectBlock plugin is disabled or not installed, you'll see plenty of them if your site contains the word "MODX" or is otherwise identifiable as a MODX site.

Properties

At present, the only settable property for the ReflectBlock plugin is &log_max_lines, which sets the maximum number of entries in the log. The default value is 300.

The ReflectBlockLogReport snippet has two properties: &table_width (to set the width of the table) and &cell_width (to set the width of each cell). Feel free to adjust them to meet your needs. Set them in the snippet tag on the Reflect Block Log Report page.

Reports

The report snippet and the resource to execute it are included in the package. The Reflect Block Log Report resource is unpublished and hidden from menus by default, but you can still view the log by previewing that resource from the Manager when you are logged in as a Super User.

Caution

If you see serious repeat offenders in the log, you can block them by IP with code like this in your .htaccess file (using their actual IPs):

order allow,deny
deny from 127.0.0.2
deny from 127.0.0.3
deny from 127.0.0.4
allow from all

Blocking users in the .htaccess file is extremely fast and it stops the users dead before they even reach the site. It's not all that practical, however, since people can spoof IPs, there are zillions of evildoers out there, and the request can be from an IP that might later be assigned to a legitimate user. Be sure to note the host before adding an IP block. You don't want to block the GoogleBot or yourself. The User Agent can be helpful here, but many evildoers will fake the User Agent and pretend to be the GoogleBot.

In many ways, it's safer to block users with redirect rules based on what they are looking for. This will block almost all reflect requests:

RewriteCond %{REQUEST_URI} reflect [NC,OR]
RewriteCond %{QUERY_STRING} reflect [NC]
RewriteRule .* - [F,L]

Include the "OR" directive on every condition but the last. Before adding the lines to the .htaccess file, make sure that no alias on your site contains the word "reflect".

You should *always* back up your .htaccess file before making any changes! If there are errors in the .htaccess file, all visitors to your site may get a server 500 error.

Copyright © 2011-2024
Bob Ray