lots of 404 site lock-outs (thanks Apple)

I protect my WordPress sites with the ‘Better WP Security‘ plugin, which seems to do a fantastic job. I especially like the automatic site lock-out for too many bad login attempts or bad file requests. The occasional email notification telling me that someone will be blocked for ‘x’ number of days, due to ‘x’ is quite reassuring. I usually look up their IP to see which armpit of the world these ‘would be’ saboteurs are in too.


Recently though I started noticing the IPs of local people getting locked out, really local, like the same street as the shop which the site was for, which got me doing some investigating. All of these local lockouts were due to too many attempts to access files that didn’t exist, so I checked the logs and what I found was really annoying.

Lots and lots of these…

apple-touch-icon-precomposed.png – 404 – not found
apple-touch-icon.png – 404 – not found

There was no way I’d put those links into any of the sites, so why so many requests? After a quick search and finding this post on Stack Overflow all was explained. It’s all Apple’s fault!

It appears that anyone who’d added a of the site to their home screen caused the device to request a number of PNG icons that didn’t exist. In some cases the repeated attempts to access bad URLs were detected as potential threats (someone searching for vulnerabilities) by Better WP Security and the IP addresses of those people were locked out of the site.

The solution? Well once again we must bend to the mighty Apple’s will and give it one of these PNG icons to use. Except given that a large proportion of my sites run from WordPress multi-site installations just dumping a PNG into the site root won’t work, it certainly wouldn’t allow a different icon for each site. I got around this with a single line dropped into each theme…

<link rel=”apple-touch-icon” href=”<?php echo get_template_directory_uri(); ?>/images/fav.png”/>

Hopefully by telling Apple to use the fav icon that’s there anyway, it won’t bother requesting the other files and there won’t be so many 404’s in the error log.

I have had this in place for a week and there hasn’t been any ‘false positive’  lock-outs as far as I can tell. The 404 logs don’t show any requests for the ‘apple-touch-icon.png’ files either. So mission accomplished? Hopefully.

[Update 27.03.2014]

Better WP Security is now ignoring 404’s to the apple icon files and a few others by default in the latest releases.

// Matt

Leave a Reply

Your email address will not be published.