Friendbg · March 30, 2018 06:21 · uhlhosting · Jul 19, 2022 · Friendbg · Jul 21, 2022
diff --git a/modsecurity-wordpress b/modsecurity-wordpress
 #Block WP logins with no referring URL
 <Locationmatch "/wp-login.php">
 SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
 SecRule &HTTP_REFERER "@eq 0"
 </Locationmatch>

 #Wordpress Brute Force detection
 SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
 <Locationmatch "/wp-login.php">
 # Setup brute force detection.
 # React if block flag has been set.
 SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
 # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
 SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
 SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
 SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=900,setvar:ip.bf_counter=0"
 </locationmatch>
 #900 = block for 15 minutes

 # check bots by user agent and match to included file
 # block bad bots
 #SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/blackbots.txt" "id:980001,rev:1,severity:2,log,msg:'Bot Rule: Black Bot detected.'"

 #XMLRPC block
 SecRule REQUEST_LINE "POST .*xmlrpc.*" "pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.maxlimit=+1,deprecatevar:ip.maxlimit=1/600,nolog,id:350201"
 SecRule IP:MAXLIMIT "@gt 10" "log,deny,id:350202,msg:'wp-xmlrpc: denying %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)'"
	#Block WP logins with no referring URL
	<Locationmatch "/wp-login.php">
	SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
	SecRule &HTTP_REFERER "@eq 0"
	</Locationmatch>

	#Wordpress Brute Force detection
	SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
	<Locationmatch "/wp-login.php">
	# Setup brute force detection.
	# React if block flag has been set.
	SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
	# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
	SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
	SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
	SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=900,setvar:ip.bf_counter=0"
	</locationmatch>
	#900 = block for 15 minutes

	# check bots by user agent and match to included file
	# block bad bots
	#SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/blackbots.txt" "id:980001,rev:1,severity:2,log,msg:'Bot Rule: Black Bot detected.'"

	#XMLRPC block
	SecRule REQUEST_LINE "POST .xmlrpc." "pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.maxlimit=+1,deprecatevar:ip.maxlimit=1/600,nolog,id:350201"
	SecRule IP:MAXLIMIT "@gt 10" "log,deny,id:350202,msg:'wp-xmlrpc: denying %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)'"