05-HARDENING.conf

#
SecRule REQUEST_FILENAME "^/wp\-includes(/.*\.php(|[\/].*)|(|\/))$" "phase:1,id:22200001,\
  t:lowercase,t:normalizePath,t:trim,\
  block,\
  log,\
  rev:'1',\
  severity:'6',\
  maturity:'9',\
  accuracy:'9',\
  ver:'%{tx.wprs_version}',\
  tag:'wordpress',\
  tag:'includes',\
  logdata:'Request Filename %{REQUEST_FILENAME}',\
  msg:'WordPress: /wp-includes access attempt'"

#wp-content/*.txt
SecRule REQUEST_FILENAME "^/wp\-content(/.*\.txt(|[\/].*)|(|\/))$" "phase:1,id:22200002,\
  t:lowercase,t:normalizePath,t:trim,\
  block,\
  log,\
  rev:'1',\
  severity:'6',\
  maturity:'9',\
  accuracy:'9',\
  ver:'%{tx.wprs_version}',\
  tag:'wordpress',\
  tag:'includes',\
  logdata:'Request Filename %{REQUEST_FILENAME}',\
  msg:'WordPress: TXT /wp-content access attempt'"

#wp-admin/ sensitive files
SecRule REQUEST_FILENAME "^/wp-admin/(?:install|includes)" "phase:1,id:22200003,\
  t:lowercase,t:normalizePath,t:trim,\
  block,\
  log,\
  rev:'1',\
  severity:'6',\
  maturity:'9',\
  accuracy:'9',\
  ver:'%{tx.wprs_version}',\
  tag:'wordpress',\
  tag:'includes',\
  logdata:'Request Filename %{REQUEST_FILENAME}',\
  msg:'WordPress: File /wp-admin access attempt'"

SecRule REQUEST_FILENAME "^/(?:readme|license)\." "phase:1,id:22200004,\
  t:lowercase,t:normalizePath,t:trim,\
  block,\
  log,\
  rev:'1',\
  severity:'6',\
  maturity:'9',\
  accuracy:'9',\
  ver:'%{tx.wprs_version}',\
  tag:'wordpress',\
  tag:'includes',\
  logdata:'Request Filename %{REQUEST_FILENAME}',\
  msg:'WordPress: Readme or License file access attempt'"


SecRule tx:wprs_allow_xmlrpc "@eq 1" \
  "phase:1,\
  id:22200013,\
  pass,\
  nolog,\
  skipAfter:END_WPRS_XMLRPC"

SecMarker BEGIN_WPRS_XMLRPC

SecRule REQUEST_FILENAME "^/xmlrpc\.php" "phase:1,id:22200015,\
  t:lowercase,t:normalizePath,t:trim,\
  block,\
  log,\
  rev:'1',\
  severity:'6',\
  maturity:'9',\
  accuracy:'9',\
  ver:'%{tx.wprs_version}',\
  tag:'wordpress',\
  tag:'xmlrpc',\
  logdata:'Request Filename %{REQUEST_FILENAME}',\
  msg:'WordPress: /xmlrpc.php access attempt'"

SecMarker END_WPRS_XMLRPC

SecRule tx:wprs_allow_user_enumeration "@eq 1" \
  "phase:1,\
  id:22200017,\
  pass,\
  nolog,\
  skipAfter:END_WPRS_USER_ENUMERATION"

SecMarker BEGIN_WPRS_USER_ENUMERATION

SecRule REQUEST_URI "(author\=[0-9]+)" "phase:1,id:22200029,\
  t:lowercase,t:urlDecode,t:trim,\
  block,\
  log,\
  rev:'1',\
  severity:'6',\
  maturity:'9',\
  accuracy:'9',\
  capture,\
  ver:'%{tx.wprs_version}',\
  tag:'wordpress',\
  tag:'enumeration',\
  logdata:'Detected on %{TX:1}',\
  msg:'WordPress: User enumeration'"

SecRule REQUEST_FILENAME "^(/wp\-json/wp/v[0-9]+/users)" "phase:1,id:22200033,\
  t:lowercase,t:urlDecode,t:trim,\
  block,\
  log,\
  rev:'1',\
  severity:'6',\
  maturity:'9',\
  accuracy:'9',\
  capture,\
  ver:'%{tx.wprs_version}',\
  tag:'wordpress',\
  tag:'enumeration',\
  logdata:'Detected on %{TX:1}',\
  msg:'WordPress: User enumeration'"

SecMarker END_WPRS_USER_ENUMERATION

SecRule tx:wprs_check_dos "@eq 0" \
  "phase:1,\
  id:22200036,\
  pass,\
  nolog,\
  skipAfter:END_WPRS_DOS"

SecMarker BEGIN_WPRS_DOS

SecRule REQUEST_URI "@rx ^/wp\-admin/(load\-styles|load\-scripts)\.php.*load\[\]\=([^&,]*,){20,}" "phase:1,id:22200039,\
  t:lowercase,t:urlDecode,t:trim,t:normalizePath,t:removeWhitespace,\
  block,\
  log,\
  rev:'1',\
  severity:'6',\
  maturity:'9',\
  accuracy:'9',\
  capture,\
  ver:'%{tx.wprs_version}',\
  tag:'wordpress',\
  tag:'dos',\
  tag:'cve-2018-6389',\
  logdata:'Detected on script: %{TX:1}.php',\
  msg:'WordPress: DoS Attack Attempt'"

SecRule REQUEST_URI "@rx ^/(wp-cron\.php)" "phase:1,id:22200040,\
  t:lowercase,t:urlDecode,t:trim,t:normalizePath,t:removeWhitespace,\
  block,\
  log,\
  rev:'1',\
  severity:'6',\
  maturity:'9',\
  accuracy:'9',\
  capture,\
  ver:'%{tx.wprs_version}',\
  tag:'wordpress',\
  tag:'dos',\
  tag:'cve-2018-6389',\
  logdata:'Detected on script: %{TX:1}',\
  msg:'WordPress: DoS Attack Attempt'"


SecMarker END_WPRS_DOS