This repository has been archived by the owner on Jan 14, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathwp-rules.conf.j2
133 lines (119 loc) · 4.69 KB
/
wp-rules.conf.j2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
# -=[ Rule 22000000: Client IP Address ]=-
# ----------------------------------------
# This rule set the "real" client IP Address. This usually is %{REMOTE_ADDR}
# but when you are behind CloudFlare or a Load Balancer, the user's IP Address
# is inside a header parameter like X-Forwarded-For, or True-Client-IP,
# or CF-Connecting-IP for CloudFlare. See the 01-SETUP.conf file for more information:
#
# set client ip from REMOTE_ADDR
{% if WP_CLIENT_IP == "remote-addr" %}
SecAction "phase:1,id:22000000,nolog,pass,t:none,setvar:tx.wprs_client_ip=%{REMOTE_ADDR}"
{% endif %}
#
# Using CloudFlare:
# Set client ip from CF-Connecting-IP
# ------------------------------------
{% if WP_CLIENT_IP == "cf-connecting-ip" %}
SecAction "phase:1,id:22000000,nolog,pass,t:none,setvar:tx.wprs_client_ip=%{REQUEST_HEADERS:CF-Connecting-IP}"
{% endif %}
#
# Using a load balancer (like DigitalOcean):
# set client ip from x-forwarded-for
# ------------------------------------------
{% if WP_CLIENT_IP == "x-forwarded-for" %}
SecAction "phase:1,id:22000000,nolog,pass,t:none,setvar:tx.wprs_client_ip=%{REQUEST_HEADERS:X-Forwarded-For}"
{% endif %}
# -=[ Rule 22000004: Enable / Disable Brute-force mitigation ]=-
# When wprs_check_bruteforce variable is set to 1, the WPRS will enable all
# brute-force mitigation rules. More information at 03-BRUTEFORCE.conf file.
#
# setvar:tx.wprs_check_bruteforce=1 = brute-force mitigation enabled
# setvar:tx.wprs_check_bruteforce=0 = brute-force mitigation disabled
#
# default: 1
#
{% if WP_ENABLE_BRUTEFORCE_MITIGATION %}
SecAction "id:22000004,phase:1,nolog,pass,t:none,setvar:tx.wprs_check_bruteforce=1"
{% endif %}
# -=[ Rule 22000005: Time Span ]=-
# How many seconds the login counter will be incremented
# on each login attempt on /wp-login.php. For example, if you
# want to increment the login attempt counter for a 10 minutes span:
#
# setvar:tx.wprs_bruteforce_timespan=600
#
# default: 120 (2 minutes)
#
{% if WP_ENABLE_BRUTEFORCE_MITIGATION %}
SecAction "id:22000005,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_timespan={{ WP_BRUTEFORCE_TIMESPAN }}"
{% endif %}
# -=[ Rule 22000010: Threshold ]=-
# This rule set how many login attempts (inside the time span period) WPRS will accepts before ban.
# For example, if you set this to 10, WPRS will ban the user at the 11th attempt.
#
# setvar:tx.wprs_bruteforce_threshold=10
#
# default: 5
#
{% if WP_ENABLE_BRUTEFORCE_MITIGATION %}
SecAction "id:22000010,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_threshold={{ WP_BRUTEFORCE_THRESHOLD }}"
{% endif %}
# -=[ Rule 22000015: Ban period ]=-
# This rule set for how long a user will be banned if a brute-force attempt is detected.
# For example, if you want to block a user for 5 mins you'll set this to 300:
#
# setvar:tx.wprs_bruteforce_banperiod=300
#
# default: 300
#
{% if WP_ENABLE_BRUTEFORCE_MITIGATION %}
SecAction "id:22000015,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_banperiod={{ WP_BRUTEFORCE_BAN_PERIOD }}"
{% endif %}
# -=[ Rule 22000020: Log authentication events ]=-
# This rule enable or disable the logging of authentication events.
# If you enable this, each time a user login on /wp-login.php a log is produced.
#
# setvar:tx.wprs_log_authentications=1 = enables logging
# setvar:tx.wprs_log_authentications=0 = disables logging
#
# default: 1
#
SecAction "id:22000020,phase:1,nolog,pass,t:none,setvar:tx.wprs_log_authentications=0"
# -=[ Rule 22000025: XMLRPC ]=-
# This rule enable or disable access on xmlrpc.php script.
# Usually many users doesn't use the xmlrpc.php but they leave it
# active, and this could lead to a brute-force amplification attacks.
#
# setvar:tx.wprs_allow_xmlrpc=1 = allows reuests to xmlrpc.php
# setvar:tx.wprs_allow_xmlrpc=0 = blocks reuests to xmlrpc.php
#
# default: 1
#
{% if WP_ENABLE_XMLRPC %}
SecAction "id:22000025,phase:1,nolog,pass,t:none,setvar:tx.wprs_allow_xmlrpc=1"
{% endif %}
# -=[ Rule 22000030: User Enumeration ]=-
# This rule enable or disable requests like "/?author=1".
# An attacker could enumerate all active users by incrementing
# the author parameter.
#
# setvar:tx.wprs_allow_user_enumeration=1 = allows request like /?author=1
# setvar:tx.wprs_allow_user_enumeration=0 = blocks request like /?author=1
#
# default: 1
#
{% if WP_ENABLE_USER_ENUMERATION %}
SecAction "id:22000030,phase:1,nolog,pass,t:none,setvar:tx.wprs_allow_user_enumeration=1"
{% endif %}
# -=[ Rule 22000035: DoS Attack ]=-
# This rule enable or disable protection against DoS attacks.
# For example prevent CVE-2018-6389.
#
# setvar:tx.wprs_check_dos=1 = enable DoS protection
# setvar:tx.wprs_check_dos=0 = disable DoS protection
#
# default: 1
#
{% if WP_ENABLE_DOS_PROTECTION %}
SecAction "id:22000035,phase:1,nolog,pass,t:none,setvar:tx.wprs_check_dos=1"
{% endif %}