This ruleset extends the OWASP CRS (https://github.com/SpiderLabs/owasp-modsecurity-crs) and includes specific rules in order to protect the most critical aspects of the famous WordPress CMS.
just clone this repository with git clone https://github.com/theMiddleBlue/wordpress-modsecurity-ruleset.git
This rule set is intended to be used with the OWASP CRS3. You just need to clone this repository and then includes it in your modsecurity.conf:
...
Include wordpress-modsecurity-ruleset/*.conf
Optionally you can change the default behavior as described in the 01_SETUP.conf file:
...
SecAction "phase:1,id:22000000,nolog,pass,t:none,setvar:tx.wprs_client_ip=%{REMOTE_ADDR}"
SecAction "id:22000004,phase:1,nolog,pass,t:none,setvar:tx.wprs_check_bruteforce=1"
SecAction "id:22000005,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_timespan=120"
SecAction "id:22000010,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_threshold=5"
SecAction "id:22000015,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_banperiod=300"
SecAction "id:22000020,phase:1,nolog,pass,t:none,setvar:tx.wprs_log_authentications=1"
SecAction "id:22000025,phase:1,nolog,pass,t:none,setvar:tx.wprs_allow_xmlrpc=0"
SecAction "id:22000030,phase:1,nolog,pass,t:none,setvar:tx.wprs_allow_user_enumeration=0"
Include wordpress-modsecurity-ruleset/*.conf
Rule 22000000: Client IP Address. This rule set the "real" client IP Address.
This usually is %{REMOTE_ADDR}
but when you are behind CloudFlare or a Load Balancer,
the user's IP Address is inside a header parameter like X-Forwarded-For, or True-Client-IP,
or CF-Connecting-IP for CloudFlare. See the 01-SETUP.conf
file for more information:
SecAction "phase:1,id:22000000,nolog,pass,t:none,setvar:tx.wprs_client_ip=%{REMOTE_ADDR}"
Rule 22000004: Enable / Disable Brute-force mitigation.
When wprs_check_bruteforce
is set to 1
WPRS will try to mitigate brute-force attacks.
By default it will check if a user performs more then 5 login attempts, in a time span of 2 minutes,
and blocks it for 5 minutes.
setvar:tx.wprs_check_bruteforce=1 = brute-force mitigation enabled
setvar:tx.wprs_check_bruteforce=0 = brute-force mitigation disabled
default: 1
SecAction "id:22000004,phase:1,nolog,pass,t:none,setvar:tx.wprs_check_bruteforce=1"
Rule 22000005: Time Span. How many seconds the login counter will be incremented on each login attempt on /wp-login.php. For example, if you want to increment the login attempt counter for a 10 minutes span:
setvar:tx.wprs_bruteforce_timespan=600
default: 120 (2 minutes)
SecAction "id:22000005,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_timespan=120"
Rule 22000010: Threshold. This rule set how many login attempts (inside the time span period) WPRS will accepts before ban. For example, if you set this to 10, WPRS will ban the user at the 11th attempt.
setvar:tx.wprs_bruteforce_threshold=10
default: 5
SecAction "id:22000010,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_threshold=5"
Rule 22000015: Ban period. This rule set for how long a user will be banned if a brute-force attempt is detected. For example, if you want to block a user for 5 mins you'll set this to 300:
setvar:tx.wprs_bruteforce_banperiod=300
default: 300
SecAction "id:22000015,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_banperiod=300"
Rule 22000030: User Enumeration. This rule enable or disable requests like "/?author=1". An attacker could enumerate all active users by incrementing the author parameter.
setvar:tx.wprs_allow_user_enumeration=1 = allows request like /?author=1
setvar:tx.wprs_allow_user_enumeration=0 = blocks request like /?author=1
default: 1
SecAction "id:22000030,phase:1,nolog,pass,t:none,setvar:tx.wprs_allow_user_enumeration=1"
Rule 22000025: XMLRPC. This rule enable or disable access on xmlrpc.php script. Usually many users doesn't use the xmlrpc.php but they leave it active, and this could lead to a brute-force amplification attacks.
setvar:tx.wprs_allow_xmlrpc=1 = allows reuests to xmlrpc.php
setvar:tx.wprs_allow_xmlrpc=0 = blocks reuests to xmlrpc.php
default: 1
SecAction "id:22000025,phase:1,nolog,pass,t:none,setvar:tx.wprs_allow_xmlrpc=1"
Rule 22000020: Log authentication events. This rule enable or disable the logging of authentication events. If you enable this, each time a user login on /wp-login.php a log is produced.
setvar:tx.wprs_log_authentications=1 = enables logging
setvar:tx.wprs_log_authentications=0 = disables logging
default: 1
SecAction "id:22000020,phase:1,nolog,pass,t:none,setvar:tx.wprs_log_authentications=1"
Following a brute-force attack test using wpscan, against the admin user. The WPRS ban the attacker IP and blocks all requests after 5 failed login:
Please, feel free to contribute by a Pull Request
theMiddle twitter account: @AndreaTheMiddle
Rev3rse Security twitter account (ITA): @rev3rsesecurity
Rev3rse Security YouTube (ITA): https://www.youtube.com/rev3rsesecurity