WordPress ModSecurity Rule Set (WPRS)

This rule set extends the OWASP CRS (https://github.com/SpiderLabs/owasp-modsecurity-crs) with rules written specifically for WordPress. It protects the parts of the CMS that are attacked most often: the login page (brute-force attempts), the xmlrpc.php endpoint and user enumeration.

Install

Clone this repository: git clone https://github.com/theMiddleBlue/wordpress-modsecurity-ruleset.git

Use with OWASP CRS

This rule set is intended to be used together with OWASP CRS 3. Clone this repository and then include it from your modsecurity.conf:

...

Include wordpress-modsecurity-ruleset/*.conf

Optionally you can override the defaults described in the 01-SETUP.conf file by setting the tx.wprs_* variables before the Include line. The values below, for example, keep brute-force mitigation and authentication logging enabled but block xmlrpc.php and author enumeration:

...

SecAction "phase:1,id:22000000,nolog,pass,t:none,setvar:tx.wprs_client_ip=%{REMOTE_ADDR}"
SecAction "id:22000004,phase:1,nolog,pass,t:none,setvar:tx.wprs_check_bruteforce=1"
SecAction "id:22000005,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_timespan=120"
SecAction "id:22000010,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_threshold=5"
SecAction "id:22000015,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_banperiod=300"
SecAction "id:22000020,phase:1,nolog,pass,t:none,setvar:tx.wprs_log_authentications=1"
SecAction "id:22000025,phase:1,nolog,pass,t:none,setvar:tx.wprs_allow_xmlrpc=0"
SecAction "id:22000030,phase:1,nolog,pass,t:none,setvar:tx.wprs_allow_user_enumeration=0"

Include wordpress-modsecurity-ruleset/*.conf

Configurations

Real Client IP Address

Rule 22000000: Client IP Address. This rule sets the "real" client IP address. Usually this is %{REMOTE_ADDR}, but when the site sits behind Cloudflare or a load balancer the user's address arrives in a request header such as X-Forwarded-For, True-Client-IP or CF-Connecting-IP (Cloudflare). Only trust such a header for requests that really come from your proxy: a client that can reach the web server directly can set X-Forwarded-For itself and choose which address gets counted and banned, so it can evade the brute-force ban or get somebody else's address banned. See the 01-SETUP.conf file for more information:

SecAction "phase:1,id:22000000,nolog,pass,t:none,setvar:tx.wprs_client_ip=%{REMOTE_ADDR}"
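As an added example (not code from the WPRS repository), the following rules take the client address from Cloudflare's CF-Connecting-IP header, but only when the request actually arrived from a trusted proxy; requests from anywhere else that carry the header are refused. The proxy address list, the header name and the rule ids 90001 and 90002 are placeholders: fill the list from your load balancer's addresses or https://www.cloudflare.com/ips/, and pick any unused ids (1-99999 is the range ModSecurity reserves for local rules).

```apache
# Added example, not part of WPRS. Placeholder proxy ranges: replace with the
# real addresses of the proxy in front of the site.
# Trusted proxy -> accept CF-Connecting-IP as the client address. The chained
# rule only accepts an IPv4/IPv6 looking literal; anything else leaves the
# default of %{REMOTE_ADDR} set by rule 22000000 in place.
SecRule REMOTE_ADDR "@ipMatch 192.0.2.0/24,2001:db8::/32" \
    "id:90001,phase:1,nolog,pass,t:none,chain"
    SecRule REQUEST_HEADERS:CF-Connecting-IP "@rx ^[0-9a-fA-F.:]{7,45}$" \
        "t:none,setvar:tx.wprs_client_ip=%{MATCHED_VAR}"

# Untrusted source that sends CF-Connecting-IP anyway: either the origin is
# reachable directly (bypassing the proxy) or somebody is trying to spoof the
# address used for the brute-force counter. Refuse rather than guess.
SecRule REMOTE_ADDR "!@ipMatch 192.0.2.0/24,2001:db8::/32" \
    "id:90002,phase:1,deny,status:403,log,t:none,\
    msg:'CF-Connecting-IP received from untrusted source %{REMOTE_ADDR}',chain"
    SecRule &REQUEST_HEADERS:CF-Connecting-IP "@gt 0" "t:none"
```

Where these rules go relative to the WPRS Include depends on whether 01-SETUP.conf overwrites a tx.wprs_client_ip that is already set; check that file, as the README advises. An alternative on Apache is mod_remoteip (RemoteIPHeader plus RemoteIPTrustedProxy), which rewrites the address the server sees before ModSecurity runs; if you go that way, send one test request and confirm in the audit log that REMOTE_ADDR shows the rewritten address before relying on it.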

Mitigate Brute-Force Attacks

Rule 22000004: Enable / disable brute-force mitigation. When wprs_check_bruteforce is set to 1, WPRS tries to mitigate brute-force attacks against /wp-login.php. With the defaults it counts login attempts per client IP address and, when an address makes more than 5 attempts within a 2 minute window, blocks it for 5 minutes.

setvar:tx.wprs_check_bruteforce=1  =  brute-force mitigation enabled
setvar:tx.wprs_check_bruteforce=0  =  brute-force mitigation disabled

default: 1

SecAction "id:22000004,phase:1,nolog,pass,t:none,setvar:tx.wprs_check_bruteforce=1"

Time Span

Rule 22000005: Time span. The length in seconds of the window within which login attempts on /wp-login.php are counted; the attempt counter expires once this many seconds have passed. For example, to count attempts over a 10 minute window:

setvar:tx.wprs_bruteforce_timespan=600

default: 120 (2 minutes)

SecAction "id:22000005,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_timespan=120"

Threshold

Rule 22000010: Threshold. How many login attempts within the time span WPRS accepts before banning the client. For example, if you set this to 10, WPRS bans the client at the 11th attempt:

setvar:tx.wprs_bruteforce_threshold=10

default: 5

SecAction "id:22000010,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_threshold=5"

Ban period

Rule 22000015: Ban period. For how many seconds a client IP address stays banned once a brute-force attempt has been detected. For example, to block it for 5 minutes set this to 300:

setvar:tx.wprs_bruteforce_banperiod=300

default: 300

SecAction "id:22000015,phase:1,nolog,pass,t:none,setvar:tx.wprs_bruteforce_banperiod=300"
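The three settings above (time span, threshold, ban period) describe a per-address counter with an expiry and a ban flag with its own expiry. The block below is an added example of how such a counter can be written in ModSecurity 2.9 on top of the tx.wprs_* variables from 01-SETUP.conf; it is not the project's own 03-BRUTEFORCE.conf, the rule ids 9001x are placeholders from the locally reserved range, and persistent collections require SecDataDir to be configured.

```apache
# Added example, not WPRS's own rules. Needs SecDataDir for the IP collection.

# Open the IP collection keyed by the real client address (rule 22000000), so
# the counter survives across requests and still works behind a proxy.
SecAction "id:90010,phase:1,nolog,pass,t:none,initcol:ip=%{tx.wprs_client_ip}"

# Every POST to /wp-login.php that carries a username (the form field is
# called "log") bumps the counter. expirevar drops the counter after
# wprs_bruteforce_timespan seconds: that is what "time span" means.
SecRule TX:wprs_check_bruteforce "@eq 1" \
    "id:90011,phase:2,nolog,pass,t:none,chain"
    SecRule REQUEST_METHOD "@streq POST" "t:none,chain"
        SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "t:none,chain"
            SecRule &ARGS_POST:log "@gt 0" \
                "t:none,\
                setvar:ip.wprs_login_attempts=+1,\
                expirevar:ip.wprs_login_attempts=%{tx.wprs_bruteforce_timespan}"

# More than wprs_bruteforce_threshold attempts inside the window: refuse this
# attempt (the 11th when the threshold is 10) and raise a ban flag that lives
# for wprs_bruteforce_banperiod seconds.
SecRule IP:wprs_login_attempts "@gt %{tx.wprs_bruteforce_threshold}" \
    "id:90012,phase:2,deny,status:403,log,t:none,\
    msg:'WPRS example: %{ip.wprs_login_attempts} login attempts from %{tx.wprs_client_ip}, banning',\
    setvar:ip.wprs_banned=1,\
    expirevar:ip.wprs_banned=%{tx.wprs_bruteforce_banperiod}"

# While the flag is set, refuse every request from that address, not only
# logins; this matches the behaviour shown in the README's wpscan test.
SecRule IP:wprs_banned "@eq 1" \
    "id:90013,phase:1,deny,status:403,log,t:none,\
    msg:'WPRS example: request from banned address %{tx.wprs_client_ip}'"
```

Two things to be aware of when using a counter like this. It counts attempts, not failures, exactly as the Time Span section describes; telling them apart needs a phase 3 rule on the response, since WordPress answers a failed login with a 200 and the form again, and a successful one with a 302 to the dashboard. And it only sees /wp-login.php: login attempts sent through xmlrpc.php are not counted, which is one reason the xmlrpc toggle below exists.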

User enumeration

Rule 22000030: User enumeration. This rule allows or blocks requests such as /?author=1. WordPress answers such a request with the author's archive page (with pretty permalinks, a redirect to /author/<username>/), which reveals the account's login name, so an attacker can enumerate every active user simply by incrementing the author parameter and then feed the names to a brute-force attack.

setvar:tx.wprs_allow_user_enumeration=1 = allows requests such as /?author=1
setvar:tx.wprs_allow_user_enumeration=0 = blocks requests such as /?author=1

default: 1

SecAction "id:22000030,phase:1,nolog,pass,t:none,setvar:tx.wprs_allow_user_enumeration=1"

Block access to xmlrpc.php

Rule 22000025: XML-RPC. This rule allows or blocks access to the xmlrpc.php script. Many sites never use xmlrpc.php but leave it enabled, and its system.multicall method lets an attacker test hundreds of username/password pairs in a single HTTP request: a brute-force amplification that also sidesteps any counter watching /wp-login.php.

setvar:tx.wprs_allow_xmlrpc=1 = allows requests to xmlrpc.php
setvar:tx.wprs_allow_xmlrpc=0 = blocks requests to xmlrpc.php

default: 1

SecAction "id:22000025,phase:1,nolog,pass,t:none,setvar:tx.wprs_allow_xmlrpc=1"
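As an added example covering both the user enumeration and the xmlrpc.php toggles above (not the project's own rules; ids 9002x are placeholders from the locally reserved range), the block below shows how such toggles gate blocking rules. It goes a little beyond the README's "/?author=1" case: the REST API exposes the same user list to anonymous callers via /wp-json/wp/v2/users, so that route is covered too, but only for unauthenticated requests because the block editor needs it for logged-in users.

```apache
# Added example, not WPRS's own rules.

# Numeric author ids in the query string (/?author=1). Only integers are
# blocked, so searches and author-name queries are untouched.
SecRule TX:wprs_allow_user_enumeration "@eq 0" \
    "id:90020,phase:2,deny,status:403,log,t:none,\
    msg:'WPRS example: author id enumeration',chain"
    SecRule ARGS_GET:author "@rx ^\d+$" "t:none"

# REST user listing, reachable as /wp-json/wp/v2/users or, without pretty
# permalinks, as ?rest_route=/wp/v2/users. Refused only when no
# wordpress_logged_in_* cookie is present, so the editor keeps working.
SecRule TX:wprs_allow_user_enumeration "@eq 0" \
    "id:90021,phase:2,deny,status:403,log,t:none,\
    msg:'WPRS example: REST user enumeration',chain"
    SecRule REQUEST_URI "@rx (?i)(/wp-json/wp/v2/users|rest_route=/wp/v2/users)" \
        "t:none,chain"
        SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0" "t:none"

# xmlrpc.php: refused entirely when the toggle is 0. If Jetpack or a mobile
# app needs it, allowlist those clients rather than re-enabling it for everyone.
SecRule TX:wprs_allow_xmlrpc "@eq 0" \
    "id:90022,phase:1,deny,status:403,log,t:none,\
    msg:'WPRS example: xmlrpc.php is disabled',chain"
    SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" "t:none"
```

The gating pattern is the point: the toggle variable is the chain starter, so flipping a single setvar in your configuration turns a whole family of rules on or off without editing them.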

Log login and logout events

Rule 22000020: Log authentication events. This rule enables or disables the logging of authentication events. When enabled, a log entry is produced each time a user logs in on /wp-login.php.

setvar:tx.wprs_log_authentications=1 = enables logging
setvar:tx.wprs_log_authentications=0 = disables logging

default: 1

SecAction "id:22000020,phase:1,nolog,pass,t:none,setvar:tx.wprs_log_authentications=1"
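Below is an added example of what such logging rules can look like (not the project's own 04-EVENTS.conf; ids 9003x are placeholders from the locally reserved range). It records one audit-log entry per login attempt and one per logout, and it keeps the password out of the audit log with sanitiseArg, which matters because part C of the audit log otherwise contains the full POST body.

```apache
# Added example, not WPRS's own rules. Requires SecRequestBodyAccess On and
# part C in SecAuditLogParts if you want the request body in the audit log.

# One entry per login attempt, with the submitted username and the real client
# address. sanitiseArg masks the pwd field before the body is written out.
SecRule TX:wprs_log_authentications "@eq 1" \
    "id:90030,phase:2,pass,log,auditlog,t:none,\
    msg:'WPRS example: login attempt for user %{ARGS.log} from %{tx.wprs_client_ip}',chain"
    SecRule REQUEST_METHOD "@streq POST" "t:none,chain"
        SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "t:none,chain"
            SecRule &ARGS_POST:log "@gt 0" "t:none,sanitiseArg:pwd"

# Logouts go through /wp-login.php?action=logout.
SecRule TX:wprs_log_authentications "@eq 1" \
    "id:90031,phase:2,pass,log,t:none,\
    msg:'WPRS example: logout from %{tx.wprs_client_ip}',chain"
    SecRule REQUEST_FILENAME "@endsWith /wp-login.php" "t:none,chain"
        SecRule ARGS_GET:action "@streq logout" "t:none"
```

The username is logged exactly as submitted, so treat that field as attacker-controlled when you parse the log downstream.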

Test Brute-Force Attack

The following recording shows a brute-force test with wpscan against the admin user. WPRS bans the attacker's IP address and blocks all of its requests after the fifth failed login:

[asciicast: wpscan brute-force test against WPRS]

Contribute!

Please feel free to contribute with a pull request.

Contacts

theMiddle twitter account: @AndreaTheMiddle
Rev3rse Security twitter account (ITA): @rev3rsesecurity
Rev3rse Security YouTube (ITA): https://www.youtube.com/rev3rsesecurity

Issues

04-EVENTS.conf fails on ModSecurity version 2.9

Reloading The Apache HTTP Server.
apachectl[15596]: AH00526: Syntax error on line 9 of /etc/modsecurity/wp-rules-enabled/04-EVENTS.conf:
apachectl[15596]: ModSecurity: Metadata actions (id, rev, msg, tag, severity, ver, accuracy, maturity, logdata) can only be specified by chain starter rules.

How may I modify this rule to work with ModSecurity 2.9?

Invalid transformation function: uppercase

Hi, I'm getting this error when I try to start apache2 with the rulesets defined in this repo:

Aug 02 15:12:09 ip-172-31-9-63 apachectl[4820]: AH00526: Syntax error on line 16 of /home/ubuntu/wordpress-modsecurity-ruleset/03-BRUTEFORCE.conf:
Aug 02 15:12:09 ip-172-31-9-63 apachectl[4820]: Error parsing actions: Invalid transformation function: uppercase
Aug 02 15:12:10 ip-172-31-9-63 apachectl[4820]: Action 'start' failed.
Aug 02 15:12:10 ip-172-31-9-63 apachectl[4820]: The Apache error log may have more information.

Any thoughts?
