POST Request Protection|POST Attack Protection|POST Request Blocker
This topic has 33 replies, 11 voices, and was last updated 6 years, 5 months ago by AITpro Admin.
AITpro Admin (Keymaster)

POST Request Protection|POST Attack Protection|POST Request Blocker General Info:
Short|Simplified Help Info:
The BPS POST Request Attack Protection code below filters all POST Requests made to your website. Each RewriteCond line of code is a whitelist rule that says to allow all POST Requests to that file or URL|URI that contains a POST Form. Any/all POST Requests made to your website that are NOT whitelisted by Request URI or Query String conditions in the POST Attack Protection htaccess code will be blocked. To whitelist additional files, URLs, POST Forms on your website you would add a line of code that has the name of the file or the URL|URI to allow/whitelist all POST Requests to that file, URL, POST Form. After adding this Bonus Custom Code to BPS Custom Code, check your BPS Security Log for a few days for any 403 POST Request Log entries to make sure that you have whitelisted/allowed all POST Forms on your website that need to be whitelisted/allowed.

Long|Extensive Help Info: (This is a very basic/simplified non-technical explanation to make it very easy for everyone to understand the basics)
Any/all POST Requests made to your website that are NOT whitelisted by Request URI or Query String conditions in the POST Attack Protection htaccess code will be blocked. The two most common types of Request Methods are POST and GET. The naming convention of these Request Methods is self-explanatory. A GET Request “gets” data and a POST Request “posts” data. The primary difference between a GET Request and a POST Request is that a POST Request sends data enclosed in the body of the Request, whereas a GET Request can send data in a URL Query String, but does not send data enclosed in the body of the Request. POST attacks target POST Forms by directly or remotely auto-posting data to POST Forms. The attack is done by either pre-populating POST Form fields or getting POST Form fields and then auto-populating all Form fields that are detected and auto-submitting a Form. This POST Request Attack Protection Bonus Custom Code can completely block all POST Forms from being allowed to be submitted on your site, which means no one including yourself can POST/submit any Forms on your website. Obviously you do not want to do that. So how is this code useful and what can it protect against? See the IMPORTANT NOTES help section below for the different levels of POST attack blocking protection that you can use depending on what you do and do not want to allow on your website and what the POST Attack Blocker code will protect against.

IMPORTANT NOTES: READ ME before using this POST Request Protection|POST Attack Protection|POST Request Blocker Bonus Custom Code
Scroll down to the Example Blocked POST Attacks Logged in the BPS Security Log help section below and take a quick look at Example #3 of a Blocked POST Attack Security Log entry and then return to this IMPORTANT NOTES help section and continue reading these notes. Example #3 shows probably the most important reason to add this POST Attack Blocker Bonus Custom Code. There are many other types of POST attacks that I have not added to these examples below. So what is important is to ONLY block “bad/malicious” POST Request attacks and not block/break any “good” POST Requests. This POST Request Attack Protection Bonus Custom Code does not add security protection to existing POST Forms. Your “good” POST Forms (wp-login.php, wp-comments.php, etc) already have their own security protection built into those POST Forms. What this Bonus Custom Code is intended for is to block all the other “bad/malicious” POST Request attacks that are occurring against your website. You can also choose the level of what POST Forms you do and do not want to allow any posting to. Or in other words, you are disabling/disallowing/blocking any POST Requests to those individual Forms. See BPS POST Request Attack Protection Code Explained below.

BPS POST Request Attack Protection Code Explained:
The code below is checking all POST Requests made on your website and allowing/whitelisting all POST Requests made to all of these files/POST Forms in the code below and will NOT block any of them. By default all of the standard WordPress POST Request Forms are NOT blocked/are whitelisted in the code below and in the special case of the wp-cron.php file used for WordPress Crons, all POST Request functions like the wp_remote_post() function or any other WordPress functions that perform POST Requests in a WordPress Cron are NOT blocked/are whitelisted in the code below. So basically using the code below as is, allows/whitelists all WordPress files/POST Forms and blocks any other POST Requests made to your website. By commenting out lines of code with # signs you can block POST Requests to any of these files/POST Forms individually. See Example Blocking POST Request Attacks for Individual files/POST Forms below.
IMPORTANT: For any/all other POST Forms on your website, such as a Contact Form or any other Forms on the frontend (not the wp-admin Dashboard backend) of your website where you are allowing people to submit data/content in a Form, you will need to add/whitelist either the file name of that Form or the URL|URI of that Page or Post. If you are using PayPal IPN or PDT or another payment Gateway and are getting POST transaction data sent back to your website then you need to add/whitelist your IPN script filename. See the IMPORTANT Whitelisting steps for additional POST Forms on your website help information below.
Example Blocking POST Request Attacks for Individual files/POST Forms:
If you do not want to allow any XML-RPC Pingbacks and Remote Posting POST Requests on your website then you would comment out this line of code with a # sign:
#RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
IMPORTANT: Do NOT comment out this code with a # sign if you are using JetPack or XML-RPC remote posting. If you are using JetPack or using XML-RPC for remote posting to your website, JetPack and remote posting will be blocked.

If you do not want to allow any Trackback POST Requests on your website then you would comment out this line of code with a # sign:
#RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
IMPORTANT: wp-login.php and wp-cron.php should NEVER be commented out with a # sign/blocked. You will not be able to login to your site if you block wp-login.php POST Requests. You will break any/all plugins on your website that use POST Requests in WordPress Crons including BPS Pro, which uses POST Requests in WordPress Crons.
IMPORTANT Whitelisting steps for additional POST Forms on your website:
The code below shows 3 additional added/whitelisting examples for whitelisting a custom/additional POST Form, a Contact Form URL and a PayPal IPN script filename. You can allow/whitelist by filename or URL|URI, whichever is easier/simpler for you.

Example 1: Star Rating Calculator POST Form Requests. This is an example whitelist rule to allow POST Requests to this file: star-rating-calculator.php, which contains a POST Form where people can submit data to that Form. By adding/whitelisting the star-rating-calculator.php file I am allowing/whitelisting all POST Requests to that file/Form.

Example 2: Contact Form POST Requests. This is an example whitelist rule to allow all POST Requests to the Contact page URL|URI. By adding/whitelisting the /contact/ URL|URI I am allowing/whitelisting all POST Requests to that file/Form.

Example 3: PayPal IPN API Script POST Requests. This is an example whitelist rule to allow POST Requests to this file: ipn_handler.php, which contains the code to receive PayPal IPN transaction POST data from PayPal back to your website’s IPN script. By adding/whitelisting the ipn_handler.php file I am allowing/whitelisting all POST Requests to that file/Form.
# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
# Whitelist WP JSON POST Requests by Query String
RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
# Whitelist the WordPress Theme Customizer
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
# Whitelist JSON POST Requests - Jetpack|Contact Form 7|etc.
RewriteCond %{REQUEST_URI} !^.*/wp-json/(.*) [NC]
# Whitelist Network|Multisite Signup POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
# Whitelist Network|Multisite Activate POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
# Whitelist Trackback POST Requests
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
# Example 1: Whitelist Star Rating Calculator POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
# Example 2: Whitelist Contact Form POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
# Example 3: Whitelist PayPal IPN API Script POST Requests
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
RewriteRule ^(.*)$ - [F]
How to add the BPS POST Request Attack Protection code to BPS Root Custom Code:
IMPORTANT: Check your BPS Security Log for a few days after adding this BPS POST Request Attack Protection code to make sure you did not forget to whitelist any of your additional custom Forms on your website. If you see any Security Log entries for Forms being blocked that you want to allow/whitelist then see this help section above: IMPORTANT Whitelisting steps for additional POST Forms on your website
1. Copy the BPS POST Request Attack Protection Bonus Code below to this BPS Root Custom Code text box: 14. CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
2. Add any additional lines of code to allow/whitelist files/POST Forms that you want to allow/whitelist on your website. See the IMPORTANT Whitelisting steps for additional POST Forms on your website help section above for how to add additional code/whitelist rules.
3. Click the Save Root Custom Code button.
4. BPS Pro 11.9+ & BPS .53.8+: Go to the Security Modes page and click the Root folder BulletProof Mode Activate button.
4. Older BPS versions: Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode.

Example Blocked POST Attacks Logged in the BPS Security Log:
NOTE: The REQUEST BODY logging field is added in BPS Pro 11.2+ and BPS .52.7+. If you have an older version of BPS Pro or BPS installed you will not see the REQUEST BODY logging field in your Security Log entries.
#1: This hackerbot or spambot is auto-posting POST Request Body data to the Login page to attempt to auto-signup, auto-activate, auto-register and auto-login to this BuddyPress/bbPress site. In simple terms, create spam user accounts automatically using a POST attack.
[403 POST Request: October 7, 2015 - 5:36 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 46.39.53.103
Host Name: 46.39.53.103
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: http://forum.ait-pro.com/wp-login.php
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
REQUEST BODY:
--c5d15cd8b1573
Content-Disposition: form-data; name="signup_username"
Dckuykdrk
--c5d15cd8b1573
Content-Disposition: form-data; name="signup_email"
bipoloceru@notowany.pl
--c5d15cd8b1573
Content-Disposition: form-data; name="signup_password"
ne797lXkeB
--c5d15cd8b1573
Content-Disposition: form-data; name="signup_password_confirm"
ne797lXkeB
--c5d15cd8b1573
Content-Disposition: form-data; name="field_1"
Hhdutuqjlmo
--c5d15cd8b1573
Content-Disposition: form-data; name="signup_profile_field_ids"
1
--c5d15cd8b1573
Content-Disposition: form-data; name="reference"
google
--c5d15cd8b1573
Content-Disposition: form-data; name="captcha"
--c5d15cd8b1573
Content-Disposition: form-data; name="signup_submit"
Complete Sign Up
--c5d15cd8b1573
Content-Disposition: form-data; name="_wpnonce"
4fa74be489
--c5d15cd8b1573
Content-Disposition: form-data; name="_wp_http_referer"
/register/
--c5d15cd8b1573--
#2: This hackerbot or spambot is auto-posting POST Request Body data to the Login page to attempt to auto-login to the AIT-pro.com site using Username: admin and Password: Admin. In simple terms, this is a POST Brute Force Login attack.
[403 POST Request: October 5, 2015 - 9:40 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 66.135.41.72
Host Name: fqdn.profitics.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: http://www.ait-pro.com/wp-login.php
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
REQUEST BODY: log=admin&pwd=Admin%211&wp-submit=Log%2BIn&testcookie=1
#3: This hackerbot is auto-posting POST Request Body data to the Root of the AIT-pro.com hosting account/site in an attempt to force upload a hacker Shell script to the AIT-pro.com hosting account/site. Only a small portion of the Security Log entry (hacker file/code) is shown below. The entire Security Log entry has captured/logged the entire hacker’s script/file contents and is 86KB in size. By default the BPS Security Log Limit POST Request Body Data option is set to checked and will not capture/log entire hacker scripts/files/code. You can capture/log entire hacking scripts if you uncheck the Limit POST Request Body Data checkbox, but that means your log file size could increase dramatically and you could receive more automated Security Log zip file emails. If you are using email security protection on your computer then your zipped Security Log files may be seen as containing a virus (hacker script/code) and they could be automatically deleted by your email protection application on your computer. Your computer security protection software may also see the Security Log file as malicious and block it. CAUTION: It is possible that your web host may have security protection that sees captured/logged hacker code in your Security Log as a hacker file. If you do not want to risk your host server taking preventative or restrictive actions on your website/server then be sure to leave the Security Log Limit POST Request Body Data option checkbox checked (default setting: checked) on the BPS Security Log page. If you are capturing/logging hacker scripts and one of the issues described above occurs you can copy your Security Log file, click the Delete Log button and check the Security Log Limit POST Request Body Data option checkbox to prevent future issues.
[403 POST Request: October 8, 2015 - 6:15 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 59.60.113.248
Host Name: 248.113.60.59.broad.pt.fj.dynamic.163data.com.cn
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER: http://www.ait-pro.com
REQUEST_URI: /
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
REQUEST BODY:
--(UploadBoundary)
Content-Disposition: form-data; name="yiw_contact[]"; filename="web.php"
Content-Type: text/php
<?php
/**
 * Be sure to include no trailing slash on the path.
 * See http://www.php.net/support.php for more information
 * about PHP manuals and their types.
 */
/* 32bit MD5 */
$password = "663b489cc6590c7bed9c8bb05e188e16";
define('VERSION','kaylin');
/*Starting*/
$register_key = array /*Registration code*/
(
array
(
'CQ9jnUNtDTIlpz9lK3WypT9lqTyhMluSK0IFHx9FXGgNnJ5cK3AyqPtaMTympTkurI9ypaWipaZaYPqCMzLaXGgN' ,
... ... ...
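The following is an added example, not code from the post or from the BPS plugin. It replays Security Log entries against the rule block above to show how mod_rewrite evaluates that chain: every RewriteCond must hold for the RewriteRule's [F] to fire, so each negated whitelist line is a point where the chain can abort and let a POST through. Apache's regex matching is approximated with Python's re.search (unanchored search, [NC] mapped to re.I), which is faithful for the simple patterns used here. The two embedded log entries are copied from examples #2 and #3 above with fields this script does not read removed and the shell body truncated; the requests in rule_shape_checks are constructed for illustration. Two of those constructed cases are worth noticing: the `_locale=` query-string condition and the Customizer Referer condition key on client-supplied values and are not tied to any path, so a POST to any URL that carries them passes this block. That is a property of the regexes as written, not something the post claims, and it is the kind of thing to check in the Security Log after enabling the code.

```python
import re

# Rule block copied from the post above (the three example whitelist rules included).
BPS_RULES = """
RewriteCond %{REQUEST_METHOD} POST [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-json/(.*) [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
RewriteRule ^(.*)$ - [F]
"""
COND_RE = re.compile(r'^RewriteCond\s+%\{(\w+)\}\s+(!?)(\S+)(?:\s+\[([^\]]*)\])?$')
FIELD_RE = re.compile(r'^([A-Z_]+): ?(.*)$')

def parse_conditions(rules):
    """[(server_var, negated, regex)] in file order. Apache ANDs these lines (no
    [OR] here) and RewriteRule ^(.*)$ - [F] matches every path, so they decide."""
    conds = []
    for line in rules.strip().splitlines():
        if m := COND_RE.match(line.strip()):
            var, neg, pattern, flags = m.groups()
            nocase = re.I if flags and 'NC' in flags.split(',') else 0
            conds.append((var, neg == '!', re.compile(pattern, nocase)))
    return conds

def env(method, uri='/', query='', referer=''):
    """The mod_rewrite variables the rules read; REQUEST_URI is the path only."""
    return {'REQUEST_METHOD': method, 'REQUEST_URI': uri,
            'QUERY_STRING': query, 'HTTP_REFERER': referer}

def decide(vars_, conds):
    """('403', None) when every condition holds, else ('pass', <the condition
    that was false>), i.e. the whitelist line that let the request through."""
    for var, negated, rx in conds:
        hit = rx.search(vars_[var]) is not None
        if hit == negated:          # condition false: chain aborts, [F] never fires
            return 'pass', f"{'!' if negated else ''}{rx.pattern} on {var}"
    return '403', None

def parse_log_entry(text):
    """One '[403 POST Request: ...]' entry -> dict of UPPER_CASE fields plus
    'REQUEST BODY' (everything from that label to the end of the entry)."""
    fields, body = {}, []
    for line in text.strip().splitlines():
        line = line.strip()
        if body or line.startswith('REQUEST BODY:'):
            body.append(line.replace('REQUEST BODY:', '', 1).strip())
        elif m := FIELD_RE.match(line):
            fields[m.group(1)] = m.group(2).strip()
    fields['REQUEST BODY'] = '\n'.join(b for b in body if b)
    return fields

def form_field_names(body):
    """Part names (multipart) or keys (urlencoded): what the POST tried to submit."""
    names = re.findall(r';\s*name="([^"]*)"', body)
    return names or [p.split('=', 1)[0] for p in body.split('&') if p]

def replay(entry_text, conds=None):
    """(decision, reason, form field names) for one Security Log entry."""
    f = parse_log_entry(entry_text)
    decision, reason = decide(env(f.get('REQUEST_METHOD', ''), f.get('REQUEST_URI', '/'),
                                  f.get('QUERY_STRING', ''), f.get('HTTP_REFERER', '')),
                              conds or parse_conditions(BPS_RULES))
    return decision, reason, form_field_names(f['REQUEST BODY'])

# Log examples #2 and #3 from the post, trimmed to the fields this script reads.
LOG_EXAMPLE_2 = """[403 POST Request: October 5, 2015 - 9:40 am]
REQUEST_METHOD: POST
REQUEST_URI: /wp-login.php
REQUEST BODY: log=admin&pwd=Admin%211&wp-submit=Log%2BIn&testcookie=1"""
LOG_EXAMPLE_3 = """[403 POST Request: October 8, 2015 - 6:15 am]
REQUEST_METHOD: POST
HTTP_REFERER: http://www.ait-pro.com
REQUEST_URI: /
REQUEST BODY: --(UploadBoundary)
Content-Disposition: form-data; name="yiw_contact[]"; filename="web.php"
Content-Type: text/php
<?php /* shell contents truncated */"""

def rule_shape_checks(conds=None):
    """Constructed requests (not from any log) showing what each regex keys on."""
    conds = conds or parse_conditions(BPS_RULES)
    cases = {
        'get_root': env('GET', '/'),                          # only POST is filtered
        'contact_page': env('POST', '/contact/'),             # Example 2 whitelist
        'register_page': env('POST', '/register/'),           # not whitelisted -> 403
        'nested_wp_admin': env('POST', '/blog/wp-admin/admin-ajax.php'),  # ^.* prefix
        'locale_query': env('POST', '/', query='_locale=user'),          # any path
        'customizer_referer': env('POST', '/', referer='http://x.test/wp-admin/customize.php'),
    }
    return {name: decide(v, conds)[0] for name, v in cases.items()}
```

Replaying example #3 gives 403 with no whitelist line matched, which is the shell-upload case the post calls the most important reason to use the code. Replaying example #2 gives pass on the wp-login.php line: the rule block as posted whitelists that file, so that 403 was produced by something other than this block on the logging site. The reason string is what to compare against a Security Log entry when a legitimate form is being blocked, since it names the whitelist line that would have had to match.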
Jose (Participant)

Hi;
Does this code replace XML-RPC DDoS PROTECTION and XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION bonus code or supplement them?
Thanks in advance.
AITpro Admin (Keymaster)

Excellent question and thanks for the reminder to add that information, which was supposed to be added to the main forum topic above. 😉 If someone has JetPack installed or they are using XML-RPC to create remote POSTs then they should leave the whitelist rule for:
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
and use the XML-RPC Protection code to protect the xmlrpc.php file. In general, if someone wants to completely block and capture/log all POST Request Attacks made to XML-RPC then they would only need to use/add the POST Request Attack Protection code above and comment out the xmlrpc.php whitelist rule with a # sign and not add/use the additional XML-RPC Protection code.

AITpro Admin (Keymaster)

See my additional information added in my reply above.
Jose (Participant)

And the Hotlink Protection Code should be included before or after this POST Request Attack Protection code above?
AITpro Admin (Keymaster)

The order of htaccess code in this BPS Root Custom Code text box: CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE does not matter. There is only 1 Root Custom Code text box where the order of htaccess code is important: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE.
Technically there is 1 other Root Custom Code text box where the order of Plugin/Theme skip/bypass rules/code is important: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES. Plugin/Theme Skip rules need to be in descending order: S=15, S=14, S=13, etc.
Jose (Participant)

Ok. Thanks again.
popljubo (Participant)

Hi,
I don’t have a Network|Multisite, so could I comment out these lines of code with a # sign:

RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]

I’m not a programmer and this is a little bit confusing to me, because those files exist in my WP installation which is not a multisite, etc. and is not even a multi-user site, so I’m asking what will happen if I comment out those lines of code.
AITpro Admin (Keymaster)

Yes. You can safely comment out/block the wp-signup.php and wp-activate.php files/lines of code/whitelist rules since these files are only used on Network/Multisite sites.
Deb (Participant)

Another scenario: All worked perfectly for completely locking out everything but me using BPSP login protection and the above for post data attack, leaving only the # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON lines open.
I use the Opera browser to test a not-me IP as it comes in from its own separate ip (in the Security log file it noted the ip was “HTTP_X_FORWARDED_FOR: 50.zz.y.xx” – my real ip address).
Using Opera http:// all was fine with all domains (got correct 403 errors). BUT when I tried a domain that I only allow https:// secure ssl, Opera put through the wp-login page as normal – no 403. ? When I resubmitted without the “s” – it immediately 403’d. All the custom code is identical between sites (except for Allow from domain/server differences).
When I acid tested w/a Tor browser entry on the https:// it did go to a 403 immediately.
A fluke? Leave all as is? (real bad guys won’t be using my ip ever.)
AITpro Admin (Keymaster)

I guess a fluke or some other factor that is not obvious. The POST Request Attack protection code works the same for http or https POST Requests since the conditional check is for any/all POST Requests made.
Dean A. Batha (Participant)

If I or another user on my site is using a password service such as Last Pass or Dash Lane, and has it set to “auto login,” to the wp-login.php form, will this code see it as a bot attempting to post login information to the form? If so, then what is the recommended way to allow these services to function for users that employ them?
AITpro Admin (Keymaster)

Last Pass is known to cause problems. There are workarounds if you do searches for Last Pass in the forum.
John (Participant)

I have 2 questions:
1) Do I still need this code
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
and this code
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
if I’ve already added the code below?
# XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# Using this code blocks Pingbacks and Trackbacks on your website.
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist an IP address for any other reasons.
# Example: uncomment #Allow from x.x.x. by deleting the # sign and
# replace the x's with your actual IP address. Allow from 99.88.77.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
#Allow from x.x.x.
Deny from all
</FilesMatch>
2) Aside from Contact Form 7, I’m running Woocommerce on my site and I’m allowing comments on each single product page, providing that “users must be registered and logged in to comment” (i.e. Settings > Discussion > Other comment settings). Could you please confirm if the whitelisting codes provided above would cover POST Requests to my site (with relevance to Contact Form 7 and Woocommerce comments)?
Please excuse me for not being a very technical person, hence I need your confirmation.
Thank you in advance for your reply.
Best regards,
AITpro Admin (Keymaster)

That choice is entirely up to you. You can use both or one or the other. You would need to check if comments are working or if you are seeing 403 errors logged in your BPS Security Log to determine if comments are being blocked. I am pretty sure that leaving this line of code below uncommented out without a # sign would allow/not block any commenting functionality in any other plugins.
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]