POST Request Protection|POST Attack Protection|POST Request Blocker


This topic contains 31 replies, has 10 voices, and was last updated by  AITpro Admin 1 year, 1 month ago.

Viewing 15 posts - 1 through 15 (of 32 total)
    #25635

    AITpro Admin
    Keymaster

    POST Request Protection|POST Attack Protection|POST Request Blocker General Info:

    Short|Simplified Help Info:
    The BPS POST Request Attack Protection code below filters all POST Requests made to your website. Each RewriteCond line of code is a whitelist rule that says to allow all POST Requests to that file or URL|URI that contains a POST Form. Any/all POST Requests made to your website that are NOT whitelisted by Request URI or Query String conditions in the POST Attack Protection htaccess code will be blocked.  To whitelist additional files, URLs, POST Forms on your website you would add a line of code that has the name of the file or the URL|URI to allow/whitelist all POST Requests to that file, URL, POST Form.  After adding this Bonus Custom Code to BPS Custom Code, check your BPS Security Log for a few days for any 403 POST Request Log entries to make sure that you have whitelisted/allowed all POST Forms on your website that need to be whitelisted/allowed.

    Long|Extensive Help Info: (This is a very basic/simplified non-technical explanation to make it very easy for everyone to understand the basics)
    Any/all POST Requests made to your website that are NOT whitelisted by Request URI or Query String conditions in the POST Attack Protection htaccess code will be blocked.  The two most common types of Request Methods are POST and GET.  The naming convention of these Request Methods is self-explanatory.  A GET Request “gets” data and a POST Request “posts” data.  The primary difference between a GET Request and a POST Request is that a POST Request sends data enclosed in the body of the Request, whereas a GET Request can send data in a URL Query String, but does not send data enclosed in the body of the Request.  POST attacks target POST Forms by directly or remotely auto-posting data to POST Forms.  The attack is done by either pre-populating POST Form fields or getting POST Form fields and then auto-populating all Form fields that are detected and auto-submitting a Form.  This POST Request Attack Protection Bonus Custom Code can completely block all POST Forms from being allowed to be submitted on your site, which means no one including yourself can POST/submit any Forms on your website.  Obviously you do not want to do that.  So how is this code useful and what can it protect against?  See the IMPORTANT NOTES help section below for the different levels of POST attack blocking protection that you can use depending on what you do and do not want to allow on your website and what the POST Attack Blocker code will protect against.

    IMPORTANT NOTES:  READ ME before using this POST Request Protection|POST Attack Protection|POST Request Blocker Bonus Custom Code
    Scroll down to the Example Blocked POST Attacks Logged in the BPS Security Log help section below and take a quick look at Example #3 of a Blocked POST Attack Security Log entry and then return to this IMPORTANT NOTES help section and continue reading these notes. Example #3 shows probably the most important reason to add this POST Attack Blocker Bonus Custom Code.  There are many other types of POST attacks that I have not added to these examples below.  So what is important is to ONLY block “bad/malicious” POST Request attacks and not block/break any “good” POST Requests.  This POST Request Attack Protection Bonus Custom Code does not add security protection to existing POST Forms.  Your “good” POST Forms (wp-login.php, wp-comments.php, etc) already have their own security protection built into those POST Forms.  What this Bonus Custom Code is intended for is to block all the other “bad/malicious” POST Request attacks that are occurring against your website.  You can also choose the level of what POST Forms you do and do not want to allow any posting to.  Or in other words, you are disabling/disallowing/blocking any POST Requests to those individual Forms.  See BPS POST Request Attack Protection Code Explained below.

    BPS POST Request Attack Protection Code Explained:

    The code below is checking all POST Requests made on your website and allowing/whitelisting all POST Requests made to all of these files/POST Forms in the code below and will NOT block any of them.  By default all of the standard WordPress POST Request Forms are NOT blocked/are whitelisted in the code below and in the special case of the wp-cron.php file used for WordPress Crons, all POST Request functions like the wp_remote_post() function or any other WordPress functions that perform POST Requests in a WordPress Cron are NOT blocked/are whitelisted in the code below.  So basically using the code below as is, allows/whitelists all WordPress files/POST Forms and blocks any other POST Requests made to your website.  By commenting out lines of code with # signs you can block POST Requests to any of these files/POST Forms individually.  See Example Blocking POST Request Attacks for Individual files/POST Forms below.

    IMPORTANT:  For any/all other POST Forms on your website, such as a Contact Form or any other Forms on the frontend (not the wp-admin Dashboard backend) of your website where you are allowing people to submit data/content in a Form, you will need to add/whitelist either the file name of that Form or the URL|URI of that Page or Post.  If you are using PayPal IPN or PDT or another payment Gateway and are getting POST transaction data sent back to your website then you need to add/whitelist your IPN script filename.  See the IMPORTANT Whitelisting steps for additional POST Forms on your website help information below.

    Example Blocking POST Request Attacks for Individual files/POST Forms:

    If you do not want to allow any XML-RPC Pingbacks and Remote Posting POST Requests on your website then you would comment out this line of code with a # sign:  #RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]. IMPORTANT: Do NOT comment out this code with a # sign if you are using JetPack or XML-RPC remote posting.  If you are using JetPack or using XML-RPC for remote posting to your website, JetPack and remote posting will be blocked.

    If you do not want to allow any Trackback POST Requests on your website then you would comment out this line of code with a # sign:  #RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]

    IMPORTANT: wp-login.php and wp-cron.php should NEVER be commented out with a # sign/blocked. You will not be able to login to your site if you block wp-login.php POST Requests. You will break any/all plugins on your website that use POST Requests in WordPress Crons including BPS Pro, which uses POST Requests in WordPress Crons.

    IMPORTANT Whitelisting steps for additional POST Forms on your website:

    The code below shows 3 additional added/whitelisting examples for whitelisting a custom/additional POST Form, a Contact Form URL and a PayPal IPN script filename.  You can allow/whitelist by filename or URL|URI, whichever is easier/simpler for you.  Example 1:  Star Rating Calculator POST Form Requests.  This is an example whitelist rule to allow POST Requests to this file: star-rating-calculator.php, which contains a POST Form where people can submit data to that Form. By adding/whitelisting the star-rating-calculator.php file I am allowing/whitelisting all POST Requests to that file/Form. Example 2: Contact Form POST Requests.  This is an example whitelist rule to allow all POST Requests to the Contact page URL|URI.  By adding/whitelisting the /contact/ URL|URI I am allowing/whitelisting all POST Requests to that file/Form.  Example 3: PayPal IPN API Script POST Requests.  This is an example whitelist rule to allow POST Requests to this file: ipn_handler.php, which contains the code to receive PayPal IPN transaction POST data from PayPal back to your website’s IPN script. By adding/whitelisting the ipn_handler.php file I am allowing/whitelisting all POST Requests to that file/Form.

    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Jetpack JSON POST Request
    RewriteCond %{REQUEST_URI} !^.*/wp-json/jetpack/(.*) [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Example 1: Whitelist Star Rating Calculator POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
    # Example 2: Whitelist Contact Form POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
    # Example 3: Whitelist PayPal IPN API Script POST Requests
    RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    RewriteRule ^(.*)$ - [F]

    How to add the BPS POST Request Attack Protection code to BPS Root Custom Code:

    IMPORTANT:  Check your BPS Security Log for a few days after adding this BPS POST Request Attack Protection code to make sure you did not forget to whitelist any of your additional custom Forms on your website.  If you see any Security Log entries for Forms being blocked that you want to allow/whitelist then see this help section above:  IMPORTANT Whitelisting steps for additional POST Forms on your website

    1. Copy the BPS POST Request Attack Protection Bonus Code below to this BPS Root Custom Code text box:  14. CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    2. Add any additional lines of code to allow/whitelist files/POST Forms that you want to allow/whitelist on your website. See the IMPORTANT Whitelisting steps for additional POST Forms on your website help section above for how to add additional code/whitelist rules.
    3. Click the Save Root Custom Code button.
    4. BPS Pro 11.9+ & BPS .53.8+: Go to the Security Modes page and click the Root folder BulletProof Mode Activate button.
    4. Older BPS versions: Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode.

    Example Blocked POST Attacks Logged in the BPS Security Log:

    NOTE: The REQUEST BODY logging field is added in BPS Pro 11.2+ and BPS .52.7+. If you have an older version of BPS Pro or BPS installed you will not see the REQUEST BODY logging field in your Security Log entries.

    #1:  This hackerbot or spambot is auto-posting POST Request Body data to the Login page to attempt to auto-signup, auto-activate, auto-register and auto-login to this BuddyPress/bbPress site.  In simple terms, create spam user accounts automatically using a POST attack.

    [403 POST Request: October 7, 2015 - 5:36 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 46.39.53.103
    Host Name: 46.39.53.103
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: http://forum.ait-pro.com/wp-login.php
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
    REQUEST BODY: --c5d15cd8b1573
    Content-Disposition: form-data; name="signup_username"
    
    Dckuykdrk
    --c5d15cd8b1573
    Content-Disposition: form-data; name="signup_email"
    
    bipoloceru@notowany.pl
    --c5d15cd8b1573
    Content-Disposition: form-data; name="signup_password"
    
    ne797lXkeB
    --c5d15cd8b1573
    Content-Disposition: form-data; name="signup_password_confirm"
    
    ne797lXkeB
    --c5d15cd8b1573
    Content-Disposition: form-data; name="field_1"
    
    Hhdutuqjlmo
    --c5d15cd8b1573
    Content-Disposition: form-data; name="signup_profile_field_ids"
    
    1
    --c5d15cd8b1573
    Content-Disposition: form-data; name="reference"
    
    google
    --c5d15cd8b1573
    Content-Disposition: form-data; name="captcha"
    --c5d15cd8b1573
    Content-Disposition: form-data; name="signup_submit"
    
    Complete Sign Up
    --c5d15cd8b1573
    Content-Disposition: form-data; name="_wpnonce"
    
    4fa74be489
    --c5d15cd8b1573
    Content-Disposition: form-data; name="_wp_http_referer"
    
    /register/
    --c5d15cd8b1573--

    #2:  This hackerbot or spambot is auto-posting POST Request Body data to the Login page to attempt to auto-login to the AIT-pro.com site using Username: admin and Password: Admin.  In simple terms, this is a POST Brute Force Login attack.

    [403 POST Request: October 5, 2015 - 9:40 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 66.135.41.72
    Host Name: fqdn.profitics.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: http://www.ait-pro.com/wp-login.php
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
    REQUEST BODY: log=admin&pwd=Admin%211&wp-submit=Log%2BIn&testcookie=1

    #3:  This hackerbot is auto-posting POST Request Body data to the Root of the AIT-pro.com hosting account/site in an attempt to force upload a hacker Shell script to the AIT-pro.com hosting account/site. Only a small portion of the Security Log entry (hacker file/code) is shown below.  The entire Security Log entry has captured/logged the entire hacker’s script/file contents and is 86KB in size.  By default the BPS Security Log Limit POST Request Body Data option is set to checked and will not capture/log entire hacker scripts/files/code.  You can capture/log entire hacking scripts if you uncheck the Limit POST Request Body Data checkbox, but that means your log file size could increase dramatically and you could receive more automated Security Log zip file emails. If you are using email security protection on your computer then your zipped Security Log files may be seen as containing a virus (hacker script/code) and they could be automatically deleted by your email protection application on your computer. Your computer security protection software may also see the Security Log file as malicious and block it.  CAUTION: It is possible that your web host may have security protection that sees captured/logged hacker code in your Security Log as a hacker file.  If you do not want to risk your host server taking preventative or restrictive actions on your website/server then be sure to leave the Security Log Limit POST Request Body Data option checkbox checked (default setting: checked) on the BPS Security Log page.  If you are capturing/logging hacker scripts and one of the issues described above occurs you can copy your Security Log file, click the Delete Log button and check the Security Log Limit POST Request Body Data option checkbox to prevent future issues.

    [403 POST Request: October 8, 2015 - 6:15 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 59.60.113.248
    Host Name: 248.113.60.59.broad.pt.fj.dynamic.163data.com.cn
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: http://www.ait-pro.com
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
    REQUEST BODY: --(UploadBoundary)
    Content-Disposition: form-data; name="yiw_contact[]"; filename="web.php"
    Content-Type: text/php
    
    <?php
    
    /**
    * Be sure to include no trailing slash on the path.
    * See http://www.php.net/support.php for more information
    * about PHP manuals and their types.
    */
    
    /* 32bit MD5 */
    $password = "663b489cc6590c7bed9c8bb05e188e16";
    
    define('VERSION','kaylin');
    
    /*Starting*/ $register_key = array /*Registration code*/
    (
    array
    (
    'CQ9jnUNtDTIlpz9lK3WypT9lqTyhMluSK0IFHx9FXGgNnJ5cK3AyqPtaMTympTkurI9ypaWipaZaYPqCMzLaXGgN' ,
    ...
    ...
    ...
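    Added example, not part of this topic and not BPS plugin code: a small Python model of the rule chain above plus a parser for the Security Log entry layout quoted above, so the "check your Security Log for a few days" step can be done with a script instead of by eye. is_blocked evaluates a request the way mod_rewrite evaluates the ANDed RewriteCond lines (every line carries [NC]; a ! pattern is satisfied when it does not match), comment_out shows what putting a # in front of a whitelist line does, and blocked_post_uris counts the 403 POST targets in a log. The sample log entries, the addresses and the /newsletter/ form in it are constructed for this example. One caveat the model makes visible: as written, the dots in patterns such as wp-cron.php are regex wildcards and ^.*/contact/ whitelists every URI that contains /contact/, so whitelist_rule escapes the dots when it builds a new line.

```python
import re
from collections import Counter

# One tuple per RewriteCond line of the BPS POST Request Attack Protection code above,
# in order: (server variable, pattern, negated). The conditions are ANDed, so the
# closing RewriteRule ^(.*)$ - [F] fires only when every one of them holds.
POST_RULES = [
    ("REQUEST_METHOD", r"POST", False),
    ("REQUEST_URI", r"^.*/wp-admin/", True),
    ("REQUEST_URI", r"^.*/wp-cron.php", True),
    ("REQUEST_URI", r"^.*/wp-login.php", True),
    ("HTTP_REFERER", r"^.*/wp-admin/customize.php", True),
    ("REQUEST_URI", r"^.*/xmlrpc.php", True),
    ("REQUEST_URI", r"^.*/wp-json/jetpack/(.*)", True),
    ("REQUEST_URI", r"^.*/wp-signup.php", True),
    ("REQUEST_URI", r"^.*/wp-activate.php", True),
    ("REQUEST_URI", r"^.*/wp-trackback.php", True),
    ("REQUEST_URI", r"^.*/wp-comments-post.php", True),
    ("REQUEST_URI", r"^.*/star-rating-calculator.php", True),
    ("REQUEST_URI", r"^.*/contact/", True),
    ("REQUEST_URI", r"^.*/ipn_handler.php", True),
]


def is_blocked(request, rules=POST_RULES):
    """True when the chain reaches RewriteRule ^(.*)$ - [F]; a missing variable is ""."""
    for var, pattern, negated in rules:
        # [NC] on every line: case-insensitive. Patterns are unanchored unless they
        # start with ^, which re.search reproduces.
        matched = re.search(pattern, request.get(var, ""), re.IGNORECASE) is not None
        # A plain condition fails when the pattern misses, a negated (!) one when it
        # hits; either failure ends the chain and the request is allowed through.
        if matched == negated:
            return False
    return True


def comment_out(rules, needle):
    """The chain without the whitelist line containing `needle`: the effect of
    putting a # in front of that RewriteCond."""
    return [r for r in rules if needle not in r[1]]


def whitelist_rule(path):
    """A RewriteCond line for an extra form or script. Dots are escaped so the
    pattern matches the literal file name rather than any character."""
    return "RewriteCond %{REQUEST_URI} !^.*" + path.replace(".", r"\.") + " [NC]"


# Security Log triage: which POST targets is the chain blocking?
ENTRY_HEADER = re.compile(r"^\[(\d{3}) (\w+) Request: (.+)\]$")


def parse_security_log(text):
    """Split log text into entries and read each entry's 'Field: value' lines,
    stopping at REQUEST BODY, which can run over many lines."""
    entries = []
    for chunk in re.split(r"(?m)^(?=\[\d{3} \w+ Request: )", text):
        lines = chunk.splitlines()
        header = ENTRY_HEADER.match(lines[0]) if lines else None
        if not header:
            continue
        entry = {"status": int(header.group(1)), "method": header.group(2)}
        for line in lines[1:]:
            if line.startswith("REQUEST BODY:"):
                break
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries


def blocked_post_uris(text):
    """Count REQUEST_URI over 403 POST entries: each URI is either an attack target
    or a legitimate form that still needs its own whitelist line."""
    counts = Counter()
    for e in parse_security_log(text):
        if e["status"] == 403 and e["method"] == "POST":
            counts[e.get("REQUEST_URI", "")] += 1
    return counts


# Constructed sample log in the field layout quoted above; addresses and URIs are made up.
SAMPLE_LOG = """\
[403 POST Request: October 9, 2015 - 8:02 am]
REMOTE_ADDR: 192.0.2.10
REQUEST_METHOD: POST
HTTP_REFERER: http://example.com/newsletter/
REQUEST_URI: /newsletter/
REQUEST BODY: email=reader%40example.com&subscribe=1
[403 POST Request: October 9, 2015 - 8:05 am]
REMOTE_ADDR: 198.51.100.7
REQUEST_METHOD: POST
REQUEST_URI: /
REQUEST BODY: --(UploadBoundary)
Content-Disposition: form-data; name="upload"; filename="web.php"
[403 POST Request: October 9, 2015 - 9:41 am]
REQUEST_METHOD: POST
REQUEST_URI: /newsletter/
[403 GET Request: October 9, 2015 - 9:50 am]
REQUEST_METHOD: GET
REQUEST_URI: /wp-config.php
"""

if __name__ == "__main__":
    for uri, n in blocked_post_uris(SAMPLE_LOG).most_common():
        print(f"{n:3d} blocked POSTs to {uri}")
    print(whitelist_rule("/newsletter/"))  # the line to add if /newsletter/ is a real form
```

    Run as a script it lists the blocked POST targets in the sample log. A URI that is a real form on the site (here /newsletter/) is the one that needs a whitelist line added under step 2 above; a target like / with a file upload in the body matches the pattern of Example #3 and should stay blocked.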
    #25672

    Jose
    Participant

    Hi;

    Does this code replace XML-RPC DDoS PROTECTION and XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION bonus code or supplement them?

    Thanks in advance.

    #25673

    AITpro Admin
    Keymaster

    Excellent question and thanks for the reminder to add that information, which was supposed to be added to the main forum topic above.  😉  If someone has JetPack installed or they are using XML-RPC to create remote POSTs then they should leave the whitelist rule for:  RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC] and use the XML-RPC Protection code to protect the xmlrpc.php file.  In general, if someone wants to completely block and capture/log all POST Request Attacks made to XML-RPC then they would only need to use/add the POST Request Attack Protection code above and comment out the xmlrpc.php whitelist rule with a # sign and not add/use the additional XML-RPC Protection code.

    #25675

    AITpro Admin
    Keymaster

    See my additional information added in my reply above.

    #25679

    Jose
    Participant

    And the Hotlink Protection Code should be included before or after this POST Request Attack Protection code above?

    #25680

    AITpro Admin
    Keymaster

    The order of htaccess code in this BPS Root Custom Code text box:  CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE does not matter. There is only 1 Root Custom Code text box where the order of htaccess code is important: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE.

    Technically there is 1 other Root Custom Code text box where the order of Plugin/Theme skip/bypass rules/code is important:  CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES. Plugin/Theme Skip rules need to be in descending order: S=15, S=14, S=13, etc.

    #25681

    Jose
    Participant

    Ok. Thanks again.

    #25771

    popljubo
    Participant

    Hi,

    I don’t have a Network|Multisite, so could I comment out these lines of code with a # sign:
    I’m not a programmer and this is a little bit confusing to me, because those files exist in my WP installation, which is not a multisite and is not even a multi-user site, so I’m asking what will happen if I comment out those lines of code.

    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]

    #25777

    AITpro Admin
    Keymaster

    Yes.  You can safely comment out/block the wp-signup.php and wp-activate.php files/lines of code/whitelist rules since these files are only used on Network/Multisite sites.

    #26039

    Deb
    Participant

    Another scenario: All worked perfectly for completely locking out everything but me using BPSP login protection and the above for post data attack, leaving only the # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON lines open.

    I use the Opera browser to test a not-me IP as it comes in from its own separate ip (in the Security log file it noted the ip was “HTTP_X_FORWARDED_FOR: 50.zz.y.xx” – my real ip address).

    Using Opera http:// all was fine with all domains (got correct 403 errors). BUT when I tried a domain that I only allow https:// secure ssl, Opera put through the wp-login page as normal – no 403?  When I resubmitted without the “s” – it immediately 403’d. All the custom code is identical between sites (except for Allow from domain/server differences).

    When I acid tested with a Tor browser entry on the https:// it did go to a 403 immediately.

    A fluke?  Leave all as is? (real bad guys won’t be using my ip ever.)

    #26040

    AITpro Admin
    Keymaster

    I guess a fluke or some other factor that is not obvious.  The POST Request Attack protection code works the same for http or https POST Requests since the conditional check is for any/all POST Requests made.

    #28192

    Dean A. Batha
    Participant

    If I or another user on my site is using a password service such as Last Pass or Dash Lane, and has it set to “auto login,” to the wp-login.php form, will this code see it as a bot attempting to post login information to the form? If so, then what is the recommended way to allow these services to function for users that employ them?

    #28194

    AITpro Admin
    Keymaster

    Last Pass is known to cause problems.  There are workarounds if you do searches for Last Pass in the forum.

    #28683

    John
    Participant

    I have 2 questions:

    1) Do I still need this code

    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]

    and this code

    RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]

    if I’ve already added the code below?

    # XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # Using this code blocks Pingbacks and Trackbacks on your website.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.

    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    #Allow from x.x.x.
    Deny from all
    </FilesMatch>

    2) Aside from Contact Form 7, I’m running Woocommerce on my site and I’m allowing comments on each single product page, providing that “users must be registered and logged in to comment” (i.e. Settings > Discussion > Other comment settings). Could you please confirm if the whitelisting codes provided above would cover POST Requests to my site (with relevance to Contact Form 7 and Woocommerce comments)?

    Please excuse me for not being a very technical person, hence I need your confirmation.

    Thank you in advance for your reply.

    Best regards,

    #28695

    AITpro Admin
    Keymaster

    That choice is entirely up to you.  You can use both or one or the other.  You would need to check if comments are working or if you are seeing 403 errors logged in your BPS Security Log to determine if comments are being blocked.  I am pretty sure that leaving this line of code below uncommented out without a # sign would allow/not block any commenting functionality in any other plugins.

    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]