POST Request Protection|POST Attack Protection|POST Request Blocker

[Johnny]

Hi,

I have Wordfence enabled as well (everything except login security) and I recently found this in my BPS security log after enabling the post-request blocking additional code:

[403 POST Request: March 15, 2017 10:44 am]
BPS: .54.5
WP: 4.7.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 69.46.36.20
Host Name: noc4.wordfence.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /?_wfsf=detectProxy
QUERY_STRING: 
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.82 Safari/537.1
REQUEST BODY: ips%5B0%5D=69.46.36.20&nonce=cce20c75fd9186a85d4febaa1102be4e4bbe812e547e4783c95312c5f7c18caa

It seems to be from Wordfence. Is there any information about what this could be, and if so what should be done about it? Thanks!

[AITpro Admin]

@ Johnny – Probably a Query String whitelist rule is what is needed.

# Whitelist Wordfence POST Request by Query String
RewriteCond %{QUERY_STRING} !^_wfsf=(.*) [NC]

[Rami M]

If I want to block out all post attacks, and have no JetPack or anything to allow, should the code be like this?

# BPS POST Request Attack Protection
# RewriteCond %{REQUEST_METHOD} POST [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
# Whitelist WP JSON POST Requests by Query String
#RewriteCond %{QUERY_STRING} !^_locale=(.*) [NC]
# Whitelist the WordPress Theme Customizer
#RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
# RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
# Whitelist Jetpack JSON POST Request
# RewriteCond %{REQUEST_URI} !^.*/wp-json/jetpack/(.*) [NC]
# Whitelist Network|Multisite Signup POST Form Requests
# RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
# Whitelist Network|Multisite Activate POST Form Requests
# RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
# Whitelist Trackback POST Requests
# RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
# Whitelist Comments POST Form Requests
# RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
# Example 1: Whitelist Star Rating Calculator POST Form Requests
# RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
# Example 2: Whitelist Contact Form POST Requests
# RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
# Example 3: Whitelist PayPal IPN API Script POST Requests
#RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
RewriteRule ^(.*)$ - [F]

[AITpro Admin]

You do not want to comment out this line of the code: # RewriteCond %{REQUEST_METHOD} POST [NC] – This is the condition that checks if the Request Method is a POST Request.  Other changes to your code may cause problems for other things (WordPress, Plugins and Themes).  So check your Security Log frequently for things that are blocked that you do not want blocked.

[Author]

Posts