Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save tripflex/1bf576f4d73f13edd42e to your computer and use it in GitHub Desktop.
Save tripflex/1bf576f4d73f13edd42e to your computer and use it in GitHub Desktop.
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyLimitAction ProcessPartial
SecResponseBodyMimeType text/xml
<FilesMatch "xmlrpc.php">
# Block brute force attempts using xmlrpc.php as the vector
# Increment our counter when the xmlrpc API indicates a failure
SecRule REQUEST_BODY "wp\.getUsersBlogs" "id:13504,deny,chain,status:406,\
phase:4,t:none,t:urlDecode,chain,deny,\
msg:'xmlrpc.php call failures triggered temporary block'"
SecRule RESOURCE:xmlrpc_bf_block "@gt 0"
SecRule RESPONSE_BODY "faultString" "id:13505,nolog,\
phase:4,t:none,t:urlDecode,\
setvar:RESOURCE.xmlrpc_bf_counter=+1,\
deprecatevar:RESOURCE.xmlrpc_bf_counter=1/300"
SecRule RESOURCE:xmlrpc_bf_counter "@gt 2" "id:13506,nolog,\
setvar:RESOURCE.xmlrpc_bf_block=1,\
expirevar:RESOURCE.xmlrpc_bf_block=900,\
setvar:RESOURCE.xmlrpc_bf_counter=0"
</FilesMatch>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment