4 must-have firewall rules for WordPress

Jun 11, 2020 articles, code, wordpress

Bots scan every server, whether or not it runs WordPress, but if you do run WordPress these four rules block the most common automated attacks and save server bandwidth.

First, rename your login URL. A plugin will handle this for you; I recommend iThemes Security (its Hide Backend feature does the renaming), and the free version works fine.

Second, sign up for Cloudflare and put your domain behind it. Again, the free account works fine here.

Once both are set up and configured, go to the Firewall Rules page in your Cloudflare dashboard. The free plan gives you five rules, so the four below fit with one to spare.

Block xmlrpc.php. Most sites never need it, but if you use an app or plugin that talks to it, adjust this rule to allow that client's IP address instead of dropping the rule.

(http.request.uri.path contains "xmlrpc.php")

Block the standard login page (safe now that your real login URL is different; the itsec-hb-token check keeps the renamed URL working, since iThemes redirects it to wp-login.php with that token in the query string).

(http.request.uri.path eq "/wp-login.php" and not http.request.uri.query contains "itsec-hb-token")

Block remote comment posts, i.e. POSTs to wp-comments-post.php that did not come from a page on your site (change webbernaut.com to your domain). The Referer header is set by the client, so this stops spam bots that skip it rather than a determined attacker, and it will also block real visitors whose browser or Referrer-Policy strips the Referer.

(http.request.uri.path eq "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "webbernaut.com")

Block plugin scans, i.e. direct requests into /wp-content/plugins/ that were not loaded from one of your own pages and do not come from a Cloudflare-verified bot such as a search crawler (change yourdomain.com to your domain).

(http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "yourdomain.com" and not cf.client.bot)
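To see exactly what each expression lets through and what it blocks, here is an added Python simulator (written for this edit, not code from the post or from Cloudflare) that re-implements the handful of operators the four rules use (eq, contains, and/not, and a stand-in for cf.client.bot) and runs them over constructed sample requests. The domain yourdomain.com, the sample paths and the Referer values are assumptions.

```python
from dataclasses import dataclass

# Assumption: your site's domain, as substituted into the two referer checks.
SITE = "yourdomain.com"


@dataclass
class Request:
    """The handful of request fields the four expressions read."""
    path: str                 # http.request.uri.path
    method: str = "GET"       # http.request.method
    query: str = ""           # http.request.uri.query (without the '?')
    referer: str = ""         # http.referer; "" when no header was sent
    known_bot: bool = False   # stands in for cf.client.bot (Cloudflare-verified bot)


# Each function mirrors one expression from the post; True means "block".
def block_xmlrpc(r: Request) -> bool:
    # (http.request.uri.path contains "xmlrpc.php")
    return "xmlrpc.php" in r.path


def block_login_page(r: Request) -> bool:
    # (http.request.uri.path eq "/wp-login.php"
    #  and not http.request.uri.query contains "itsec-hb-token")
    return r.path == "/wp-login.php" and "itsec-hb-token" not in r.query


def block_remote_comments(r: Request) -> bool:
    # (http.request.uri.path eq "/wp-comments-post.php"
    #  and http.request.method eq "POST" and not http.referer contains SITE)
    return (r.path == "/wp-comments-post.php"
            and r.method == "POST"
            and SITE not in r.referer)


def block_plugin_scans(r: Request) -> bool:
    # (http.request.uri.path contains "/wp-content/plugins/"
    #  and not http.referer contains SITE and not cf.client.bot)
    return ("/wp-content/plugins/" in r.path
            and SITE not in r.referer
            and not r.known_bot)


RULES = [
    ("xmlrpc", block_xmlrpc),
    ("login page", block_login_page),
    ("remote comments", block_remote_comments),
    ("plugin scans", block_plugin_scans),
]


def evaluate(r: Request):
    """Return the name of the first rule that blocks r, or None if it passes."""
    for name, rule in RULES:
        if rule(r):
            return name
    return None


# Constructed sample traffic: what scanners send next to what real visitors send.
SAMPLES = [
    ("pingback/brute-force bot",     Request("/xmlrpc.php", "POST")),
    ("bot at old login URL",         Request("/wp-login.php", "POST")),
    ("you, via the renamed URL",     Request("/wp-login.php", query="itsec-hb-token=abc123")),
    ("spam bot, no Referer",         Request("/wp-comments-post.php", "POST")),
    ("visitor commenting",           Request("/wp-comments-post.php", "POST",
                                             referer=f"https://{SITE}/hello-world/")),
    ("plugin enumeration",           Request("/wp-content/plugins/akismet/readme.txt")),
    ("browser loading plugin CSS",   Request("/wp-content/plugins/akismet/style.css",
                                             referer=f"https://{SITE}/")),
    ("search engine crawler",        Request("/wp-content/plugins/akismet/style.css",
                                             known_bot=True)),
    # The two cases below show the limits of the expressions, not bugs in the simulator.
    ("attacker with forged Referer", Request("/wp-comments-post.php", "POST",
                                             referer=f"https://evil.example/?{SITE}")),
    ("login with trailing slash",    Request("/wp-login.php/", "POST")),
]


def report():
    """Evaluate every sample; returns {label: verdict} for inspection or tests."""
    return {label: (evaluate(r) or "pass") for label, r in SAMPLES}


if __name__ == "__main__":
    for label, verdict in report().items():
        print(f"{label:32s} -> {verdict}")
```

The last two samples are the ones to take away. contains is a plain substring test, so a bot that sets any Referer with your domain somewhere in it passes the comment and plugin rules; these rules cut noise from lazy scanners, not determined attackers. And eq "/wp-login.php" does not match /wp-login.php/; if your web server still serves the login page for that path, write the login rule with contains "/wp-login.php", the way the xmlrpc rule already does.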