waf4wordpress
WAF for WordPress 🔥 with 60+ security checks and weekly updates
```php
add_action( 'comment_post', array( $this, 'comment_spam' ), 10, 2 );
add_action( 'wp_set_comment_status', array( $this, 'comment_spam' ), 10, 2 );
add_filter( 'xmlrpc_pingback_error', array( $this, 'xmlrpc_pingback_error' ), 1 );
```

https://github.com/thebrandonallen/wp-fail2ban-redux/blob/develop/wp-fail2ban-redux/classes/class-wp-fail2ban-redux.php#L99
- [ ] **robots & errors in /wp-comments-post.php (as in block-bad-requests.inc)**
- [ ] non-attack 404: `logsearch.sh -e wpf2b_404|sed -ne 's|.*wpf2b_404 (s:[0-9]\+:"\([^"]*\)";).*|\1|p'|grep -vx "/[a-z/-]\+/\|.*\.jpg"|sort` + non-ascii post slugs
- [...
- [ ] How to restrict AJAX content type?
- [ ] Block CDN attacks by what method?
- [ ] order of headers to identify attackers
- [ ]...
https://github.com/10up/10up-experience/blob/develop/includes/classes/Authentication/Usernames.php#L56
`"Transfer-Encoding": "chunked"` `bad_request_post_content_length` https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Transfer-Encoding#directives
```php
// FIXME Allow transfer encoded requests
if ( ! empty( $_SERVER['TRANSFER_ENCODING'] ) ) {
    return false;
}
```

> [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) disallows all uses of the Transfer-Encoding header other than the HTTP/2 specific: "trailers".

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Transfer-Encoding
? https://developer.wordpress.org/reference/functions/rest_do_request/