Blocking with Firewall Rules

I am not sure if I am doing this right. The entry at the bottom doesn’t seem to be working.

Hi @HokeyDokey,

You should change the expression to URI Path contains //.
URI Path equals *//* will match paths that are exactly *//* - not paths containing //.

Thank you for your reply. So, for example, with the URI path being ‘//’, would this block //xmlrpc.php? Or should I use something else, like URI query string with //? A double // is when most of my attacks occur, and would blocking this interfere in any way with WordPress?

Add OR with below to your existing Firewall Rule if you want to block HTTP requests to the WordPress XML-RPC (usually known for DDoS, etc.):

  • or (http.request.uri.path contains "xmlrpc.php")

With which // would you like to catch what exactly? Before http(s) or something after yourdomain.com - like if someone runs penetration testing so it tests something using double slash // in the URL?

Should this be normalized at Cloudflare or the origin, or do you want to block requests which contain any // or ../ part after the https://yourdomain.com/now-here//-something, etc.?

Regarding WordPress Firewall Rules & Security, may I suggest:

That is correct, fritex. When pen testing or attacks are being performed, I see two forward slashes (//) after the domain name (e.g., domainname.com // (url authors usually or xmlrpc.php)). I just want to block the // double forward slashes.

May I ask, are you only testing Web-related things, or even doing port scanning?

In case if needed for some more information:

Therefore, you would have to use http.request.full_uri in your Firewall Rule like the example from below:

(http.request.full_uri contains "https://www.youurdomain.com//xmlrpc.php")

The above rule would block https://www.youurdomain.com//xmlrpc.php, but it’s not as secure as possible (at least from my point of view) as far as it would still be available to request the https://www.youurdomain.com//xmlrpc.php due to the URL normalization.

So, even combine the above example + if uri.path contains xmlrpc.php to cover and block both examples.

One final example (combined) - if I understood correctly what you want to achieve:

(http.request.full_uri contains "https://www.youurdomain.com//") or (http.request.uri.path contains "xmlrpc.php")

There is also a solution to use Cloudflare Workers, if you are interested in it.

Furthermore, if you are using some paid Cloudflare plan, like for example the Pro plan, which offers Managed WAF Rules, there you can enable the Managed WAF rule with the ID 100053 to achieve this too.

Otherwise, using regular expressions which only work on a Business Plan as far as I know.
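
The difference between `equals` and `contains` on the path, and why a bare `//` test against the full URI is too broad, shown as an added example (not code from any poster in this thread or from Cloudflare). It is a plain JavaScript model, not the rules engine: the helper functions and www.example.com are constructed, and the slash-merging `normalizePath` is an assumption about what URL normalization does.

```javascript
// Added example. Field names are the ones used in the thread; the helpers
// (normalizePath, fields, matches) and www.example.com are constructed.
const ops = {
  equals: (field, value) => field === value,
  contains: (field, value) => field.includes(value),
};

// Assumption: normalization merges runs of slashes in the path.
const normalizePath = (path) => path.replace(/\/{2,}/g, "/");

// Build the two fields a rule sees for one request URL.
function fields(urlString, normalized = false) {
  const u = new URL(urlString);
  const path = normalized ? normalizePath(u.pathname) : u.pathname;
  return {
    "http.request.uri.path": path,
    "http.request.full_uri": `${u.protocol}//${u.host}${path}${u.search}`,
  };
}

// A rule is a list of [field, operator, value] clauses joined with "or".
function matches(rule, urlString, normalized = false) {
  const f = fields(urlString, normalized);
  return rule.some(([name, op, value]) => ops[op](f[name], value));
}

const PATH = "http.request.uri.path";
const FULL = "http.request.full_uri";
const rules = {
  pathEquals: [[PATH, "equals", "//"]],      // only the exact path "//"
  pathContains: [[PATH, "contains", "//"]],  // any path with a double slash
  fullUriBare: [[FULL, "contains", "//"]],   // also hits the "//" after the scheme
  combined: [[FULL, "contains", "https://www.example.com//"], [PATH, "contains", "xmlrpc.php"]],
};

const samples = [ // constructed sample URLs
  "https://www.example.com//xmlrpc.php",
  "https://www.example.com//?author=1",
  "https://www.example.com/xmlrpc.php",
  "https://www.example.com/wp-login.php",
];

for (const url of samples) {
  for (const [name, rule] of Object.entries(rules)) {
    console.log(url, name, matches(rule, url), "normalized:", matches(rule, url, true));
  }
}
```

The `normalized` column shows which clauses stop matching once repeated slashes have been merged before the rule is evaluated, which is why the combined rule keeps a separate `xmlrpc.php` clause.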
