Firewall expression to block

Hello, appealing to your knowledge I am consulting you for something that until now I have not been able to solve.
My site doesn’t use WordPress, but logs show hundreds of WP site entries per hour … example: …/wp-includes/wlwmanifest.xml … /.env /blog and much more variants … etc. etc etc…
I have blocked this with the expression: (http.request.uri.path contains "/wp-includes") and so on.
BUT … if the path starts with // the expression doesn’t work even if it contains the word…example: //2020/wp-includes/wlwmanifest.xml
What expression should I use to block routes that start with // ???
Thank you.

How do I check?

I just checked this and:
All routes that start with / are perfectly blocked.
But the ones that start with // are not blocked.

Blocked
/site/wp-includes/wlwmanifest.xml
/wp2/wp-includes/wlwmanifest.xml

Not Blocked
//cms/wp-includes/wlwmanifest.xml
//media/wp-includes/wlwmanifest.xml

With the /wp- it should be blocking but no …

Head into the Rules section of the dashboard and enable Normalize URLs. That should fix it.

Thanks, in that section I only had selected “Normalize incoming URLs”, now I activated what was missing: “Normalize URLs to origin”.
Thanks for your responses and I’ll see …
Thanks.

I’m not sure what the rest of that rule looks like, but I bet it’s important because you don’t want to block everybody from wp- resources.

My website is created with Opencart, no route related to WP interests me.
Thanks, as always!

Now it shows as action taken… JS Challenge. Not blocked…

ADD THIS…
Now it works perfectly because I disabled “Bot Fight Mode”.
The expression used works for paths with “//” when having Bot Fight Mode disabled.
Thanks to all

Hi!!, I have 2 questions…

Question 1:
I have thousands of user agents with this data …
python-requests/2.18.4
python-requests/2.26.0
Python-urllib/3.9
Python-urllib/2.7
Instead of blocking one by one … could I use the expression: (http.user_agent contains "Python") and block in bulk? or is it case sensitive? or must use the full user agent?

Question 2:
It happens to me that thousands of thousands of logs lead to the WP path, my site is not with WP and there are no such paths on my site.
The vast majority blocked them with the following expression:
(http.request.uri.path contains "/wp-")

Others like /admin and /administrator also appear…
Would using the following expression block both at the same time?
(http.request.uri.path contains "/admin") or must be full text…?

The same thing happens to me with /new and /news … /blog and /blogs

I don’t want to generate so many entries in the firewall to make everything more verbose. It would be to abbreviate the terms but to monopolize the great majority.

Any links to learn exactly how to use the expressions?

Thank you very much!!

Q1:
You can catch all the pythons with this:
(lower(http.user_agent) contains "python")

Q2:

Another post today is using that rule successfully, but had to turn on normalization.
So you can do the same with /admin, /new, /blog

You can chain all these together in one big firewall rule with a bunch of OR statements.

More than you can imagine:
https://developers.cloudflare.com/firewall/

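An added example, not part of the thread and not Cloudflare code: a small Python emulation of the combined OR rule suggested above, run over the paths and user agents quoted in the thread plus constructed legitimate URLs, to see what a substring rule catches before deploying it. `normalize_path` is a simplified stand-in that only merges repeated slashes; the function names and the legitimate sample URLs are assumptions.

```python
import re

# Rule being emulated (expression assembled from the ones posted in the thread):
#   (http.request.uri.path contains "/wp-") or
#   (http.request.uri.path contains "/admin") or
#   (http.request.uri.path contains "/new") or
#   (http.request.uri.path contains "/blog") or
#   (lower(http.user_agent) contains "python")
PATH_NEEDLES = ("/wp-", "/admin", "/new", "/blog")
UA_NEEDLE = "python"

def normalize_path(path):
    """Simplified stand-in for URL normalization: merge repeated slashes only."""
    return re.sub(r"/{2,}", "/", path)

def rule_matches(path, user_agent, normalize=True):
    """Return the reason the emulated rule would fire, or None."""
    if normalize:
        path = normalize_path(path)
    for needle in PATH_NEEDLES:
        if needle in path:  # "contains" is a case-sensitive substring test
            return "path:" + needle
    if UA_NEEDLE in user_agent.lower():  # lower() makes the UA test case-insensitive
        return "ua:" + UA_NEEDLE
    return None

# Constructed sample requests: paths and user agents quoted in the thread,
# plus hypothetical legitimate store URLs to expose false positives.
SAMPLES = [
    ("/site/wp-includes/wlwmanifest.xml", "Mozilla/5.0"),
    ("//cms/wp-includes/wlwmanifest.xml", "Mozilla/5.0"),
    ("/administrator", "Mozilla/5.0"),
    ("/blogs", "Mozilla/5.0"),
    ("/", "python-requests/2.26.0"),
    ("/", "Python-urllib/3.9"),
    ("/newsletter/signup", "Mozilla/5.0"),  # hypothetical real page, still matched
    ("/admin/index.php", "Mozilla/5.0"),    # hypothetical store back office, matched
    ("/index.php", "Mozilla/5.0"),          # hypothetical storefront page, passes
]

def report(samples=SAMPLES):
    """Evaluate every sample and return (path, user_agent, reason) tuples."""
    return [(p, ua, rule_matches(p, ua)) for p, ua in samples]

if __name__ == "__main__":
    for path, ua, reason in report():
        print(f"{'BLOCK' if reason else 'pass':5} {reason or '-':12} {path}  [{ua}]")
```

Because `contains` is a substring test, "/admin" also covers /administrator and "/new" also covers /news, but the same rule catches any legitimate path that includes those strings. OpenCart's default admin directory is /admin, so a rule containing "/admin" needs an exception for the store's own back office unless that directory has been renamed.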