I have recently been scanning over my logs and doing my best to harden up my WordPress install.
I just discovered something of interest and something I thought I should not really be seeing.
While watching my live (local security) Wordfence logs, I am discovering some hits to a URL I was quite sure should not actually be reachable because of a “Contains” WAF rule.
In my live local logs I just discovered, while watching them, the following:
I was surprised to see such a request reach my local site logs while I am not showing any activity on the following WAF rule, as it should be blocking these using “contains”.
Sure, because your ands require the path to contain all these values, which is unlikely and also not the case here. You need or instead; however, make sure that it is properly placed, in particular because of your IP address. So you can’t just replace them; make sure the expression is properly formatted.
For example (path or path or path or path) and ip not.
But again, the documentation should have most on that as well as the search.
I am not really sure of anything you said to be honest
From my understanding, if it was “equals” of course it won't work. However, using “contains”, from my understanding, anything that contains /wp-login.php should get blocked.
The reason I find the information you provided very conflicting is due to this, and why I thought this should have been working just fine.
(http.host contains “mydomain.com” and not cf.edge.server_port in {80 443}) or (http.request.uri.path contains “cpanel” and ip.src ne x.x.x.x) or (http.host contains “cpanel.domain.tld” and ip.src ne x.x.x.x
Using the rule above for something else I have actually totally blocks an article URL I have on my site that contains the word cpanel in the URL. It is there to block people from getting to my cPanel via the standard cPanel port number on the end of cPanel-hosted domains.
It contains. “Contains”
.cpanel-and-the-file-transfer-protocol-ftp/
So this is why I say the info provided and the “contains” rule seem to do conflicting things as per the documentation.
So if “Contains” is blocking a WordPress post that I have on my site about cPanel, and the word cpanel is in the URL, then I would have thought that using “Contains” would also be blocking anything that contains wp-login.php.
I am sorry, but I really can’t follow what you just said. Where does the host or the proxy port come in in any of that?
We were talking about your expression and that you cannot use ands because this defines an expression, which cannot evaluate to true with your requests. The obvious solution is to fix this and use the proper ors instead, which is what I mentioned.
Again, please do pay attention to the documentation as that is all explained there as well, in particular precedence, which you will also have to use because of your IP restriction.
The expression you posted with the port is very different and follows a completely different approach. There, and works; in yours it does not, I am afraid.
Your current rule says: if the URL contains foo AND the URL contains bar AND the URL contains another thing AND the source IP address is not x.x.x.x. All of those ANDs can’t be true… well, they can be, but you’re expecting them singularly to be true, which is why, as @sandro mentioned, they should be ORs.
Regex can be complicated even when people understand how regex works. There are online regex testers where you can use a sample string to see if your rule matches a particular phrase/string. It’s probably best to use one of those to validate the logic of your expression is correct before implementing a rule.
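To make the and/or point concrete, here is a small Python evaluator for the subset of the rule language used in this thread (`contains`, `eq`, `ne`, `in {...}`, `and`, `or`, `not`, parentheses), with conventional boolean precedence: `not` binds tightest, then `and`, then `or`. It is an added example written for this page, not code from the thread or from Cloudflare, and it only models the behaviour the replies describe. The field names (`http.request.uri.path`, `ip.src`, `http.host`, `cf.edge.server_port`) are the ones quoted above; the request dicts, the pairing of `/wp-login.php` with `cpanel` as the two paths, and the IP addresses are constructed placeholders.

```python
import re

# Tokens for the subset of the rule language seen in the thread: quoted strings,
# dotted field names and keywords, numbers or IP literals, parentheses and set
# braces. Curly quotes from forum pastes are normalised to straight ones.
TOKEN_RE = re.compile(r'(?P<str>"[^"]*")|(?P<word>[A-Za-z_][\w.]*)'
                      r'|(?P<num>\d[\w.]*)|(?P<punct>[(){}])|(?P<ws>\s+)|(?P<bad>.)')

def tokenize(expr):
    tokens = []
    for m in TOKEN_RE.finditer(expr.replace('\u201c', '"').replace('\u201d', '"')):
        if m.lastgroup == 'bad':
            raise ValueError(f"unexpected character {m.group()!r}")
        if m.lastgroup != 'ws':
            text = m.group()[1:-1] if m.lastgroup == 'str' else m.group()
            tokens.append((m.lastgroup, text))
    return tokens

class Parser:
    """Recursive descent; precedence from tightest to loosest: not, and, or."""
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, expected=None):
        kind, text = self.peek()
        if kind is None or (expected is not None and text != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {text!r}")
        self.i += 1
        return text
    def parse(self):
        node = self.parse_or()
        if self.peek()[0] is not None:
            raise ValueError(f"trailing input at {self.peek()[1]!r}")
        return node
    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ('word', 'or'):
            self.take()
            node = ('or', node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_not()
        while self.peek() == ('word', 'and'):
            self.take()
            node = ('and', node, self.parse_not())
        return node
    def parse_not(self):
        if self.peek() == ('word', 'not'):
            self.take()
            return ('not', self.parse_not())
        return self.parse_primary()
    def parse_primary(self):
        if self.peek() == ('punct', '('):
            self.take('(')
            node = self.parse_or()
            self.take(')')
            return node
        field, op = self.take(), self.take()
        if op == 'in':                       # field in {v1 v2 ...}
            self.take('{')
            values = set()
            while self.peek() != ('punct', '}'):
                values.add(self.take())
            self.take('}')
            return ('cmp', field, op, values)
        return ('cmp', field, op, self.take())

# Comparison operators; request field values are compared as text so that an
# integer port and a numeric literal line up.
OPS = {'contains': lambda actual, v: v in actual, 'eq': lambda actual, v: actual == v,
       'ne': lambda actual, v: actual != v, 'in': lambda actual, v: actual in v}

def evaluate(node, req):
    if node[0] == 'or':
        return evaluate(node[1], req) or evaluate(node[2], req)
    if node[0] == 'and':
        return evaluate(node[1], req) and evaluate(node[2], req)
    if node[0] == 'not':
        return not evaluate(node[1], req)
    _, field, op, value = node
    if op not in OPS:
        raise ValueError(f"unsupported operator {op!r}")
    return OPS[op](str(req.get(field, '')), value)

def matches(expr, req):
    """True when the rule expression fires for the request (a dict of field values)."""
    return evaluate(Parser(expr).parse(), req)

# Constructed requests (RFC 5737 documentation addresses), not the poster's logs.
LOGIN_FROM_STRANGER = {'http.request.uri.path': '/wp-login.php', 'ip.src': '203.0.113.9'}
LOGIN_FROM_ADMIN = {'http.request.uri.path': '/wp-login.php', 'ip.src': '198.51.100.7'}
ARTICLE = {'http.request.uri.path': '/cpanel-and-the-file-transfer-protocol-ftp/',
           'ip.src': '203.0.113.9'}

# The same two paths joined three ways; 198.51.100.7 stands in for the site owner's IP.
AND_RULE = ('http.request.uri.path contains "/wp-login.php" '
            'and http.request.uri.path contains "cpanel" and ip.src ne 198.51.100.7')
OR_RULE = ('(http.request.uri.path contains "/wp-login.php" '
           'or http.request.uri.path contains "cpanel") and ip.src ne 198.51.100.7')
UNGROUPED_RULE = ('http.request.uri.path contains "/wp-login.php" '
                  'or http.request.uri.path contains "cpanel" and ip.src ne 198.51.100.7')

if __name__ == '__main__':
    for name, rule in (('and', AND_RULE), ('or', OR_RULE), ('ungrouped', UNGROUPED_RULE)):
        print(name, [matches(rule, r) for r in (LOGIN_FROM_STRANGER, LOGIN_FROM_ADMIN, ARTICLE)])
```

Running it shows the three outcomes the replies describe: the all-`and` rule never fires for a `/wp-login.php` request because one path cannot contain both strings; the grouped `(... or ...) and ip.src ne ...` form fires for the stranger and exempts the owner's IP; and the ungrouped form, because `and` binds tighter than `or`, attaches the IP exemption only to the `cpanel` branch and blocks the owner's own login too. The article URL from the thread also trips the `or` rule, which is exactly the `contains "cpanel"` side effect reported above.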
But seriously, I am not sure where regular expressions came in, but, @matthew.giannelis, I am sorry I’d strongly advise you stay away from regular expressions for the time being, if you are not even familiar with fundamental boolean logic. Regular expressions are quite handy and can be beautiful, but it takes experience and if you are confused by basic boolean operators, they will certainly not contribute to further clarity. Also, they are not available on Pro plans.