How to block wordpress search results?

As title. I want to protect my website from ddos attack and so I want to block every access to urls like: domain/?s=*
where * is whatever term the attacker may use.

So I want to ask if this is correct:
URI → is equal to → /?s=*

tl;dr does the * works for what I’m trying to achieve or should I use something else?

Thank you

As long as there aren’t other query strings that end with an ‘s’, then this Firewall Rule should work:

(http.request.uri.query contains "s=")

2 Likes

Thanks

1 Like

I have a query that has status= in it and it’s blocked

Add another condition in that rule for AND URI Query String does not contain “status”

2 Likes

He is targeting the search form right now but somehow he is bypassing the cloudflare Firewall. Any idea what I could do?

For the firewall to be effective, your server needs to block any requests not coming from the cloudflare.com/ips list.

1 Like

Hello, I’m getting ddossed right now and he is targeting the search function of wordpress. The weird thing is, I blocked every request from the cloudflare firewall but (How to block wordpress search results? - #4 by jeansureau98)
but somehow he is bypassing it. Any idea why?

I followed this tutorial: Using IPTABLES to Require CloudFlare for All HTTP/HTTPS Traffic
But doesn’t work

The best way to test this is to try this from command line on your home computer:

curl -svo /dev/null https://example.com --connect-to ::123.123.123.123 (but use your server’s real IP address).

It should block your request since you’re going direct.

1 Like

I get a failed to connect: connection timed out

But after that, I can see on my log that some traffic is still accessing my website and doing the search ddos.
I tried both enabling the under attack mode, setup the firewall on cloudflare to block that search request, I disabled the search function within wordpress, now it shows a 404 page instead, enabling the bot fighting, but nothing, they can still access my site and doing the research and bring down my vps

For example as I said yesterday I blocked the whole noth america continent, so how can this IP 207.244.227.169
still access and make the research?

Try enabling URL Normalization:

1 Like

Just done.
Didn’t stop them.
They keep pushing the same url and bringing my vps down

Try something like this for now:
(http.request.uri.path eq "/" and not http.request.uri.query contains "status")

That should block all searches. It’ll probably block some other stuff, but it may help track down how they’re getting around the firewall.

1 Like

This worked, thank you! In the meanwhile I also upgraded to the pro plan.
Now what to do next? Since this is a temporary solution since may block something else?
Also this is the third attack in 24 hours under different targets on my website (all through HTTP(s)), So I expect more maybe

(also I’m time limited to reply on the forum)

Now take a closer look at the search queries that have been blocked. It should show you the query string that wasn’t being blocked by our “s=” attempt, or…hopefully…something else they all have in common.

2 Likes

My bad. Thanks.
I think I noticed now and apparently this may have been my mistake.
I blocked this query string initially: /?s

While after double checking now, you told me to block ?s

Indeed the query string that is blocked with the / URI now, all start the query string with ?s and not with /?s

Can you confirm me this little missed detail allowed them to bypass the firewall?

The query string should be: s=
The question mark itself means that the stuff after that is the query string.

2 Likes

Hello, this is lasting from 12 hours now. Will this ever stop? Also on the firewall on the top events by path, the most hit path is / how is this possible since every request is a uri string search?