How to block /wp- related url requests?

Hello,

The usual script kiddies running long lists with requests to /wp- urls, see two examples:
\wp-includes
\wp-content

There are many, many, many variations of these “\wp-…” urls they are trying.

I want to block EVERYTHING that is “\wp-…” related but I could not find how to use variables in such a string?
Do I need to select URL Path in WAF and can I use something like this as the Value: \wp-*
Please let me know the correct WAF statement for Field and Value.

Custom WAF Rules do not support wildcard characters. I just use something like this without any issues:


You could block .php the same way as well to cover a bit more.

If you wanted to more strictly match just paths that start with /wp-, you can click “Edit Expression” and pop into the custom expression editor, and use something like:
(starts_with(lower(http.request.uri.path), "/wp-"))
or a case-insensitive contains on wp-:
(lower(http.request.uri.path) contains "wp-")
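
To see how the two expressions above differ before choosing one, here is an added Python example (not part of the reply, and not Cloudflare's code) that re-implements their semantics and runs them over a constructed sample of request lines; the paths are invented, and the functions mirror the Rules language operators only as far as lower(), starts_with() and contains are concerned.

```python
"""Compare the two WAF path expressions from the reply on sample requests.

Mirrors:  starts_with(lower(http.request.uri.path), "/wp-")
    and:  lower(http.request.uri.path) contains "wp-"
The sample requests below are constructed, not captured traffic.
"""

from urllib.parse import urlsplit

# Constructed request lines in access-log style (method, target, version).
SAMPLE_REQUESTS = [
    "GET /wp-includes/wlwmanifest.xml HTTP/1.1",
    "GET /WP-Content/plugins/foo/readme.txt HTTP/1.1",
    "GET /blog/wp-login.php HTTP/1.1",        # WordPress under a sub-path
    "GET /docs/swp-guide.html HTTP/1.1",      # legitimate path containing "wp-"
    "GET /index.html HTTP/1.1",
    "GET /wp-admin/?redirect=/ HTTP/1.1",     # query string is not part of uri.path
]


def request_path(line):
    """Return the URI path without query string, like http.request.uri.path."""
    target = line.split(" ", 2)[1]
    return urlsplit(target).path


def starts_with_wp(path):
    """starts_with(lower(http.request.uri.path), "/wp-")"""
    return path.lower().startswith("/wp-")


def contains_wp(path):
    """lower(http.request.uri.path) contains "wp-" """
    return "wp-" in path.lower()


def compare(lines):
    """Map each sample path to the verdict of both expressions."""
    return {request_path(l): {"starts_with": starts_with_wp(request_path(l)),
                              "contains": contains_wp(request_path(l))}
            for l in lines}


def contains_only(lines):
    """Paths the broader 'contains' rule blocks that 'starts_with' lets through.

    Review this list for false positives before deploying the broader rule.
    """
    return sorted(p for p, v in compare(lines).items()
                  if v["contains"] and not v["starts_with"])


if __name__ == "__main__":
    for path, verdict in compare(SAMPLE_REQUESTS).items():
        print(f"{path:40} starts_with={verdict['starts_with']!s:5} contains={verdict['contains']}")
    print("blocked only by contains:", contains_only(SAMPLE_REQUESTS))
```

Running it shows that the contains form also catches WordPress installed under a sub-path, but would block an unrelated path such as /docs/swp-guide.html, while the starts_with form does neither.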
