Security WAF Custom Rule

Last week I setup custom rules blocking access to urls containing wp-admin and wp-login AND country NE the US.

Apparently some still get thru. I wonder why.

rule 1 (http.request.uri contains “wp-admin” and ip.geoip.country ne “US”)
rule 2 (http.request.uri contains “wp-login” and ip.geoip.country ne “US”)

Wordfence flagged it

Have you secured your origin server against direct requests?

That would WP engine and no I haven’t. I went ahead and created DENY rules there for wp-login and wp-admin

I also don’t fully understand risk/benefit of allowing XML-RPC but seems many of the requests use that so I went ahead denied XML-RPC

I doublechecked I am ok to login and will watch/log for a few days.

1 Like