Zone lockdown still allowing access to restricted URL

Hello

After conducting a hyperlink audit with a tool called screaming frog I become alterted to some unprotected URLS being generated.

What I found.

I found URLS on my site were being generated against the URL names of many recent wordpress posts.

EG.

https://www.techbusinessnews.com.au/wp-login.php?redirect_to=https%3A%2F%2Fwww.techbusinessnews.com.au%2Fnews%2Fmicrosofts-azure-bot-framework-saves-nab-12-million%2F

As you can see. There is post name in that url

I found many of these.

I have both my wp-admin and wp-logon.php URL added to the zone lockdown area and restricted to my IP only. I was alarmed when I found I was able to visit the above URLs with any computer or IP address which took me directly to my wordpress login page.

After this discovery. I have now gone in and created a manual WAF rule to specify (If contains) and used /wp-login.php This stopped the access to these odd generated URLs detected by the screamingfrog seo tool.

My question. Should have the zone lockdown not taken care of this by default?

Update -

Now that I have just added - if contains in manual rule I can now see almosts 40 attempts to access these URLS

Can I ask, why was the zonelock down not blocking these?

What does the rule itself look like?

If you want to block access to wp-login by IP address, it’d be better to use a Firewall Rule for URI Path Contains “wp-login”, and IP Adddress NOT IN (your list).

1 Like

Hi there

Thanks for gettting back to me.

The problem is not with the rule.

The problem is that I actually had to make a rule in the first place because the zone lockdown did not protect these odd URLS. I would have thought it shoud have.

/wp-admin
/wp-logon.php
ect ect

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.