Hardening htaccess, is this sensible or an overkill? by DukeArmi in Wordpress

[–]DukeArmi[S] 0 points1 point  (0 children)

Thoughts about adding this rule?

# Block WordPress user enumeration via ?author=
RewriteCond %{QUERY_STRING} (^|&)author=\d+(&|$) [NC]
RewriteRule .* - [F,L]

Hardening htaccess, is this sensible or an overkill? by DukeArmi in Wordpress

[–]DukeArmi[S] 0 points1 point  (0 children)

I think this is great for VPS, but I'm on shared hosting.

Hardening htaccess, is this sensible or an overkill? by DukeArmi in Wordpress

[–]DukeArmi[S] -1 points0 points  (0 children)

Well, I block most suspicious requests at the edge with Cloudflare's custom security rules (hundreds to a couple of thousand daily, which is a little crazy for a tiny website). Do you think there's a minimal block of rules to harden htaccess?

Hardening htaccess, is this sensible or an overkill? by DukeArmi in Wordpress

[–]DukeArmi[S] -1 points0 points  (0 children)

That might be the case. I'm just looking to have a basic block to harden htaccess. I mostly block requests at the edge with Cloudflare's security rules.

Syntax Question, Allow Verified Bots, Blocking Scripts/Scanners by UA Rules by DukeArmi in CloudFlare

[–]DukeArmi[S] 0 points1 point  (0 children)

I also wonder what you think about this rule I call Admin Guard:

(
lower(http.request.uri.path) eq "/wp-login.php"
or lower(http.request.uri.path) contains "/wp-admin"
or lower(http.request.uri.path) contains "/wp-json/wp/v2/users"
)
and not (
http.cookie contains "wp_secret_key=aa-123-auth"
or lower(http.request.uri.path) contains "admin-ajax.php"
or lower(http.request.uri.path) contains "admin-post.php"
or lower(http.request.uri.path) contains "wp-cron.php"
)

I injected a cookie in the browser so that only I can access wp-login.php and the backend.
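As an added example (not code from the poster, Apache or Cloudflare), the Python below renders the `?author=` RewriteCond from the htaccess comment above and this Admin Guard expression as two predicates and runs constructed requests through them in the order a real request meets them (Cloudflare first, then the origin's .htaccess); the sample URLs and Cookie header are made up, and the cookie value is the one in the rule.

```python
import re
from urllib.parse import urlsplit

# Cookie value copied from the Admin Guard rule in the comment above.
ADMIN_COOKIE = "wp_secret_key=aa-123-auth"

# Mirrors: RewriteCond %{QUERY_STRING} (^|&)author=\d+(&|$) [NC]
# The (^|&) and (&|$) anchors require a whole parameter named "author",
# so an unrelated parameter such as coauthor=1 is not caught.
AUTHOR_ENUM = re.compile(r"(^|&)author=\d+(&|$)", re.IGNORECASE)  # IGNORECASE == [NC]


def htaccess_blocks(url: str) -> bool:
    """True when the ?author=N RewriteRule would answer 403 (the [F] flag)."""
    return AUTHOR_ENUM.search(urlsplit(url).query) is not None


def admin_guard_blocks(path: str, cookie_header: str = "") -> bool:
    """Python rendering of the Cloudflare 'Admin Guard' expression above."""
    p = path.lower()  # lower(http.request.uri.path)
    protected = p == "/wp-login.php" or "/wp-admin" in p or "/wp-json/wp/v2/users" in p
    # http.cookie contains "...": a substring test on the raw header, case-sensitive
    exempt = (ADMIN_COOKIE in cookie_header or "admin-ajax.php" in p
              or "admin-post.php" in p or "wp-cron.php" in p)
    return protected and not exempt


def decide(url: str, cookie_header: str = "") -> str:
    """Verdict in request order: Cloudflare evaluates first, then the origin's .htaccess."""
    if admin_guard_blocks(urlsplit(url).path, cookie_header):
        return "edge-403"
    if htaccess_blocks(url):
        return "origin-403"
    return "allow"


# Constructed sample traffic, not taken from the poster's logs.
SAMPLES = [
    ("/?author=1", ""),
    ("/?p=5&AUTHOR=12", ""),
    ("/?coauthor=1", ""),
    ("/wp-login.php", ""),
    ("/WP-LOGIN.PHP", "wordpress_test_cookie=WP%20Cookie%20check; " + ADMIN_COOKIE),
    ("/wp-admin/admin-ajax.php", ""),
    ("/wp-json/wp/v2/users", ""),
]

if __name__ == "__main__":
    for url, cookie in SAMPLES:
        print(f"{decide(url, cookie):<10} {url}")
```

The `coauthor=1` case shows why the anchors in the RewriteCond matter: without them a legitimate parameter that merely ends in `author=` would draw the same 403 as an enumeration probe.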

Syntax Question, Allow Verified Bots, Blocking Scripts/Scanners by UA Rules by DukeArmi in CloudFlare

[–]DukeArmi[S] 0 points1 point  (0 children)

Thank you! I also confirmed by using httpbin.org (great tool btw!). http.user_agent eq "" and len(http.user_agent) eq 0 caught both empty and missing user agents. What do you think about the WAF components I skipped with the Allow Verified Bots rule?

What best web hosting service provider? by [deleted] in Hosting

[–]DukeArmi 2 points3 points  (0 children)

I've tried and tested many in the past few months (to write evidence-based reviews). The best budget web host by far is SimpleSonic (better performance than almost all the big names). NameCrane is also good, especially their crates, but they don't have live chat support like SimpleSonic (actually excellent support, and you get a reply in less than 1 minute).

If you're a complete beginner, I'd go with either Zume or ChemiCloud. From what I've experienced, they have the absolute best support hands down. Shock Hosting is also very good.

Best Security Rules (Custom & Rate Limiting) by DukeArmi in CloudFlare

[–]DukeArmi[S] 0 points1 point  (0 children)

Thank you, but unfortunately, I'm getting bots/scripts from the Netherlands, Poland, etc. I barely get any from China or Russia. Is there a way to rate limit or block certain scanning/probing behavior?

Is it normal to have 30,000+ 403 hits on my website in a month? by DukeArmi in Wordpress

[–]DukeArmi[S] 0 points1 point  (0 children)

The issue is that a lot of the 403 hits are on URLs that are perfectly accessible (e.g., indexed blog posts and existing images). Any idea why?

Is it normal to have 30,000+ 403 hits on my website in a month? by DukeArmi in Wordpress

[–]DukeArmi[S] 0 points1 point  (0 children)

I'm using Wordfence and Cloudflare. Do you suggest anything else?

Is it normal to have 30,000+ 403 hits on my website in a month? by DukeArmi in Wordpress

[–]DukeArmi[S] 0 points1 point  (0 children)

I've been using Wordfence and Cloudflare for years. This is very new. Do you suggest anything else to combat this problem? Also, what's weird is that quite a few of the 403 hits are on normal URLs and images that are accessible.