typo's

README.md

@@ -1,10 +1,10 @@
-# Wordpress-hardening-plugin
+# Wordpress-hardening-plugin / modsecurity (CRS4.0+)
 ![Integration tests](https://github.com/eilandert/wordpress-hardening-plugin/actions/workflows/integration.yml/badge.svg) ![Integration tests](https://github.com/eilandert/wordpress-hardening-plugin/actions/workflows/lint.yml/badge.svg)
 
 This plugin contains extra rules to enhance the security of wordpress installations with the OWASP Core Rule Set.
 It's encouraged to install the wordpress-exclusions-rules-plugin as well, as we only add extra blocks in this plugin.
 
-The idea is to enhance the security of WordPress while minimizing the impact on PHP/SQL performance and eliminating the need for additional security plugins without interfering with wordpress or owasp.
+The idea is to enhance the security of WordPress while minimizing the impact on PHP/SQL performance and eliminating the need for additional wordpress security plugins without interfering with wordpress or owasp.
 
 What this plugin does so far:
 - Block xmlrpc.php access (configurable, default: block) (PL1)
@@ -19,15 +19,15 @@ What this plugin does so far:
 - Block nasty files in uploads/* (PL1)
 - Block access to sensitive files like .db/.orig/.sql/.log/.git (PL1)
 - Block access to "/wp-json" (exact match, the api still works) (PL1)
-- Block inclusion attacks on index.php (PL2)
 
 Raincheck list:
 - wp-login.php, lock out ip after $x failures for $y time (configurable)
+= wp-login.php, add geoip option
 - whitelist server ip to access the blocked wp-cron/wp-json/xmlrpc paths
 
 ## Requirements
 - CRS Version 4.0 or newer
-- ModSecurity compatoble Web Application Firewall
+- ModSecurity compatible Web Application Firewall
 
 ## How to install the plugin
 

plugins/wordpress-hardening-before.conf

@@ -8,8 +8,8 @@
 # ------------------------------------------------------------------------
 
 # OWASP CRS Plugin
-# Plugin name: template-plugin
-# Plugin description: Example plugin. Use and adopt this for your own plugins.
+# Plugin name: wordpress-hardering-plugin
+# Plugin description: harden wordpress, minimize php/sql impact
 # Rule ID block base: 9,522,000-9,522,999
 # Plugin version: 1.0.0
 
@@ -57,7 +57,6 @@ SecRule &TX:wphard.block_wpcron "@eq 0" \
   setvar:tx.wphard.block_wpcron=0"
 
 # Check if xmlrpc should be blocked and if not, skip. 
-# (regression test on default)
 SecRule &TX:wphard.block_xmlrpc "@eq 0" \
   "id:9522101,\
   phase:2,\
@@ -73,6 +72,7 @@ SecRule REQUEST_FILENAME "^/xmlrpc\.php" \
   t:lowercase,t:normalizePath,t:trim,\
   tag:'wordpress',\
   tag:'xmlrpc',\
+  tag:'paranoia-level/1',\
   accuracy:'9',\
   maturity:'1',\
   severity:'NOTICE',\
@@ -86,7 +86,6 @@ SecRule REQUEST_FILENAME "^/xmlrpc\.php" \
 SecMarker "END_WPHARD_XMLRPC"
 
 # check if user enumaration should be blocked and if not, skip
-# (regression test on default)
 SecRule TX:wphard.block_user_enumeration "@eq 0" \
   "phase:2,\
   id:9522103,\
@@ -102,6 +101,7 @@ SecRule REQUEST_URI "@rx (author\=[0-9]+)|(wp/v2/users)" \
   t:lowercase,t:normalizePath,t:trim,\
   tag:'wordpress',\
   tag:'enumeration',\
+  tag:'paranoia-level/1',\
   accuracy:'9',\
   maturity:'1',\
   severity:'NOTICE',\
@@ -115,7 +115,6 @@ SecRule REQUEST_URI "@rx (author\=[0-9]+)|(wp/v2/users)" \
 SecMarker "END_WPHARD_USER_ENUMERATION"
 
 # Check if restapi should be blocked and if not, skip
-# (regression test on default)
 SecRule TX:wphard.block_rest_api "@eq 0" \
   "phase:2,\
   id:9522106,\
@@ -132,6 +131,7 @@ SecRule REQUEST_FILENAME "@rx ^/wp-json/.+" \
   tag:'wordpress',\
   tag:'rest-api',\
   tag:'wp-json',\
+  tag:'paranoia-level/1',\
   accuracy:'9',\
   maturity:'1',\
   severity:'NOTICE',\
@@ -144,8 +144,7 @@ SecRule REQUEST_FILENAME "@rx ^/wp-json/.+" \
 
 SecMarker "END_WPHARD_BLOCK_REST_API"
 
-# Check if admin login should be blocked and if not, skip
-# (regression test on default)
+# Check if login 'admin' should be blocked and if not, skip
 SecRule TX:wphard.block_admin_login "@eq 0" \
   "phase:2,\
   id:9522108,\
@@ -161,6 +160,7 @@ SecRule REQUEST_URI "@beginsWith /wp-login.php" \
   t:lowercase,t:normalizePath,t:trim,\
   tag:'wordpress',\
   tag:'admin-login',\
+  tag:'paranoia-level/1',\
   accuracy:'9',\
   maturity:'1',\
   severity:'WARNING',\
@@ -176,7 +176,6 @@ SecRule REQUEST_URI "@beginsWith /wp-login.php" \
 SecMarker "END_WPHARD_BLOCK_ADMIN_LOGIN"
 
 # Check if wpcron should be blocked and if not, skip
-# (regression test on default)
 SecRule TX:wphard.block_wpcron "@eq 0" \
   "id:9522110,\
   phase:2,\
@@ -192,6 +191,7 @@ SecRule REQUEST_FILENAME "^/wp-cron\.php" \
   t:lowercase,t:normalizePath,t:trim,\
   tag:'wordpress',\
   tag:'wpcron',\
+  tag:'paranoia-level/1',\
   accuracy:'9',\
   maturity:'1',\
   severity:'NOTICE',\
@@ -205,13 +205,13 @@ SecRule REQUEST_FILENAME "^/wp-cron\.php" \
 SecMarker "END_WPHARD_WPCRON"
 
 # No direct access to .php files except index.php/wp-admin/xmlrpc/wpcron
-# (regression test)
 SecRule REQUEST_FILENAME "@rx ^(?!.*(?:\/wp-admin\/|(?:^|\/)(index|xmlrpc|wp-cron|wp-login)\.php$)).*\.php$" \
   "id:9522200,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
   tag:'wordpress',\
   tag:'direct-access',\
+  tag:'paranoia-level/1',\
   accuracy:'9',\
   maturity:'1',\
   severity:'NOTICE',\
@@ -223,13 +223,13 @@ SecRule REQUEST_FILENAME "@rx ^(?!.*(?:\/wp-admin\/|(?:^|\/)(index|xmlrpc|wp-cro
   setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # No direct access to these files (PL1)
-# (regression test)
 SecRule REQUEST_FILENAME "@pmFromFile wordpress-hardening-files.data" \
   "id:9522202,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
   tag:'wordpress',\
   tag:'direct-access',\
+  tag:'paranoia-level/1',\
   accuracy:'9',\
   maturity:'1',\
   severity:'NOTICE',\
@@ -241,13 +241,13 @@ SecRule REQUEST_FILENAME "@pmFromFile wordpress-hardening-files.data" \
   setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # Don't allow other script languages. (PL2)
-# (no regression test yet)
 SecRule REQUEST_FILENAME "@rx .(pl|cgi|py|sh|lua|asp)$" \
   "id:9522203,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
   tag:'wordpress',\
   tag:'only-allow-php-extension',\
+  tag:'paranoia-level/2',\
   accuracy:'9',\
   maturity:'1',\
   severity:'NOTICE',\
@@ -259,13 +259,13 @@ SecRule REQUEST_FILENAME "@rx .(pl|cgi|py|sh|lua|asp)$" \
   setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 # Deny certain nasty stuff in uploads (PL1)
-# (regression test)
-SecRule REQUEST_FILENAME "@rx ^/wp-content/uploads/.*\.(?:s?html?|js|swf|lua)$" \
+SecRule REQUEST_FILENAME "@rx ^/wp-content/uploads/.*\.(?:s?html?|swf|lua)$" \
   "id:9522205,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
   tag:'wordpress',\
   tag:'uploads',\
+  tag:'paranoia-level/1',\
   accuracy:'9',\
   maturity:'1',\
   severity:'NOTICE',\
@@ -276,14 +276,14 @@ SecRule REQUEST_FILENAME "@rx ^/wp-content/uploads/.*\.(?:s?html?|js|swf|lua)$"
   msg:'Wordpress hardening: attempt to access wp-content/uploads nasty stuff',\
   setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
-# Deny access to sensitive files (Pl1)
-# (regression test)
+# Deny access to sensitive files (PL1)
 SecRule REQUEST_FILENAME "@rx \.(conf|htaccess|htpass|sql|orig|bak|db|ini|md|log|git|github|swp|DS_STORE)($|/)?" \
   "id:9522206,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
   tag:'wordpress',\
   tag:'sensitive-files',\
+  tag:'paranoia-level/1',\
   accuracy:'9',\
   maturity:'1',\
   severity:'NOTICE',\
@@ -295,14 +295,14 @@ SecRule REQUEST_FILENAME "@rx \.(conf|htaccess|htpass|sql|orig|bak|db|ini|md|log
   setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # Deny access to ^/wp-json$ while api keeps functioning (PL1)
-# (regression test)
 SecRule REQUEST_FILENAME "@rx ^/wp-json/?$" \
   "id:9522207,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
   tag:'wordpress',\
   tag:'sensitive-files',\
   tag:'wp-json',\
+  tag:'paranoia-level/1',\
   accuracy:'9',\
   maturity:'1',\
   severity:'NOTICE',\

plugins/wordpress-hardening-config.conf

@@ -8,9 +8,9 @@
 # ------------------------------------------------------------------------
 
 # OWASP CRS Plugin
-# Plugin name: wordpress-hardening-plugin
-# Plugin description: extra security rules for wordpress installations
-# Rule ID block base: 9,522,000 (range is 1000, thus ID block base +1000)
+# Plugin name: wordpress-hardering-plugin
+# Plugin description: harden wordpress, minimize php/sql impact
+# Rule ID block base: 9,522,000-9,522,999
 # Plugin version: 1.0.0
 
 # Generic rule to disable the plugin
@@ -23,7 +23,6 @@
 #   nolog,\
 #   setvar:'tx.wordpress-hardening-plugin_enabled=0'"
 
-
 #SecAction "id:9522011,phase:1,nolog,pass,t:none,setvar:tx.wphard.block_xmlrpc=1"
 #SecAction "id:9522013,phase:1,nolog,pass,t:none,setvar:tx.wphard.block_user_enumeration=1"
 #SecAction "id:9522015,phase:1,nolog,pass,t:none,setvar:tx.wphard.block_rest_api=0"

tests/regression/wordpress-hardening-plugin/9522205.yaml

@@ -34,7 +34,7 @@ tests:
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             port: 80
             method: GET
-            uri: /wp-content/uploads/test/test/test/test/test/test/test/test/test/test/test/test.js
+            uri: /wp-content/uploads/test/test/test/test/test/test/test/test/test/test/test/test.php
             data: |
               text
           output: