{"id":1218,"date":"2025-10-10T10:22:50","date_gmt":"2025-10-10T08:22:50","guid":{"rendered":"https:\/\/doublepanic.com\/?p=1218"},"modified":"2025-10-10T10:22:55","modified_gmt":"2025-10-10T08:22:55","slug":"quick-and-dirty-wordpress-waf-protection-for-the-extremely-outdated","status":"publish","type":"post","link":"https:\/\/doublepanic.com\/?p=1218","title":{"rendered":"Quick and dirty WordPress WAF protection for the extremely outdated"},"content":{"rendered":"<p>I&#8217;m not disclosing <em>at all<\/em> that this WP you are poking at is outdated. This is for you who cannot update yours due to surely very reasonable reasons, are receiving a lot of spam attacks these days, and cannot raise a WAF for surely equally reasonable reasons<sup>*<\/sup>.<\/p>\n<p>A shallow review of the attacking calls shows that the targets are <strong>wp-login.php<\/strong> for brute-force and password-spraying attacks and <strong>xmlrpc.php<\/strong> for whatever vulnerabilities WP exposes now.<br \/>\nSo, why not protect these files with cheap, dirty, leave-me-alone-I-have-a-life basic authentication?<\/p>\n<p>Put this into your site&#8217;s .htaccess, your \/etc\/sites-enabled Apache config file (inside the &lt;VirtualHost&gt; block) or whatever controls your site.<\/p>\n<blockquote><pre><code>&lt;Files xmlrpc.php&gt;\n    AuthType Basic\n    AuthName \"no spam\"\n    AuthUserFile <em>\/etc\/apache2\/mysite_passwords<\/em>\n    Require valid-user\n&lt;\/Files&gt;\n&lt;Files wp-login.php&gt;\n    AuthType Basic\n    AuthName \"no spam\"\n    AuthUserFile <em>\/etc\/apache2\/mysite_passwords<\/em>\n    Require valid-user\n&lt;\/Files&gt;\n<\/code><\/pre><\/blockquote>\n<p>Not using Apache? Oh snap!<\/p>\n<p>Now add some users to that mysite_passwords file (choose your own names) and assign passwords. The -c flag creates the file, so use it only for the first user; it overwrites an existing file:<\/p>\n<blockquote><p><code>htpasswd -c \/etc\/apache2\/mysite_passwords happy_user_name<\/code><\/p><\/blockquote>\n<p>Reload your Apache server config. Honor the file permissions; they are there for your security.<\/p>\n<blockquote><p><code>\/etc\/init.d\/apache2 restart<\/code><\/p><\/blockquote>\n<p>And now, the first time you try to log in, the browser will ask you for the server password before the WP login, and that lasts for the browser session. If you are an admin or use xmlrpc for anything, I recommend going to http:\/\/yoursite\/xmlrpc.php to authenticate before using it. Also, modify any application that calls it so the URL includes the basic (insecure) authentication, say http:\/\/user:pass@yoursite\/xmlrpc.php.<\/p>\n<p>Caveats:<\/p>\n<ol>\n<li>Two passwords (could be the same, but&#8230; Please no.)<\/li>\n<li>Cumbersome for users<\/li>\n<li>Potentially problematic<\/li>\n<li>Plain shit<\/li>\n<\/ol>\n<p>Benefits:<\/p>\n<ol>\n<li>No spam for now<\/li>\n<li>You can go upstairs for dinner at last<\/li>\n<\/ol>\n<p><sup>*<\/sup> Indolence is a perfectly valid one.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;m not disclosing at all that this WP you are poking at is outdated. This is for you who cannot update yours due to surely very reasonable reasons, are receiving a lot of spam attacks these days, and cannot raise a WAF for surely equally reasonable reasons*. A shallow review of the attacking calls shows [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"_links":{"self":[{"href":"https:\/\/doublepanic.com\/index.php?rest_route=\/wp\/v2\/posts\/1218"}],"collection":[{"href":"https:\/\/doublepanic.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/doublepanic.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/doublepanic.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/doublepanic.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1218"}],"version-history":[{"count":18,"href":"https:\/\/doublepanic.com\/index.php?rest_route=\/wp\/v2\/posts\/1218\/revisions"}],"predecessor-version":[{"id":1236,"href":"https:\/\/doublepanic.com\/index.php?rest_route=\/wp\/v2\/posts\/1218\/revisions\/1236"}],"wp:attachment":[{"href":"https:\/\/doublepanic.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/doublepanic.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/doublepanic.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}