/old/wp-admin/setup-config.php

Hi, has anyone had attacks on WordPress sites like this below? They have old or test or any name and just attack them. Any way of stopping these with Comodo?

/old/wp-admin/setup-config.php
/test/wp-admin/setup-config.php

You can use the “userdata_bl_URLs” file for these purposes.

Could you explain how I do this, please? I also see loads of attacks on wp-login; could do with tightening the rule to stop them.

/old/wp-admin/ and /test/wp-admin could be placed in Comodo WAF - Userdata - Blocked URLs
It should resolve this issue.

Hi, so put them in userdata_bl_URLs like this below, is that correct?

Put your blacklist of URL pathes here

Only IPs from whitelisted list will be allowed to visit these URLs

/old/wp-admin/
/test/wp-admin

Yes, you are right.

Thanks, something new I have learnt. Can you tell me how I make the rule for wp-login tighter? Getting loads of attacks for some reason.

Hi, still getting attacks on these URLs. Can you tell me, do I need to add the full path like /wp/wp-admin/setup-config.php? Because I only added /old/wp-admin last time.

Hi, I’ve tested your case and everything works fine. You can add any part of the path to block that request, so the simple string “/setup-config.php” (without quotes) in userdata_bl_URLs should do the job.

Hi, so I can just add /setup-config.php and that will work for any name in front? But I did still get a high load, might be because they attacked all the WordPress sites on the server? How fast does it block them, and can I change it to block them faster?

Correct. Access to this page should be blocked immediately after web server restart for all IPs which do not belong to the userdata_wl_IPs file.

Hi, sorry to reply to this old topic, but all the blocked links I put in userdata_bl_URLs have all gone. I only noticed because I started getting attacks again. Any idea why they have all gone? I can’t remember what I added, so I've got to do all the servers again now.

/setup-config.php
/old/wp-admin
/test/wp-admin
/wp-login.php

Hi. It is possible that userdata files could be overwritten with an update to a new version of the rules; you should back up your userdata files. Also, please make sure that your userdata files don’t contain ‘\r\n’ but only ‘\n’.

Thanks, but where would I find the backup files?

You should back up the files yourself and save them somewhere other than CWAF's rules folder or /usr/local/cwaf/etc/userdata.
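The backup and line-ending advice from the replies above, as an added shell example that is not part of the thread or of Comodo's own tooling. The userdata path is the one named in the thread; the backup destination and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: keep copies of the CWAF userdata files outside the rules tree.
# USERDATA_DIR is the path named in the thread; BACKUP_ROOT is an assumption.
USERDATA_DIR="${USERDATA_DIR:-/usr/local/cwaf/etc/userdata}"
BACKUP_ROOT="${BACKUP_ROOT:-/root/cwaf-userdata-backups}"

# Print the files in directory $1 that contain a carriage return ('\r\n' endings).
# Returns 0 if at least one such file was found, 1 if every file is '\n'-only.
find_crlf_files() {
    cr=$(printf '\r'); rc=1
    for f in "$1"/*; do
        if [ -f "$f" ] && grep -q "$cr" "$f"; then
            printf '%s\n' "$f"; rc=0
        fi
    done
    return $rc
}

# Copy every file from $1 into a new timestamped directory under $2
# (readable by the owner only) and print the directory that was created.
backup_userdata() {
    dest="$2/$(date +%Y%m%d-%H%M%S)-$$"
    mkdir -p "$dest" && chmod 700 "$dest" &&
        cp -p "$1"/* "$dest"/ && printf '%s\n' "$dest"
}

# Copy the files of backup directory $1 back into $2, dropping any '\r'
# so the restored files use '\n' line endings only.
restore_userdata() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        tr -d '\r' < "$f" > "$2/$(basename "$f")" || return 1
    done
}

# Usage: script.sh backup | check | restore <backup-dir>
case "${1:-}" in
    backup)  backup_userdata "$USERDATA_DIR" "$BACKUP_ROOT" ;;
    check)   find_crlf_files "$USERDATA_DIR" && echo "files above contain CRLF" ;;
    restore) restore_userdata "$2" "$USERDATA_DIR" ;;  # then restart the web server
esac
```

Running the `backup` action before each rules update leaves a copy that `restore` can put back if the update replaces the files.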

Only just seen this. I never backed them up and it’s done it again. But why does an update keep removing them?

Are you sure that this happens only after rules updates?
Please provide information about your web server, hosting panel, modsecurity, CWAF plugin and CWAF rules versions.
Also, please provide information about how the CWAF plugin was installed (standalone mode or as a hosting manager plugin), if it is installed.
If the rules are installed without the plugin, userdata files will be overwritten.
Regards.

Yes, installed via WHM. I used to have the plugin installed but removed it and can’t remember why.

The plugin was maybe removed because of an issue with WHM 70.0+ and the CWAF plugin. v2.23 is stable now.

If the rules are installed without the plugin (as a modsecurity vendor), userdata files will be overwritten with every update.

I recommend you install CWAF plugin v2.23.

OK, could you tell me the best way to uninstall the WHM one and the steps to install the new plugin, please? Also, will I have to enable anything or is it ready to go?

PS: what do you mean by WHM 78.0+? 78 is not out; I am using v72.0.10.