Firewall

This is one of the most important features in the coreSecurity plugin, and it is highly efficient at eliminating all sorts of attacks that arrive as requests to your website.

To learn more about the pros and cons of using the standalone Firewall feature compared to a firewall in .htaccess, see this article: Setting up Firewall.

How the Firewall works

The Firewall works by hooking early into WordPress request processing and running a series of scanners to determine whether the request needs to be stopped. The Firewall has two parts: the scanners and URL length control.

Scanners

Currently, there are 4 Firewall scanners: 2 deal with the request URL, 1 scans the user agent and 1 scans the request referrer.

Request URI

This scanner handles the whole request URL without the website domain. The plugin has a long list of predefined regular expressions to run against the URI. If any of the expressions is triggered, the plugin logs the event along with the expression that was triggered.

Query String

This scanner handles only the query part of the URL (if the URL has one). The plugin has a long list of predefined regular expressions to run against the query string. If any of the expressions is triggered, the plugin logs the event along with the expression that was triggered.

User Agent

This scanner handles the user agent sent by the source as part of the request headers. Again, there is a long list of predefined regular expressions to run against the user agent, and if any of the expressions is triggered, the plugin logs the event along with the expression that was triggered.

Referrer

This scanner handles the referrer sent by the source as part of the request headers. This time, the scanner compares the referrer domain to the huge list of referrers in the Dictionary that are known sources of spam.

URL Length Control

Normal URLs should not be too long in most cases, and unless you have some huge filters that build long query strings, an extremely long URL can be seen as a sign of some form of malicious attack.

The plugin can check front-end and admin-side URLs for length, and if the length is greater than the allowed value, that is logged in the database and can be used as a signal to ban the request source IP.

For the admin side, it is a good idea to allow longer requests, because many WordPress admin-side panels can have very long query strings. If you are not sure about this feature, it is best to leave the URL Length Control disabled.
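
The checks described above, sketched in PHP as an added example; this is not coreSecurity's own code. The function name scan_request, the patterns, the referrer domain and the length limits are constructed placeholders, and the single URL-decoding pass is an assumption. It needs PHP 8 for str_ends_with.

```php
<?php
// Added illustration, not coreSecurity code. Every pattern, domain and limit
// below is a constructed placeholder, not part of the plugin's rule set.
const RULES = [
    'request_uri'  => ['#\.\./#', '#/wp-config\.php#i'],
    'query_string' => ['#union\s+select#i', '#<script#i'],
    'user_agent'   => ['#sqlmap#i', '#nikto#i'],
];
const SPAM_REFERRERS = ['spam-referrer.example'];
const MAX_LENGTH = ['front' => 512, 'admin' => 2048];

function scan_request(array $server, bool $isAdmin = false): array {
    $uri = (string) ($server['REQUEST_URI'] ?? '');
    // Assumption: decode once so that %2e%2e%2f is matched as ../
    $subjects = [
        'request_uri'  => rawurldecode($uri),
        'query_string' => rawurldecode(explode('?', $uri, 2)[1] ?? ''),
        'user_agent'   => (string) ($server['HTTP_USER_AGENT'] ?? ''),
    ];
    $events = [];
    foreach (RULES as $scanner => $patterns) {
        foreach ($patterns as $pattern) {
            if (preg_match($pattern, $subjects[$scanner]) === 1) {
                // Record which scanner fired and the expression that matched.
                $events[] = ['scanner' => $scanner, 'rule' => $pattern];
            }
        }
    }
    // Referrer: compare the host (not the whole URL) against the list.
    $host = strtolower((string) parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST));
    foreach (SPAM_REFERRERS as $domain) {
        if ($host === $domain || str_ends_with($host, '.' . $domain)) {
            $events[] = ['scanner' => 'referrer', 'rule' => $domain];
        }
    }
    // URL length control, with a separate, larger limit for the admin side.
    $limit = MAX_LENGTH[$isAdmin ? 'admin' : 'front'];
    if (strlen($uri) > $limit) {
        $events[] = ['scanner' => 'url_length', 'rule' => "length > $limit"];
    }
    return $events;
}

// Constructed sample request: encoded query payload plus a listed referrer.
print_r(scan_request([
    'REQUEST_URI'     => '/shop/?id=1%20UNION%20SELECT%20user_pass',
    'HTTP_USER_AGENT' => 'Mozilla/5.0',
    'HTTP_REFERER'    => 'https://www.spam-referrer.example/offer',
]));
```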
