the bad URL would trigger modsec which in turn would add the IP to the firewall.
modsec doesn't add ips to firewall. logs and blocks requests (webserver level eg 403 error). it's a "web application firewall".
IDS (eg fail2ban) or some other IPS/IDS reads logs and adds ips in system firewall.
to me this seems to be a circular route. bad actor has got past the firewall (jail) then gets to run webserver then php code then gets looped back to the firewall
why php? just master fail2ban or its substitute.
So if a user has their server configured well and then I write a wordpress WAF that can scan for real world threats from live feeds which can also block IP addresses direct the server then this would be a good addition to a user's current server setup.
just block xmlrpc.php and wp-config-sample.php in web server (if you don't use those) and set fail2ban to trigger firewall blocks on those hits .. add wp-fail2ban if you want to block user enumerations too.
that's ~90% protection for wordpress sites.
2c.
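The counting that the post above hands to fail2ban, sketched as an added example (not part of the thread and not fail2ban's own code): requests for the two named files are tallied per IP and an address is flagged once it crosses a threshold inside a time window. The parameter names borrow fail2ban's `maxretry` and `findtime`; the threshold values, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches access-log requests for the two files named in the post above,
# at the site root or under a subdirectory, with or without a query string.
PROBE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST|HEAD) /+(?:[^ "?]*/)?'
    r'(?:xmlrpc|wp-config-sample)\.php(?:\?[^ "]*)? HTTP/[^"]*"'
)

def ips_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return IPs (in order of detection) with at least `maxretry` probe
    hits inside a sliding `findtime` window."""
    hits = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = []
    for line in lines:
        m = PROBE.match(line)
        if not m:
            continue            # normal traffic is never counted
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = hits[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()    # forget hits older than findtime
        if len(window) >= maxretry and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

# Constructed sample lines (combined log format, documentation-range IPs).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "-"',
    '192.0.2.55 - - [10/Mar/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:40 +0000] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:10:01:10 +0000] "GET /wp-config-sample.php HTTP/1.1" 403 146 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:01:30 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 403 146 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.55 - - [10/Mar/2024:10:15:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "-"',
    '192.0.2.55 - - [10/Mar/2024:10:30:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "-"',
]

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))
```

With the defaults only the burst from 203.0.113.7 is flagged; the slow prober at 192.0.2.55 stays under the window, which is the trade-off to keep in mind when choosing `findtime` and `maxretry` in a real jail.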
Is this a big attack vector, just for my information. I know the other one is.
not big. today's example, got 154 xmlrpc hits in the past hours for some small wp sites, and just 1 for wp-config-sample.
but some misconfiguration/bad wp-config.php copy/whatever, could contain actual user/db details inside this file, why risk it? no one should access this file anyway.
Code one .. you will need either shell_exec or exec enabled. I have already written this code, if you want I can give you access to the code
Sounds cool, I would not mind having a look. I did not think of shell_exec() as this is usually off on shared servers.
Thanks
Virtualmin WP Workbench can already do this as part of protecting the WP Admin dashboard, with just one click of the save button. No need for fancy PHP plugins.
Gotcha, but I use Joomla
I might move to wordpress but the codebase is very limiting. It is mostly procedural and not OOP and it still shows very strong.