Hey @thinqlabs,
Can you please share the contents of your htaccess file?
Have you had a chance to look at our documentation regarding setting Wordfence up with Cloudflare? You’ll want to adjust How Wordfence Gets IPs to work correctly with it.
CF-Connecting-IP
https://www.wordfence.com/help/dashboard/options/#general-wordfence-options
Please let me know how it goes.
Thanks,
Gerroald
hi thanks for the quick reply. I added the following to the standard .htaccess
# Blocks some XSS attacks
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F,L]
</IfModule>
# Restricts access to PHP files from plugin and theme directories
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ – [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ – [R=404,L]
# Protect Against SQL Injection
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ – [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|”|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*WordPress_logged_in_.*$
RewriteRule ^(.*)$ – [F,L]
</IfModule>
I will have a look at the CF-Connecting-IP thing tongiht
thanks again
sigh the hacker keeps on coming.. i just got a Wordfence Admin Login alert from an ip in a different country. There is only one admin account on my wordpress, I don’t know how this happened, I just quickly did a “Deny for all” to put my website offline until i figure out how. All these php/sql injections attacks and stuff really intensified in the past few months. Is this type of hacking normal for the average website, or do I have some online enemies?
please ignore the previous post, the ip was through a CDN that was why it looked different lol
Hey @thinqlabs,
Did adjusting your How Wordfence Gets IPs for Cloudflare help?
Please let me know.
Thanks,
Gerroald
Hey @thinqlabs,
We haven’t heard back from you in a while, so I’ve gone ahead and marked this thread as resolved.
Please feel free to open another thread if you’re still having issues with Wordfence.
Thanks,
Gerroald
