Channel: BulletProof Security Forum » All Posts
Reply To: POST Request Protection|POST Attack Protection|POST Request Blocker

Hi, I have some Qs about the code
[existing code was deleted – no need to repost the existing code in this Topic as a reference]
Qs are:
1) in the RewriteRule, why use ^(.*) when we do not care what the request is and could just match against ^ instead?

2) where are the [OR] flags? (also, there is no [NC] in your example for /wp-admin/customize.php)
…as is, it seems to me that this won’t work:
from https://httpd.apache.org/docs/current/mod/mod_rewrite.html

‘ornext|OR’ (or next condition)
Use this to combine rule conditions with a local OR instead of the implicit AND. Typical example:

RewriteCond "%{REMOTE_HOST}"  "^host1"  [OR]
RewriteCond "%{REMOTE_HOST}"  "^host2"  [OR]
RewriteCond "%{REMOTE_HOST}"  "^host3"
RewriteRule

Without this flag you would have to write the condition/rule pair three times.

( also found a very nice answer at http://stackoverflow.com/a/31572003 )
…yet I assume that you’ve tested your code, and that you generally know more than I do about htaccess =)
…still, it seems to me that it should be something like this

# BPS POST Request Attack Protection
RewriteCond %{REQUEST_METHOD} POST [NC]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC,OR]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC,OR]
# NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC,OR]
# Whitelist the WordPress Theme Customizer
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC,OR]
# Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC,OR]
# Whitelist Network|Multisite Signup POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC,OR]
# Whitelist Network|Multisite Activate POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC,OR]
# Whitelist Trackback POST Requests
RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC,OR]
# Whitelist Comments POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC,OR]
# Example 1: Whitelist Star Rating Calculator POST Form Requests
RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC,OR]
# Example 2: Whitelist Contact Form POST Requests
RewriteCond %{REQUEST_URI} !^.*/contact/ [NC,OR]
# Example 3: Whitelist PayPal IPN API Script POST Requests
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
RewriteRule ^(.*)$ - [F]

(assuming one is using the examples at the end as well – the last RewriteCond does not have an [OR] flag)

Thoughts? Elucidations?

Cheers, Max

  • This reply was modified 9 hours, 46 minutes ago by Max. Reason: clarity
  • This reply was modified 9 hours, 42 minutes ago by AITpro Admin.
  • This reply was modified 9 hours, 2 minutes ago by Max. Reason: correction
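As an added illustration (not part of Max's post or of the BPS plugin code), the following Python models how mod_rewrite evaluates a RewriteCond chain: conditions are implicitly ANDed, and an [OR] flag joins a condition with the next one into a group that passes when any member passes. It runs the negated whitelist patterns from the post over a few constructed POST URIs under both the implicit-AND form and the [OR] form; the REQUEST_METHOD condition is assumed to have already passed (every sample request is a POST).

```python
import re

# Constructed model of mod_rewrite condition evaluation, not Apache's own code.
# A condition is (regex, negate, or_next), mirroring
#   RewriteCond %{REQUEST_URI} !pattern [NC,OR]
def rewrite_conds_match(conds, uri):
    """Return True when the whole RewriteCond chain passes for uri,
    i.e. the RewriteRule that follows it (here: - [F]) would fire."""
    group_pass = False
    for pattern, negate, or_next in conds:
        matched = re.search(pattern, uri, re.IGNORECASE) is not None  # [NC]
        result = (not matched) if negate else matched                 # leading "!"
        group_pass = group_pass or result
        if not or_next:               # end of an [OR] group: groups are ANDed
            if not group_pass:
                return False
            group_pass = False
    return True

# Whitelisted POST endpoints from the post (the core WordPress ones).
WHITELIST = ["/wp-admin/", "/wp-cron.php", "/wp-login.php", "/xmlrpc.php",
             "/wp-signup.php", "/wp-activate.php", "/wp-trackback.php",
             "/wp-comments-post.php"]

def build_conds(whitelist, use_or):
    """Build the negated '^.*path' conditions, with [OR] on all but the last
    when use_or is True (Max's variant) or on none (implicit AND)."""
    conds = []
    for i, path in enumerate(whitelist):
        last = i == len(whitelist) - 1
        conds.append((r"^.*" + re.escape(path), True, use_or and not last))
    return conds

# Constructed sample POST request URIs; only the last one is not whitelisted.
SAMPLE_URIS = ["/wp-login.php", "/wp-admin/admin-ajax.php", "/xmlrpc.php",
               "/wp-comments-post.php", "/some-plugin/upload.php"]

def blocked_uris(uris, use_or):
    """URIs for which the chain passes and the request is therefore forbidden."""
    conds = build_conds(WHITELIST, use_or)
    return [u for u in uris if rewrite_conds_match(conds, u)]

if __name__ == "__main__":
    print("implicit AND blocks:", blocked_uris(SAMPLE_URIS, use_or=False))
    print("[OR] chain blocks:  ", blocked_uris(SAMPLE_URIS, use_or=True))
```

With implicit AND, a POST is forbidden only when it matches none of the whitelisted paths; with [OR] between negated conditions, a single non-matching pattern is enough to pass the chain, so every POST is forbidden (De Morgan: "not A and not B" is not the same as "not A or not B").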
