add rules 22200003, 22200004, 22200040

Author: theMiddleBlue

05-HARDENING.conf

@@ -28,6 +28,35 @@ SecRule REQUEST_FILENAME "^/wp\-content(/.*\.txt(|[\/].*)|(|\/))$" "phase:1,id:2
   logdata:'Request Filename %{REQUEST_FILENAME}',\
   msg:'WordPress: TXT /wp-content access attempt'"
 
+#wp-admin/ sensitive files
+SecRule REQUEST_FILENAME "^/wp-admin/(?:install|includes)" "phase:1,id:22200003,\
+  t:lowercase,t:normalizePath,t:trim,\
+  block,\
+  log,\
+  rev:'1',\
+  severity:'6',\
+  maturity:'9',\
+  accuracy:'9',\
+  ver:'%{tx.wprs_version}',\
+  tag:'wordpress',\
+  tag:'includes',\
+  logdata:'Request Filename %{REQUEST_FILENAME}',\
+  msg:'WordPress: File /wp-admin access attempt'"
+
+SecRule REQUEST_FILENAME "^/(?:readme|license)\." "phase:1,id:22200004,\
+  t:lowercase,t:normalizePath,t:trim,\
+  block,\
+  log,\
+  rev:'1',\
+  severity:'6',\
+  maturity:'9',\
+  accuracy:'9',\
+  ver:'%{tx.wprs_version}',\
+  tag:'wordpress',\
+  tag:'includes',\
+  logdata:'Request Filename %{REQUEST_FILENAME}',\
+  msg:'WordPress: Readme or License file access attempt'"
+
 
 SecRule tx:wprs_allow_xmlrpc "@eq 1" \
   "phase:1,\
@@ -120,4 +149,21 @@ SecRule REQUEST_URI "@rx ^/wp\-admin/(load\-styles|load\-scripts)\.php.*load\[\]
   logdata:'Detected on script: %{TX:1}.php',\
   msg:'WordPress: DoS Attack Attempt'"
 
+SecRule REQUEST_URI "@rx ^/(wp-cron\.php)" "phase:1,id:22200040,\
+  t:lowercase,t:urlDecode,t:trim,t:normalizePath,t:removeWhitespace,\
+  block,\
+  log,\
+  rev:'1',\
+  severity:'6',\
+  maturity:'9',\
+  accuracy:'9',\
+  capture,\
+  ver:'%{tx.wprs_version}',\
+  tag:'wordpress',\
+  tag:'dos',\
+  tag:'cve-2018-6389',\
+  logdata:'Detected on script: %{TX:1}',\
+  msg:'WordPress: DoS Attack Attempt'"
+
+
 SecMarker END_WPRS_DOS