Reject any requests which are attempting to hack my WordPress/PHP

alexwlchan · Oct 30, 2024 · 80c8630 · 80c8630
1 parent 710edac
commit 80c8630
Showing 1 changed file with 20 additions and 1 deletion.
diff --git a/Caddyfile b/Caddyfile
@@ -45,7 +45,7 @@ www.alexwlchan.net {
 		X-Xss-Protection "1; mode=block"
 	}
 
-  # If somebody gets a 404 or 410 error, respond with my custom error pages.
+  # If somebody gets a 4xx error, respond with my custom error pages.
   handle_errors 404 {
     root * /home/alexwlchan/repos/alexwlchan.net/_site
     rewrite * 404/index.html
@@ -58,6 +58,25 @@ www.alexwlchan.net {
     file_server
   }
 
+  handle_errors 400 {
+    root * /home/alexwlchan/repos/alexwlchan.net/_site
+    rewrite * 400/index.html
+    file_server
+  }
+
+  # If somebody is trying to look for PHP pages on my site, and WordPress
+  # pages in particular, they probably have nefarious goals.
+  #
+  # This is mostly automated bots -- serve them my minimal 400 Bad Request
+  # error rather than the complete 404 Not Found page.
+  @spam {
+  	path /.env /index.php /xmlrpc.php /wp-* /blog/wp-* /cms/wp-* /shop/wp-* /site/wp-* /test/wp-*  /wordpress/wp-* /wp/wp-* /wp2/wp-* /zb_system/*
+  }
+
+  handle @bad_paths {
+    respond * 400
+  }
+
   # This is a mini-site that was built separately and I've just uploaded
   # the HTML files to my web server.
   #