There aren’t any silver bullets that will protect a WordPress installation against every single attack, but adding a full-featured IDPS solution like Suricata is a good step towards protecting not only that “all too many times vulnerable” WordPress installation but also other services like SSH.
Most WordPress installations run on a single machine with the complete middleware stack, from the web server down to the database. As such, what follows is based on the following assumptions:
The first step is to replace the location section of the server block that listens on HTTPS and passes requests to PHP, so that it reverse proxies them instead.
Avoid using the $host variable in the X-Forwarded-Host header, since it is client/attacker controlled, possibly making your WordPress installation susceptible to host header poisoning. Use the
Next, configure Nginx to listen locally for the decrypted traffic and pass it on to PHP.
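The two Nginx pieces described above, as an added example rather than the post's own configuration. It assumes a placeholder site name (example.com), placeholder certificate, document-root and PHP-FPM socket paths, and 127.0.0.1:8080 as the internal plain-text hop; it uses the fixed $server_name value in the forwarded headers instead of the client-controlled $host.

```nginx
# Added example (not the original post's configuration). Placeholders:
# example.com, certificate paths, /var/www/wordpress, the PHP-FPM socket,
# and 127.0.0.1:8080 as the local plain-text listener.

# Public HTTPS front end: terminates TLS and reverse-proxies to the local
# plain-text listener so Suricata can inspect decrypted traffic.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/certs/example.com.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key;  # placeholder

    location / {
        proxy_pass http://127.0.0.1:8080;
        # $server_name is fixed by this config; $host would echo whatever
        # Host header the client sent, opening the door to host header poisoning.
        proxy_set_header Host              $server_name;
        proxy_set_header X-Forwarded-Host  $server_name;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Internal plain-text back end: bound to loopback only. This is the hop that
# Netfilter queues to Suricata before the request reaches PHP-FPM.
server {
    listen 127.0.0.1:8080;
    server_name example.com;
    root /var/www/wordpress;   # placeholder
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # The back end only sees HTTP; tell WordPress the original request
        # was HTTPS so is_ssl() works and it does not redirect in a loop.
        fastcgi_param HTTPS on;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder
    }
}
```

Because the back end listens only on 127.0.0.1, nothing reaches PHP without first passing the loopback hop that Suricata inspects.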
After checking that the configuration is correct, restart Nginx. From this point onwards there should be plain-text HTTP traffic flowing to the socket listening locally (generate some traffic if needed). You can confirm this by using
The next step is to configure Netfilter using Nftables so that it sends traffic to Suricata. To do that, create a file with the .rules extension under
After starting the Nftables service, the next step is to configure Suricata. First edit the main Suricata configuration file (
Second, edit the system Suricata configuration file (
After starting Suricata, check that everything worked without errors and that packets are being received (check the /var/log/suricata/stats.log file). To test the installation, use the following SQLi vector.
If everything worked as planned, Suricata should have created an entry in the EVE log (/var/log/suricata/eve.json) reporting the attack.
The next step is to configure the rules to disable false positives:
And change some useful rules from
Restart Suricata and that’s it. It’s a good idea to update the rules every now and then so that Suricata can better protect WordPress :)