  #17  
03-29-2009, 04:24 PM
Tony
Senior Member
 
Join Date: Dec 2008
Posts: 133
Quote:
Originally Posted by yolte
I'm using gotroot's paid mod_sec rules and our private rules too. You should fear Turkish and Russian hackers.

I have been looking for 2 years, and the only way to completely block hacking attempts is response body rules.

Well, the best way is for users to not be getting hacked left and right. I guess it's too much to ask for them to use a WordPress version made in the past year.

If you can limit the damage to the user account then you've done your best. If you do not allow URL includes you've dramatically reduced your risk on a lot of the PHP inclusion exploits. Those are where most of these shells get uploaded. You're still not going to stop someone really determined unless you flat out do not allow anything. Most of the dangerous attacks in the past few years have involved privilege escalation. They did not even require an r57 shell to do. You could do them via a Perl script, which most are not bothering to block anyways. The Perl scripts do not have the same sort of shell restrictions either.

Oh, and I mentioned rules that cause a lot of trouble for LSWS. Well, one such example is something like this:

<LocationMatch /edit_css.ph>
SecRuleRemoveById 340006
SecRuleRemoveById 340007
</LocationMatch>


With a lot of them and a decent amount of vhosts you could see your memory usage being extremely high. We had a machine where we threw up some rules with that and we went from LSWS using 100MB of memory to 800MB of memory.

The request body scanning is another scary rule to really kill the performance. If it's not done well I don't think it's worth doing at the price in resources it's going to come at. It does not guarantee protection either from what I'd deemed very serious.
__________________
Hawk Host
Frog Host
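To see how many per-location rule exclusions of the kind shown in the post a configuration carries across its vhosts, a small audit script helps. This is an added example, not code from the post or from LSWS/ModSecurity; the sample config, hostnames, the `/wp-admin/` block and its rule IDs are constructed, and `find_exclusions` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample config: hostnames, the /wp-admin/ block and its IDs are made up.
SAMPLE_CONF = """
<VirtualHost *:80>
  ServerName a.example
  <LocationMatch /edit_css.ph>
    SecRuleRemoveById 340006
    SecRuleRemoveById 340007
  </LocationMatch>
</VirtualHost>
<VirtualHost *:80>
  ServerName b.example
  <LocationMatch /edit_css.ph>
    SecRuleRemoveById 340006 340007
  </LocationMatch>
  <Location /wp-admin/>
    # SecRuleRemoveById 340200
    SecRuleRemoveById "340100-340102"
  </Location>
</VirtualHost>
"""
OPEN = re.compile(r'<Location(?:Match)?\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</Location(?:Match)?>', re.I)

def find_exclusions(conf_text):
    """Return [(vhost, location, [id tokens])]; assumes ServerName precedes the blocks."""
    vhost, loc, ids, found = "(global)", None, [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and commented-out rules
            continue
        words = line.replace('"', "").split()
        if words[0].lower() == "servername" and len(words) > 1:
            vhost = words[1]
        elif line.lower().startswith("</virtualhost"):
            vhost = "(global)"
        elif (m := OPEN.match(line)):
            loc, ids = m.group(1).strip(), []
        elif CLOSE.match(line) and loc is not None:
            if ids: found.append((vhost, loc, ids))
            loc = None
        elif words[0].lower() == "secruleremovebyid" and loc is not None:
            ids.extend(words[1:])  # one directive may list several IDs or ranges
    return found

def summarize(found):
    per_vhost = Counter(v for v, _, _ in found)  # exclusion blocks per vhost
    return per_vhost, Counter((loc, tuple(sorted(ids))) for _, loc, ids in found)
```

The second counter returned by `summarize` shows which identical exclusion blocks are repeated from vhost to vhost, which is the pattern the post ties to the memory growth.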