block malicious probing requests

my web app gets requests like these:
get myapp.com/wp-login.php
get myapp.com/sitemap.xml
get myapp.com/.git/config
get myapp.com/wp-content/themes/sketch/404.php
which seem to be probing for vulnerabilities, since none of the URLs exist and e.g. my site isn't a WordPress site. Is there any way to easily block these? I could create WAF custom rules, but would that turn into whack-a-mole if I need to manually specify every invalid URL being requested? I'm currently on the free plan, so I could upgrade to Pro to enable more managed rules, but it's unclear to me if that'll solve the issue. It's not a lot of traffic, so it's not hurting too much. The biggest annoyance for me is that it creates errors in my observability data, making it harder to find real issues amongst these phantom issues.
4 Replies
semaja2 · 10mo ago
Do you have a paid plan? The .git one is usually blocked by default with the WAF managed rules turned on.
Chaika · 10mo ago
.git would be blocked by Pro or higher's CF Managed Ruleset. For the rest, if you're not using PHP or WordPress at all, you can use Custom Rules to blanket block them pretty easily, ex: (ends_with(http.request.uri.path, ".php")) or (http.request.uri.path contains "wp-"). The sitemap.xml is a legit one which is helpful to search engines so they can know all the pages to crawl/when they updated/frequency/etc.
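As an added example that is not part of this thread: a small local evaluator that models the semantics of the Custom Rule expression in the reply above (with a starts_with clause for .git added here, since the managed ruleset that covers it is not on the free plan), run over the request paths from the original post plus one constructed legitimate path (/api/orders), so you can see what a rule would block before deploying it. The helper names mirror the Cloudflare rules-language functions; the log format and the site being PHP-free are assumptions taken from the post.

```python
from urllib.parse import urlsplit

# Request lines in the shape the original post shows ("get host/path"), plus one
# constructed legitimate path (/api/orders) to confirm the rule leaves it alone.
SAMPLE_LOG = """\
get myapp.com/wp-login.php
get myapp.com/sitemap.xml
get myapp.com/.git/config
get myapp.com/wp-content/themes/sketch/404.php
get myapp.com/api/orders
"""

# The three helpers below have the same meaning as the Cloudflare rules-language
# ends_with(), starts_with() and `contains`: plain, case-sensitive string tests.
def ends_with(value: str, suffix: str) -> bool:
    return value.endswith(suffix)

def starts_with(value: str, prefix: str) -> bool:
    return value.startswith(prefix)

def contains(value: str, needle: str) -> bool:
    return needle in value

def is_probe(path: str) -> bool:
    """Mirror of the Custom Rule from the reply above, with a .git clause added:
        (ends_with(http.request.uri.path, ".php"))
        or (http.request.uri.path contains "wp-")
        or (starts_with(http.request.uri.path, "/.git"))
    Only safe for a site that serves no PHP, no WordPress and no "wp-" paths."""
    return ends_with(path, ".php") or contains(path, "wp-") or starts_with(path, "/.git")

def path_of(log_line: str) -> str:
    """URI path from a 'method host/path' line; the log carries no scheme."""
    _method, target = log_line.split(maxsplit=1)
    return urlsplit("//" + target).path or "/"

def triage(log_text: str) -> dict[str, list[str]]:
    """Split logged requests into what the rule would block and what it lets through.
    The 'allowed' list is what is left for the error dashboards once probes are gone."""
    result: dict[str, list[str]] = {"blocked": [], "allowed": []}
    for line in log_text.splitlines():
        if line.strip():
            path = path_of(line)
            result["blocked" if is_probe(path) else "allowed"].append(path)
    return result

if __name__ == "__main__":
    for verdict, paths in triage(SAMPLE_LOG).items():
        print(verdict, paths)
```

Matching is case-sensitive, as it is in the Cloudflare expression, so "/index.PHP" slips through unless you wrap the field in lower(); and any legitimate path containing "wp-" would be caught, which is why the blanket rule only fits a site with no such paths.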
kelbs (OP) · 10mo ago
I'm currently on the free plan so I could upgrade to Pro to enable more managed rules, but it's unclear to me if that'll solve the issue.
Yeah, not on a paid plan but have been considering it. The only reason I haven't pulled the trigger is I wasn't sure if it would help or not. Thank you for the ideas! I'll use these and see if there are more commonalities across the requests for easy blocking. Is the ends_with functionality also only available on paid plans? Doesn't seem to be an option for me.
az · 10mo ago
I generally block these with contains "wp" on free.