Hi @danishhaidri, thanks for your query.
If you are referring to Wordfence > All Options > Immediately block IPs that access these URLs, our best practice would be to specify only URLs that are certainly never intended to be accessed so that you don’t accidentally block yourself during a legitimate action.
If you never have reason to visit /restore or /old at all in the browser, I would conclude that you could safely add those, but wp-upload will be accessed if you perform administrative actions like adding documents or pictures to your site, so I wouldn’t suggest adding that. They have to be specified as relative paths, so you’d add:
/restore/backup.sql.zip
/old/mysql.sql
You could try checking the box for Wordfence > All Options > Disable Code Execution for Uploads directory to provide a level of protection that should protect scripts from being executed there.
Thanks,
Peter.
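
An added example, not part of the reply above and not Wordfence code: before putting a path on the immediate-block list, check the web server access log to confirm that the path has never been served successfully and has never been requested from one of your own addresses. It assumes the Apache/nginx "combined" log format; the log lines, the `TRUSTED_IPS` set and the `audit` function name are constructed for illustration.

```python
import re

# Matches the start of a "combined" format line: client IP, request target, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Paths being considered for the immediate-block list (taken from the reply above).
CANDIDATES = ["/restore/backup.sql.zip", "/old/mysql.sql"]

# Assumption: addresses you administer the site from (documentation range).
TRUSTED_IPS = {"192.0.2.10"}

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = '''\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /restore/backup.sql.zip HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.4 - - [12/Mar/2024:10:05:40 +0000] "GET /old/mysql.sql HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.10 - - [12/Mar/2024:10:07:11 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:08:19 +0000] "GET /restore/backup.sql.zip?dl=1 HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.10 - - [12/Mar/2024:10:09:30 +0000] "GET /old/mysql.sql HTTP/1.1" 200 88 "-" "Mozilla/5.0"
'''

def audit(log_text, candidates, trusted_ips):
    """Count hits per candidate path and flag paths that look unsafe to auto-block."""
    report = {p: {"hits": 0, "trusted_hits": 0, "served": 0} for p in candidates}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        path = target.split("?", 1)[0]  # compare on the path, ignoring any query string
        row = report.get(path)
        if row is None:
            continue  # request for a path we are not auditing
        row["hits"] += 1
        row["trusted_hits"] += int(ip in trusted_ips)
        row["served"] += int(200 <= status < 400)  # the path exists or redirects
    for row in report.values():
        # Only block paths nobody trusted has requested and the server never served.
        row["safe_to_block"] = row["trusted_hits"] == 0 and row["served"] == 0
    return report

if __name__ == "__main__":
    for path, row in audit(SAMPLE_LOG, CANDIDATES, TRUSTED_IPS).items():
        print(path, row)
```

In the constructed log, /old/mysql.sql is flagged because a trusted address fetched it with a 200 response, which is the self-blocking case the reply warns about.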