WordPress 3.5 behind Naxsi Web Application Firewall
Hi,
I’m protecting my WordPress websites with an nginx plugin called “naxsi” https://code.google.com/p/naxsi/. That WAF matches on various known techniques in order to protect the website against SQL injections, traversals, CSS etc…
Naxsi is restrictive by default, and the user has to write his own whitelists if his website matches some core rules.
I’ve been working a couple of hours in order to have WordPress 3.5-ready naxsi rules, here they are:

$ cat naxsi.rules
SecRulesEnabled;
DeniedUrl "/denied";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

# WP website itself
BasicRule wl:1005 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1010 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1011 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1308 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1309 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1315 "mz:$HEADERS_VAR:cookie";

# WP login screen
BasicRule wl:1100 "mz:$ARGS_VAR:redirect_to";
BasicRule wl:1100 "mz:$BODY_VAR:redirect_to";

# WP backend
BasicRule wl:1000 "mz:URL|$URL:/wp/wp-admin/update-core.php";
BasicRule wl:1000 "mz:URL|$URL:/wp/wp-admin/update.php";
BasicRule wl:1000 "mz:$BODY_VAR:_wp_http_referer";
BasicRule wl:1000 "mz:$ARGS_VAR:action";

# load and load[] GET variable
BasicRule wl:1015 "mz:$ARGS_VAR:load";
BasicRule wl:1015 "mz:$ARGS_VAR:load[]";

# WP categories and add new
BasicRule wl:1310 "mz:URL|$URL:/wp/wp-admin/load-scripts.php|ARGS|NAME";
BasicRule wl:1311 "mz:URL|$URL:/wp/wp-admin/load-scripts.php|ARGS|NAME";

# end of rules
Hope this helps!
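As an added example, not part of the original post or of the naxsi project: the whitelists above are usually derived from the events naxsi writes to the nginx error log (the `NAXSI_FMT:` lines, which carry the rule id, the zone and the variable name that matched). The script below parses such lines, turns each hit into a `BasicRule wl:` line in the same form as the rule file above, and keeps only candidates seen from at least `min_clients` distinct client IPs, so that a single odd request does not become a permanent exception. The log lines, the hostname `blog.example`, the IPs and the paths are constructed for the example; the zone-to-`$ZONE_VAR` mapping and the `mz:URL|$URL:` form for URL-zone hits follow the rule file in the post.

```python
import re
from collections import defaultdict

# Constructed nginx error-log lines in naxsi's NAXSI_FMT layout (made-up host,
# IPs and paths; not copied from the original post).
SAMPLE_LOG = """\
2012/12/15 10:00:01 [error] 1234#0: *7 NAXSI_FMT: ip=192.0.2.10&server=blog.example&uri=/wp/wp-login.php&learning=0&vers=0.50&total_processed=40&total_blocked=3&block=1&cscore0=$RFI&score0=8&zone0=BODY&id0=1100&var_name0=redirect_to, client: 192.0.2.10, server: blog.example, request: "POST /wp/wp-login.php HTTP/1.1", host: "blog.example"
2012/12/15 10:00:05 [error] 1234#0: *8 NAXSI_FMT: ip=192.0.2.11&server=blog.example&uri=/wp/&learning=0&vers=0.50&total_processed=41&total_blocked=4&block=1&cscore0=$SQL&score0=8&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie, client: 192.0.2.11, server: blog.example, request: "GET /wp/ HTTP/1.1", host: "blog.example"
2012/12/15 10:00:09 [error] 1234#0: *9 NAXSI_FMT: ip=192.0.2.12&server=blog.example&uri=/wp/wp-admin/update-core.php&learning=0&vers=0.50&total_processed=42&total_blocked=5&block=1&cscore0=$SQL&score0=4&zone0=URL&id0=1000, client: 192.0.2.12, server: blog.example, request: "GET /wp/wp-admin/update-core.php HTTP/1.1", host: "blog.example"
2012/12/15 10:00:12 [error] 1234#0: *10 NAXSI_FMT: ip=192.0.2.13&server=blog.example&uri=/wp/wp-admin/&learning=0&vers=0.50&total_processed=43&total_blocked=6&block=1&cscore0=$SQL&score0=4&zone0=HEADERS&id0=1005&var_name0=cookie, client: 192.0.2.13, server: blog.example, request: "GET /wp/wp-admin/ HTTP/1.1", host: "blog.example"
"""

# Everything between "NAXSI_FMT: " and the ", client: " suffix nginx appends.
FMT_RE = re.compile(r"NAXSI_FMT: (?P<kv>.*?)(?:, client: |$)")

# naxsi match zones and the whitelist keyword that scopes a rule to one variable in them.
ZONE_TO_VAR = {"HEADERS": "$HEADERS_VAR", "ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR"}


def parse_naxsi_line(line):
    """Parse one NAXSI_FMT log line into {"ip", "uri", "matches"}; None if not a naxsi event.

    "matches" is a list of (rule_id, zone, var_name); var_name is "" for URL-zone hits,
    which carry no var_nameN field.
    """
    m = FMT_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split("&") if "=" in kv)
    matches = []
    n = 0
    while f"id{n}" in fields:  # id0/zone0/var_name0, id1/zone1/var_name1, ...
        matches.append((int(fields[f"id{n}"]), fields.get(f"zone{n}", ""), fields.get(f"var_name{n}", "")))
        n += 1
    return {"ip": fields.get("ip", ""), "uri": fields.get("uri", ""), "matches": matches}


def whitelist_for(rule_id, zone, var_name, uri):
    """Build the narrowest BasicRule whitelist this event supports, in the post's syntax."""
    if zone == "URL":
        # Rule fired on the path itself: whitelist it for that exact URL only.
        return f'BasicRule wl:{rule_id} "mz:URL|$URL:{uri}";'
    if zone in ZONE_TO_VAR and var_name:
        # Rule fired on a named header/argument/body field: scope to that variable.
        return f'BasicRule wl:{rule_id} "mz:{ZONE_TO_VAR[zone]}:{var_name}";'
    if zone in ZONE_TO_VAR:
        # Zone hit without a variable name: scope to the URL and the whole zone.
        return f'BasicRule wl:{rule_id} "mz:$URL:{uri}|{zone}";'
    return None  # unknown zone: do not guess a whitelist


def suggest_whitelists(log_text, min_clients=1):
    """Return sorted [(whitelist_line, distinct_client_count)] for candidates seen from
    at least min_clients different IPs. The threshold is a cheap learning heuristic:
    a false positive on a legitimate feature shows up from many visitors, a probe usually
    from one."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_naxsi_line(line)
        if not event:
            continue
        for rule_id, zone, var_name in event["matches"]:
            wl = whitelist_for(rule_id, zone, var_name, event["uri"])
            if wl:
                clients[wl].add(event["ip"])
    return sorted((wl, len(ips)) for wl, ips in clients.items() if len(ips) >= min_clients)


if __name__ == "__main__":
    for wl, count in suggest_whitelists(SAMPLE_LOG):
        print(f"{wl}  # seen from {count} client(s)")
```

The output is a list of candidates, not a finished rule file: each line still has to be checked against what the page actually does before it goes into `naxsi.rules`, and broad forms such as `wl:1000 "mz:$ARGS_VAR:action"` switch a rule off for that parameter on every URL, so the `$URL:`-scoped form is preferable wherever the hit is tied to one backend path.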