Wordpress


Jeff Chimene

May 3, 2023, 2:49:05 PM
to ossec-list
I'm trying to improve ossec WordPress rules.
I'd like to start a list of generic WordPress rules.
For example,
  • Alert level 5 when the HTTP method is POST, and the HTTP status is 4xx
    Rationale: This represents an attack in the WordPress environment as there should never be a 4xx result from a POST.
  • Alert level 5 when the HTTP method is GET, the URL is the WordPress root, and the HTTP status is 4xx
    Rationale: This represents an attack in the WordPress environment as there should never be a 4xx in the WordPress root directory.
    What's the PCRE for matching such URLs? E.g.
    /.env or /0000000.png
  • ???
I realize rules/wordpress_rules exists, but it doesn't work out of the box; it seems to want wpsyslog. For various reasons, I employ WordFence. I'd like to get that ruleset working w/ WordFence, but that's a different issue.

tia,
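
One way to prototype the two proposed conditions and a root-URL pattern against access log lines before writing them as OSSEC rules (an added example, not part of the original post or of OSSEC's ruleset). It assumes Apache/nginx combined log format; the rule names `post_4xx` and `get_root_4xx` are hypothetical and the sample lines are constructed.

```python
import re

# Combined access log line: client, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# PCRE-compatible pattern for a request target directly in the site root:
# leading slash, no further slash in the path, optional query string
# (a slash inside the query string does not count as a subdirectory).
ROOT_URL_RE = re.compile(r'^/[^/?#]*(?:\?.*)?$')


def classify(line):
    """Return the hypothetical rule name the line triggers, or None."""
    m = LOG_RE.match(line)
    if not m or not m['status'].startswith('4'):
        return None
    if m['method'] == 'POST':
        return 'post_4xx'
    if m['method'] == 'GET' and ROOT_URL_RE.match(m['url']):
        return 'get_root_4xx'
    return None


# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [03/May/2023:14:40:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [03/May/2023:14:40:02 +0000] "GET /0000000.png HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [03/May/2023:14:40:03 +0000] "GET /index.php?x=a/b HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.7 - - [03/May/2023:14:40:04 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.7 - - [03/May/2023:14:40:05 +0000] "GET /wp-content/uploads/x.jpg HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [03/May/2023:14:40:06 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [03/May/2023:14:40:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "-"',
]


def alerts(lines):
    """Return (rule, url) pairs for every line that matches a proposed rule."""
    hits = []
    for line in lines:
        rule = classify(line)
        if rule:
            hits.append((rule, LOG_RE.match(line)['url']))
    return hits


if __name__ == '__main__':
    for rule, url in alerts(SAMPLE):
        print(rule, url)
```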
