/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache
# ------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2026 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# ------------------------------------------------------
# Imunify360 ModSecurity Base Ruleset

# Overview (reviewer commentary; directives below are unchanged, one per line,
# chained rules indented under their chain starter):
#   * The rules watch WordPress login, password-reset and profile-update traffic.
#     Most only write an audit-log record (pass,nolog,auditlog); the "login
#     prevention" chains carry a redirect action instead.
#   * State is kept in ModSecurity persistent collections: IP (keyed by
#     tx.remote_addr) and SESSION (keyed by a value derived from the login name
#     plus the Host header). tx.remote_addr and tx.wp_user are not assigned in
#     this listing; presumably an earlier config file sets them (confirm).
#   * Every "compromised account" chain exists twice: one copy runs when
#     ENV:IMUNIFY360_COMPROMISED_REDIRECT_URL is empty (redirect to
#     imunify-alert.com) and one when it is non-empty (redirect to
#     https://<that value>, collection key suffixed with _ENV).
#   * The literal [____] is written into session.compromised_hash and
#     session.compromised_cookies after a password reset/change and is treated
#     by the other chains as "no longer flagged".
#
# Points a deployer should be aware of:
#   * session.compromised_cookies holds a full wordpress_logged_in_* cookie value
#     and session.compromised_hash holds an unsalted SHA-1 (hex) of the submitted
#     password, both for up to 172800 s. The persistent-collection store
#     (SecDataDir) should therefore be readable only by the web-server account.
#   * The collection key and the @rbl lookup string contain the Host request
#     header, which is client-supplied.
#   * The @rbl operators issue DNS queries to *.v2.rbl.imunify.com that contain
#     the value of tx.compromised_user (presumably SHA-1 hex of the login name
#     followed by the Host header; confirm what MATCHED_VAR holds after t:sha1).
#   * The redirect URLs interpolate REQUEST_HEADERS.Referer and REQUEST_URI as
#     received; no encoding transformation is applied to them in these rules.
#   * Audit-log messages include the submitted login name (ARGS.log) and the
#     last six characters of the auth cookie.
#   * Some chains test the method with "@rx POST" (unanchored) and others with
#     "^POST"; neither form is an exact match on the string POST.

# 33308: audit-log a successful WordPress login. Fires in the response-header
# phase when a POST is answered with a wordpress_logged_in_* Set-Cookie; keeps the
# last six word characters of the cookie value in tx.wp_cookie and sets two
# short-lived flags in the IP collection (wp_logged_in 600 s, wp_auto_install 5 s).
SecRule REQUEST_METHOD "^POST" "id:33308,chain,phase:3,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Successful WordPress login||Log:%{ARGS.log}||Time:%{TIME}||User:%{SCRIPT_USERNAME}||Script:%{SCRIPT_FILENAME}||WPU:%{TX.wp_user}||wp_cookie:%{tx.wp_cookie}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule RESPONSE_HEADERS:Set-Cookie "@rx wordpress_logged_in_[^=]+=[^;]+(\w{6});" "t:none,capture,setvar:tx.wp_cookie=%{tx.1},initcol:ip=%{tx.remote_addr},setvar:ip.wp_logged_in=1,expirevar:ip.wp_logged_in=600,setvar:ip.wp_auto_install=1,expirevar:ip.wp_auto_install=5"

# 77350142 (redirect-URL env empty): redirect a request outside wp-login.php whose
# wordpress_logged_in_* cookie equals the cookie stored for a flagged account.
# The text before the first "|" in the cookie is taken as the user name, hashed,
# and used (with the Host header) as the SESSION collection key.
SecRule REQUEST_COOKIES:/wordpress_logged_in_/ "@rx ^([^\|]+)\|" "id:77350142,chain,phase:2,nolog,auditlog,severity:5,t:none,t:urlDecode,capture,setvar:tx.log_cookie_name=%{TX.1},msg:'IM360 WAF: WordPress compromised account login prevention with cookie||WPU:%{TX.log_cookie_name}||Hash:%{tx.log_cookie_sha}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',redirect:%{SESSION.redirect_link},tag:'service_im360'"
    SecRule ENV:IMUNIFY360_COMPROMISED_REDIRECT_URL "@rx ^$" "chain,t:none"
    SecRule REQUEST_URI "!@contains /wp-login.php" "chain,t:none"
    SecRule TX:log_cookie_name "!@rx ^$" "chain,t:none,t:sha1,t:hexEncode,capture,setvar:tx.log_cookie_sha=%{MATCHED_VAR},initcol:session=%{MATCHED_VAR}.%{REQUEST_HEADERS.host}"
    SecRule &SESSION:compromised_cookies "@gt 0" "chain,t:none"
    SecRule REQUEST_COOKIES:/wordpress_logged_in_/ "@streq %{SESSION.compromised_cookies}" "t:none,t:urlDecode,setvar:session.timeout=172800"

# 77350143 (redirect-URL env empty): redirect a POST to wp-login.php when the
# account is already flagged and SHA-1(hex) of the submitted pwd equals the stored
# session.compromised_hash. The [____] marker and an empty hash are excluded.
SecRule REQUEST_METHOD "@rx POST" "id:77350143,chain,phase:2,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress compromised account login prevention||WPU:%{ARGS.log}||Hash:%{tx.log_sha}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',redirect:%{SESSION.redirect_link},tag:'service_im360'"
    SecRule ENV:IMUNIFY360_COMPROMISED_REDIRECT_URL "@rx ^$" "chain,t:none"
    SecRule REQUEST_FILENAME "@contains /wp-login.php" "chain,t:none"
    SecRule ARGS:log "!@rx ^$" "chain,t:none,t:urlDecode,t:sha1,t:hexEncode,capture,setvar:tx.log_sha=%{MATCHED_VAR},initcol:session=%{MATCHED_VAR}.%{REQUEST_HEADERS.host}"
    SecRule &SESSION:compromised_cookies "@gt 0" "chain,t:none"
    SecRule SESSION:compromised_hash "!@rx ^$|\[____\]" "chain,t:none"
    SecRule ARGS:pwd "@streq %{SESSION.compromised_hash}" "t:none,capture,t:sha1,t:hexEncode,setvar:session.timeout=172800"

# 77350144 (redirect-URL env empty): first-time flagging. For a wp-login.php POST
# on an account with no stored cookie yet, look tx.compromised_user up in the
# wp-compromised RBL zone (and require that the nxdomain zone does NOT list it).
# If the response then sets a wordpress_logged_in_* cookie, i.e. the login
# succeeded, store that cookie, the SHA-1 of the password and the redirect link in
# the SESSION collection and redirect to the vendor alert page.
# NOTE(review): Referer and REQUEST_URI go into the redirect URL unencoded.
SecRule REQUEST_METHOD "@rx POST" "id:77350144,chain,phase:3,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress compromised account login prevention with RBL||WPU:%{ARGS.log}||Hash:%{tx.log_sha}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',redirect:https://imunify-alert.com/compromised.html?SN=%{SERVER_NAME}&SP=%{SERVER_PORT}&RFR=%{REQUEST_HEADERS.Referer}&URI=%{REQUEST_URI}&cms_name=wordpress&content_title_type=compromised_account&version=1,tag:'service_im360'"
    SecRule ENV:IMUNIFY360_COMPROMISED_REDIRECT_URL "@rx ^$" "chain,t:none"
    SecRule REQUEST_FILENAME "@contains /wp-login.php" "chain,t:none"
    SecRule ARGS:log "!@rx ^$" "chain,t:none,t:urlDecode,capture,t:sha1,t:hexEncode,setvar:tx.log_sha=%{MATCHED_VAR},setvar:tx.compromised_user=%{MATCHED_VAR}.%{REQUEST_HEADERS.host},initcol:session=%{tx.compromised_user}"
    SecRule &SESSION:compromised_cookies "@eq 0" "chain,t:none,setvar:tx.rbl_perf=1"
    SecRule TX:compromised_user "@rbl wp-compromised.v2.rbl.imunify.com." "chain,t:none"
    SecRule TX:compromised_user "!@rbl nxdomain.v2.rbl.imunify.com." "chain,t:none"
    SecRule RESPONSE_HEADERS:set-cookie "@rx wordpress_logged_in_[^=]+=([^;]+);" "chain,t:none,t:urlDecode,capture,setvar:tx.auth_cookie=%{TX.1},setvar:session.compromised_cookies=%{TX.auth_cookie}"
    SecRule ARGS:pwd "!@rx ^$" "t:none,t:sha1,t:hexEncode,capture,setvar:session.compromised_hash=%{MATCHED_VAR},setvar:session.redirect_link=https://imunify-alert.com/compromised.html?SN=%{SERVER_NAME}&SP=%{SERVER_PORT}&RFR=%{REQUEST_HEADERS.Referer}&URI=%{REQUEST_URI}&cms_name=wordpress&content_title_type=compromised_account&version=1,setvar:session.timeout=172800"

# 77350528: same chain as 77350142, for the case where the redirect-URL env
# variable is set; the SESSION key carries the _ENV suffix.
SecRule REQUEST_COOKIES:/wordpress_logged_in_/ "@rx ^([^\|]+)\|" "id:77350528,chain,phase:2,nolog,auditlog,severity:5,t:none,t:urlDecode,capture,setvar:tx.log_cookie_name=%{TX.1},msg:'IM360 WAF: WordPress compromised account login prevention with cookie||WPU:%{TX.log_cookie_name}||Hash:%{tx.log_cookie_sha}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',redirect:%{SESSION.redirect_link},tag:'service_im360'"
    SecRule ENV:IMUNIFY360_COMPROMISED_REDIRECT_URL "!@rx ^$" "chain,t:none"
    SecRule REQUEST_URI "!@contains /wp-login.php" "chain,t:none"
    SecRule TX:log_cookie_name "!@rx ^$" "chain,t:none,t:sha1,t:hexEncode,capture,setvar:tx.log_cookie_sha=%{MATCHED_VAR},initcol:session=%{MATCHED_VAR}.%{REQUEST_HEADERS.host}_ENV"
    SecRule &SESSION:compromised_cookies "@gt 0" "chain,t:none"
    SecRule REQUEST_COOKIES:/wordpress_logged_in_/ "@streq %{SESSION.compromised_cookies}" "t:none,t:urlDecode,setvar:session.timeout=172800"

# 77350533: same chain as 77350143, env-set variant (_ENV collection key).
SecRule REQUEST_METHOD "@rx POST" "id:77350533,chain,phase:2,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress compromised account login prevention||WPU:%{ARGS.log}||Hash:%{tx.log_sha}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',redirect:%{SESSION.redirect_link},tag:'service_im360'"
    SecRule ENV:IMUNIFY360_COMPROMISED_REDIRECT_URL "!@rx ^$" "chain,t:none"
    SecRule REQUEST_FILENAME "@contains /wp-login.php" "chain,t:none"
    SecRule ARGS:log "!@rx ^$" "chain,t:none,t:urlDecode,t:sha1,t:hexEncode,capture,setvar:tx.log_sha=%{MATCHED_VAR},initcol:session=%{MATCHED_VAR}.%{REQUEST_HEADERS.host}_ENV"
    SecRule &SESSION:compromised_cookies "@gt 0" "chain,t:none"
    SecRule SESSION:compromised_hash "!@rx ^$|\[____\]" "chain,t:none"
    SecRule ARGS:pwd "@streq %{SESSION.compromised_hash}" "t:none,capture,t:sha1,t:hexEncode,setvar:session.timeout=172800"

# 77350529: same chain as 77350144, env-set variant. The redirect host is taken
# from env.IMUNIFY360_COMPROMISED_REDIRECT_URL, so whoever can set that variable
# decides where flagged users are sent. Where it is set is not visible in this
# file; it should be assignable by the server administrator only.
SecRule REQUEST_METHOD "@rx POST" "id:77350529,chain,phase:3,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress compromised account login prevention with RBL||WPU:%{ARGS.log}||Hash:%{tx.log_sha}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',redirect:https://%{env.IMUNIFY360_COMPROMISED_REDIRECT_URL}?SN=%{SERVER_NAME}&SP=%{SERVER_PORT}&RFR=%{REQUEST_HEADERS.Referer}&URI=%{REQUEST_URI}&cms_name=wordpress&content_title_type=compromised_account&version=1,tag:'service_im360'"
    SecRule ENV:IMUNIFY360_COMPROMISED_REDIRECT_URL "!@rx ^$" "chain,t:none"
    SecRule REQUEST_FILENAME "@contains /wp-login.php" "chain,t:none"
    SecRule ARGS:log "!@rx ^$" "chain,t:none,t:urlDecode,capture,t:sha1,t:hexEncode,setvar:tx.log_sha=%{MATCHED_VAR},setvar:tx.compromised_user=%{MATCHED_VAR}.%{REQUEST_HEADERS.host},initcol:session=%{tx.compromised_user}_ENV"
    SecRule &SESSION:compromised_cookies "@eq 0" "chain,t:none,setvar:tx.rbl_perf=1"
    SecRule TX:compromised_user "@rbl wp-compromised.v2.rbl.imunify.com." "chain,t:none"
    SecRule TX:compromised_user "!@rbl nxdomain.v2.rbl.imunify.com." "chain,t:none"
    SecRule RESPONSE_HEADERS:set-cookie "@rx wordpress_logged_in_[^=]+=([^;]+);" "chain,t:none,t:urlDecode,capture,setvar:tx.auth_cookie=%{TX.1},setvar:session.compromised_cookies=%{TX.auth_cookie}"
    SecRule ARGS:pwd "!@rx ^$" "t:none,t:sha1,t:hexEncode,capture,setvar:session.compromised_hash=%{MATCHED_VAR},setvar:session.redirect_link=https://%{env.IMUNIFY360_COMPROMISED_REDIRECT_URL}?SN=%{SERVER_NAME}&SP=%{SERVER_PORT}&RFR=%{REQUEST_HEADERS.Referer}&URI=%{REQUEST_URI}&cms_name=wordpress&content_title_type=compromised_account&version=1,setvar:session.timeout=172800"

# 77350145 (redirect-URL env empty): a flagged account completes the WordPress
# password-reset form (action=resetpass with a wp-resetpass-* cookie). The user
# name is the cookie text before the first ":"; the stored hash and cookie are
# overwritten with the [____] marker, which clears the flag.
SecRule REQUEST_METHOD "@rx POST" "id:77350145,chain,phase:3,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress compromised account successful password reset||WPU:%{tx.log_cookie_name}||Hash:%{tx.log_cookie_sha}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ENV:IMUNIFY360_COMPROMISED_REDIRECT_URL "@rx ^$" "chain,t:none"
    SecRule REQUEST_FILENAME "@contains /wp-login.php" "chain,t:none"
    SecRule ARGS:action "@streq resetpass" "chain,t:none"
    SecRule REQUEST_COOKIES:/wp-resetpass-/ "@rx ^([^:]+):" "chain,t:none,t:urlDecode,capture,setvar:tx.log_cookie_name=%{TX.1}"
    SecRule TX:log_cookie_name "!@rx ^$" "chain,t:none,t:urlDecode,t:sha1,t:hexEncode,capture,setvar:tx.log_cookie_sha=%{MATCHED_VAR},initcol:session=%{MATCHED_VAR}.%{REQUEST_HEADERS.host}"
    SecRule SESSION:compromised_hash "!@rx ^$|\[____\]" "t:none,t:normalizePath,setvar:session.compromised_hash=[____],setvar:session.compromised_cookies=[____],setvar:session.timeout=172800"

# 77350146 (redirect-URL env empty): a flagged account logs in successfully in a
# transaction where tx.auth_cookie was not set (so 77350144 did not flag it just
# now); the flag is cleared by writing the [____] marker.
# NOTE(review): in the last rule t:sha1,t:hexEncode apply to the variable
# SESSION:compromised_hash, while the operand %{ARGS.pwd} is expanded as submitted.
# 77350143 does the opposite (hashes ARGS:pwd, compares with the stored hash). As
# written the two sides appear to be in different forms, so this negated @streq
# would hold for practically any password; confirm this is intended.
SecRule REQUEST_METHOD "@rx POST" "id:77350146,chain,phase:3,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress compromised account password changed||WPU:%{ARGS.log}||Hash:%{tx.log_cookie_sha}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ENV:IMUNIFY360_COMPROMISED_REDIRECT_URL "@rx ^$" "chain,t:none"
    SecRule &TX:auth_cookie "@eq 0" "chain,t:none"
    SecRule REQUEST_FILENAME "@contains /wp-login.php" "chain,t:none"
    SecRule RESPONSE_HEADERS:set-cookie "@rx wordpress_logged_in_[^=]+=([^;]+);" "chain,t:none,t:urlDecode"
    SecRule ARGS:log "!@rx ^$" "chain,t:none,t:urlDecode,t:sha1,t:hexEncode,capture,setvar:tx.log_cookie_sha=%{MATCHED_VAR},initcol:session=%{MATCHED_VAR}.%{REQUEST_HEADERS.host}"
    SecRule SESSION:compromised_hash "!@rx ^$|\[____\]" "chain,t:none"
    SecRule SESSION:compromised_hash "!@streq %{ARGS.pwd}" "t:none,t:sha1,t:hexEncode,capture,setvar:session.compromised_hash=[____],setvar:session.compromised_cookies=[____],setvar:session.timeout=172800"

# 77350534: same chain as 77350145, env-set variant (_ENV collection key).
SecRule REQUEST_METHOD "@rx POST" "id:77350534,chain,phase:3,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress compromised account successful password reset||WPU:%{tx.log_cookie_name}||Hash:%{tx.log_cookie_sha}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ENV:IMUNIFY360_COMPROMISED_REDIRECT_URL "!@rx ^$" "chain,t:none"
    SecRule REQUEST_FILENAME "@contains /wp-login.php" "chain,t:none"
    SecRule ARGS:action "@streq resetpass" "chain,t:none"
    SecRule REQUEST_COOKIES:/wp-resetpass-/ "@rx ^([^:]+):" "chain,t:none,t:urlDecode,capture,setvar:tx.log_cookie_name=%{TX.1}"
    SecRule TX:log_cookie_name "!@rx ^$" "chain,t:none,t:urlDecode,t:sha1,t:hexEncode,capture,setvar:tx.log_cookie_sha=%{MATCHED_VAR},initcol:session=%{MATCHED_VAR}.%{REQUEST_HEADERS.host}_ENV"
    SecRule SESSION:compromised_hash "!@rx ^$|\[____\]" "t:none,t:normalizePath,setvar:session.compromised_hash=[____],setvar:session.compromised_cookies=[____],setvar:session.timeout=172800"

# 77350535: same chain as 77350146, env-set variant; the same review note about
# which side of the final comparison is hashed applies here.
SecRule REQUEST_METHOD "@rx POST" "id:77350535,chain,phase:3,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress compromised account password changed||WPU:%{ARGS.log}||Hash:%{tx.log_cookie_sha}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule ENV:IMUNIFY360_COMPROMISED_REDIRECT_URL "!@rx ^$" "chain,t:none"
    SecRule &TX:auth_cookie "@eq 0" "chain,t:none"
    SecRule REQUEST_FILENAME "@contains /wp-login.php" "chain,t:none"
    SecRule RESPONSE_HEADERS:set-cookie "@rx wordpress_logged_in_[^=]+=([^;]+);" "chain,t:none,t:urlDecode"
    SecRule ARGS:log "!@rx ^$" "chain,t:none,t:urlDecode,t:sha1,t:hexEncode,capture,setvar:tx.log_cookie_sha=%{MATCHED_VAR},initcol:session=%{MATCHED_VAR}.%{REQUEST_HEADERS.host}_ENV"
    SecRule SESSION:compromised_hash "!@rx ^$|\[____\]" "chain,t:none"
    SecRule SESSION:compromised_hash "!@streq %{ARGS.pwd}" "t:none,t:sha1,t:hexEncode,capture,setvar:session.compromised_hash=[____],setvar:session.compromised_cookies=[____],setvar:session.timeout=172800"

# 77350156: logging-phase record of any password-reset POST to wp-login.php,
# whether or not the account was flagged (no SESSION or env conditions).
SecRule REQUEST_METHOD "@rx POST" "id:77350156,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: WordPress account successful password reset||WPU:%{tx.log_cookie_name}||User:%{SCRIPT_USERNAME}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule REQUEST_FILENAME "@contains /wp-login.php" "chain,t:none"
    SecRule ARGS:action "@streq resetpass" "chain,t:none"
    SecRule REQUEST_COOKIES:/wp-resetpass-/ "@rx ^([^:]+):" "t:none,t:urlDecode,capture,setvar:tx.log_cookie_name=%{TX.1}"

# 77350304: logging-phase record emitted when tx.wp_cookie exists (set by 33308)
# and session.compromised_cookies has at least six characters.
# NOTE(review): capture and setvar:tx.sess_cookie=%{tx.1} sit on the chain starter,
# whose pattern has no capture group, while the (.{6})$ group is on the last rule,
# which has no capture action. tx.sess_cookie may therefore not hold the six-character
# suffix the message labels as "Cookie hash"; confirm.
SecRule REQUEST_METHOD "@rx ^POST" "id:77350304,chain,phase:5,pass,nolog,auditlog,severity:5,t:none,capture,setvar:tx.sess_cookie=%{tx.1},msg:'IM360 WAF: WordPress session state track||WPU:%{tx.wp_user}||Cookie hash:%{TX.sess_cookie}|%{TX.wp_cookie}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule &TX:wp_cookie "@gt 0" "chain,t:none"
    SecRule SESSION:compromised_cookies "@rx (.{6})$" "t:none"

# 77350326: audit-log a password update made from the profile pages: a POST to
# user-edit.php or profile.php that is answered with 302, carries a
# wordpress_logged_in_* cookie and has non-empty pass1 and pass2.
# The Name and Log fields of the message are both filled from ARGS.nickname.
SecRule REQUEST_METHOD "^POST" "id:77350326,chain,phase:3,pass,nolog,auditlog,severity:5,t:none,msg:'IM360 WAF: Successful WordPress user password update||Name:%{ARGS.nickname}||Log:%{ARGS.nickname}||User:%{SCRIPT_USERNAME}||WPU:%{TX.wp_user}||wp_cookie:%{tx.wp_cookie}||RSV:8.02||T:APACHE||',tag:'service_im360',tag:'noshow'"
    SecRule RESPONSE_STATUS "@streq 302" "chain,t:none"
    SecRule REQUEST_BASENAME "@rx (user-edit|profile)\.php$" "chain,t:none"
    SecRule REQUEST_HEADERS:Cookie "@rx wordpress_logged_in_[^=]+=[^;]+\w{6};" "chain,t:none"
    SecRule ARGS:pass1 "!@rx ^$" "chain,t:none"
    SecRule ARGS:pass2 "!@rx ^$" "t:none"