
Mitigation Rules

The Mitigation → Rules section configures the automatic IP blocking system based on behavior detected by security alerts. Its goal is to proactively protect your WordPress sites by automatically blocking malicious IPs before they can cause damage.

The system includes 8 mitigation rule types based on different threats. Each rule can be configured individually:

1. Brute Force Attacks

  • Description: multiple failed login attempts from the same IP.
  • Default configuration:
    • Threshold: 5 attempts
    • Block duration: 1 hour
    • Minimum severity: Medium
  • Recommended use: enable to protect against password guessing.

2. Successful Login After Brute Force (brute_force_breach)

  • Description: successful login after multiple failed attempts.
  • Default configuration:
    • Threshold: 1 attempt
    • Block duration: 24 hours
    • Minimum severity: Critical
  • Recommended use: enable to detect compromised credentials.

3. PHP File Upload

  • Description: attempt to upload potentially malicious PHP files.
  • Default configuration:
    • Threshold: 1 attempt
    • Block duration: 7 days
    • Minimum severity: Critical
  • Recommended use: high priority; indicates an attempt to inject backdoors.

4. Suspicious SQL Queries (suspicious_query)

  • Description: database queries with SQL injection patterns.
  • Default configuration:
    • Threshold: 3 attempts
    • Block duration: 6 hours
    • Minimum severity: High
  • Recommended use: enable to help prevent SQLi attacks.

5. Vulnerability Scanner (scanner_detected)

  • Description: automated tools scanning for vulnerabilities.
  • Default configuration:
    • Threshold: 1 attempt
    • Block duration: 24 hours
    • Minimum severity: Medium
  • Recommended use: blocks bots looking for vulnerabilities.

6. XML-RPC Attacks

  • Description: abuse of the WordPress XML-RPC protocol.
  • Default configuration:
    • Threshold: 3 attempts
    • Block duration: 24 hours
    • Minimum severity: High
  • Recommended use: enable if XML-RPC is not used legitimately.

7. User Manipulation

  • Description: creation or modification of user accounts.
  • Default configuration:
    • Threshold: 1 attempt
    • Block duration: 1 hour
    • Minimum severity: Medium

!!! warning "Warning"
    This alert can be generated by legitimate administrators. It is recommended not to enable automatic blocking for this rule unless all administrator IPs are added to the whitelist.

8. File Editor Usage

  • Description: use of the WordPress file/theme editor.
  • Default configuration:
    • Threshold: 2 attempts
    • Block duration: 1 hour
    • Minimum severity: Medium

!!! warning "Warning"
    This alert can be generated by legitimate administrators. It is recommended not to enable automatic blocking for this rule unless all developer/admin IPs are added to the whitelist.

Each rule allows 4 parameters:

Enabled

  • Switch to enable or disable the rule.
  • By default, all rules are disabled.

Threshold

  • Number of events required before blocking the IP.
  • Range: 1–50 attempts.
  • Example: if threshold = 5, the block happens after the 5th attempt.

Block duration

  • 15 minutes
  • 30 minutes
  • 1 hour
  • 6 hours
  • 24 hours
  • 7 days
  • 30 days
  • Permanent, until manual unblock

Minimum severity

| Level    | Color |
| -------- | ----- |
| Low      | 🟢    |
| Medium   | 🟡    |
| High     | 🟠    |
| Critical | 🔴    |

Only events with severity equal to or higher than the configured level are blocked.

  • Rules synchronize automatically with the WordPress plugin every 24 hours.
  • To apply changes immediately:
    1. Open the WordPress plugin.
    2. Go to Mitigation.
    3. Click “Sync Configuration Now”.

How an alert is evaluated against its rule:

```text
Alert detected → Rule enabled?
├─ No → Log only
└─ Yes → Severity high enough?
   ├─ No → Log only
   └─ Yes → Threshold reached?
      ├─ No → Increment counter
      └─ Yes → Block IP automatically
         → Apply configured duration
         → Record in mitigation logs
```
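The four rule parameters and the decision flow above, worked through in an added Python example. This is not the plugin's or the dashboard's own code; it transcribes the eight default configurations from this page and assumes that rules are keyed by their display names, that whitelisted IPs are exempt from automatic blocking, and that the per-IP counter resets once a block is issued. The IP addresses and timestamps in the scenario are constructed sample data.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Severity levels in the order the page lists them: Low < Medium < High < Critical.
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Block durations offered by the page; None stands for "Permanent, until manual unblock".
DURATIONS: Dict[str, Optional[timedelta]] = {
    "15 minutes": timedelta(minutes=15), "30 minutes": timedelta(minutes=30),
    "1 hour": timedelta(hours=1), "6 hours": timedelta(hours=6), "24 hours": timedelta(hours=24),
    "7 days": timedelta(days=7), "30 days": timedelta(days=30), "Permanent": None,
}


@dataclass
class Rule:
    """The four parameters every mitigation rule exposes."""
    threshold: int             # events required before blocking (1-50)
    duration: str              # a DURATIONS key
    min_severity: str          # a SEVERITY_RANK key
    enabled: bool = False      # all rules are disabled by default

    def __post_init__(self) -> None:
        if not 1 <= self.threshold <= 50:
            raise ValueError("threshold must be between 1 and 50")
        if self.duration not in DURATIONS or self.min_severity not in SEVERITY_RANK:
            raise ValueError("unknown block duration or severity")


# Default configuration of the eight rule types, keyed by display name (the keying is an assumption).
DEFAULT_RULES: Dict[str, Rule] = {
    "Brute Force Attacks": Rule(5, "1 hour", "Medium"),
    "Successful Login After Brute Force": Rule(1, "24 hours", "Critical"),
    "PHP File Upload": Rule(1, "7 days", "Critical"),
    "Suspicious SQL Queries": Rule(3, "6 hours", "High"),
    "Vulnerability Scanner": Rule(1, "24 hours", "Medium"),
    "XML-RPC Attacks": Rule(3, "24 hours", "High"),
    "User Manipulation": Rule(1, "1 hour", "Medium"),
    "File Editor Usage": Rule(2, "1 hour", "Medium"),
}


@dataclass
class Alert:
    rule: str        # display name of the rule type that raised the alert
    ip: str          # source IP of the event
    severity: str    # Low / Medium / High / Critical
    at: datetime     # when the event happened


class MitigationEngine:
    """Walks the decision tree: rule enabled? -> severity high enough? -> threshold reached? -> block."""

    def __init__(self, rules: Dict[str, Rule], whitelist: Tuple[str, ...] = ()) -> None:
        self.rules = rules
        self.whitelist = set(whitelist)                  # trusted IPs are never auto-blocked (assumption)
        self.counters: Dict[Tuple[str, str], int] = {}   # (rule, ip) -> qualifying events seen so far
        self.blocks: Dict[str, Optional[datetime]] = {}  # ip -> expiry; None means permanent
        self.logs: List[str] = []                        # mitigation log entries

    def is_blocked(self, ip: str, now: datetime) -> bool:
        if ip not in self.blocks:
            return False
        expiry = self.blocks[ip]
        return expiry is None or now < expiry

    def handle(self, alert: Alert) -> str:
        """Return 'log', 'count' or 'block' for one alert."""
        rule = self.rules[alert.rule]
        if alert.ip in self.whitelist or not rule.enabled:
            return "log"                                 # log only
        if SEVERITY_RANK[alert.severity] < SEVERITY_RANK[rule.min_severity]:
            return "log"                                 # below the configured minimum severity
        key = (alert.rule, alert.ip)
        self.counters[key] = self.counters.get(key, 0) + 1
        if self.counters[key] < rule.threshold:
            return "count"                               # increment counter, no block yet
        # Threshold reached: block for the configured duration and record it in the logs.
        span = DURATIONS[rule.duration]
        self.blocks[alert.ip] = None if span is None else alert.at + span
        self.counters.pop(key, None)                     # counter resets once a block is issued (assumption)
        self.logs.append(f"{alert.at.isoformat()} blocked {alert.ip} via {alert.rule} for {rule.duration}")
        return "block"


T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed reference time for the scenario below


def run_brute_force_scenario() -> Dict[str, object]:
    """Constructed sample: brute-force rule enabled with its defaults, one attacker IP, one whitelisted admin IP."""
    rules = {name: replace(r) for name, r in DEFAULT_RULES.items()}
    rules["Brute Force Attacks"].enabled = True
    engine = MitigationEngine(rules, whitelist=("198.51.100.10",))
    attacker, admin = "203.0.113.7", "198.51.100.10"

    def hits(ip: str) -> List[str]:  # five failed logins from one IP, one second apart
        return [engine.handle(Alert("Brute Force Attacks", ip, "Medium", T0 + timedelta(seconds=i))) for i in range(5)]

    return {
        "attacker": hits(attacker),     # four 'count' decisions, then 'block' on the 5th attempt
        "admin": hits(admin),           # whitelisted: 'log' every time
        "low_severity": engine.handle(Alert("Brute Force Attacks", "203.0.113.8", "Low", T0)),   # 'log'
        "disabled_rule": engine.handle(Alert("PHP File Upload", "203.0.113.9", "Critical", T0)),  # 'log'
        "blocked_after_30m": engine.is_blocked(attacker, T0 + timedelta(minutes=30)),  # True (1 hour block)
        "blocked_after_2h": engine.is_blocked(attacker, T0 + timedelta(hours=2)),      # False (block expired)
        "log_count": len(engine.logs),  # 1
    }
```

The counter is kept per (rule, IP) pair, so three suspicious queries and two failed logins from the same address do not add up to a block under either rule; that matches the threshold being a per-rule parameter. Expiry is checked lazily in `is_blocked`, which is how a "Permanent" entry (expiry `None`) stays in force until someone removes it from `blocks` by hand.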

Safer rules to enable:

  • Brute Force Attacks
  • Successful Login After Brute Force
  • PHP File Upload
  • Suspicious SQL Queries
  • Vulnerability Scanner
  • XML-RPC Attacks

Rules that require caution:

  • User Manipulation: add administrator IPs to the whitelist before enabling.
  • File Editor Usage: add developer/admin IPs to the whitelist before enabling.

Recommended strategy:

  1. Start by enabling external-threat rules: brute force, SQL injection, scanners.
  2. Configure a whitelist with trusted IPs such as office or VPN addresses.
  3. Gradually enable administrative-activity rules.
  4. Monitor the mitigation dashboard regularly.