# Vercel Firewall rules to deny bot attacks

270 views · 10 likes · 6 posts


Earl (@earlrobb) · 2024-11-08 · ♥ 4

Have a small hobby Next.js 14 site. Sorting data I found 40,000 monthly 404's in the Vercel **Usage** tab. Looking at the **Top Paths** it's obvious the site is being hit by bots trying to attack PHP files and WordPress directories. I have neither on the site.

I am new to firewall management and was wondering if I could get some tips or improvements on what I have done?

In **Firewall Rules** I have created 2 rules.

- RequestPath -> MatchesExpression -> `\.php$|\.php7$|\.aspx$`
- RequestPath -> MatchesExpression -> `(wp-content|wp-admin|wp-login|wp_content|wp_login|wp_admin|cgi-bin|wp-includes|wp_includes|wp-trackback|wp-feed)`

I did it this way because I noticed some bots were requesting /wp-content/ in the path without the php extension. Doing this I am able to deny approximately 1,000 requests a day.

I am asking for feedback on what to block because on the hobby plan I can only see the top 1,000 paths in the Usage tab. I don't think there is any way for me to see a day's worth of logs to look for attack vectors. The first 1,000 Top Paths is always flooded with PHP attacks because even though I am denying the requests they are still logged into Top Paths.

Essentially, I cannot identify any attack vectors beyond PHP/WordPress-based attacks to block.

Are there other attack vectors I should consider denying? I denied the .aspx extension in the rules because, I thought, surely there are bots attacking that extension. I have never seen it in the top paths though.

Thx,
earl


Har (@harryyaprakov) · 2024-11-21 · ♥ 2

Thank you for the suggestion to use these rules!

I have also been experiencing the same thing for more than a month.
WordPress, PHP and other probing requests in the thousands daily for multiple of my projects.

I tried setting up the Attack Mode to see if it will help.

I also found that some requests are for .sql and .env
Will update if I find more.
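
Added example (not from any poster and not Vercel's code): the two expressions from the first post run over constructed sample paths, to show which requests they deny, that the `.sql` and `.env` probe types mentioned in the reply above pass through, and that the unanchored directory rule also catches a legitimate-looking slug. It assumes the firewall evaluates the expression as an unanchored regex search over the request path; the rule names, sample paths and function names are hypothetical.

```javascript
// Added example: evaluates the thread's two path expressions with JavaScript RegExp.
// Assumption: "MatchesExpression" behaves like an unanchored regex search over the
// request path (query string excluded). Rule names here are hypothetical labels.
const RULES = [
  { name: "script-extensions", re: /\.php$|\.php7$|\.aspx$/ },
  {
    name: "wordpress-dirs",
    re: /(wp-content|wp-admin|wp-login|wp_content|wp_login|wp_admin|cgi-bin|wp-includes|wp_includes|wp-trackback|wp-feed)/,
  },
];

// Constructed sample paths: probes of the kinds described in the thread, plus
// paths a small Next.js site could legitimately serve.
const SAMPLE_PATHS = [
  "/wp-login.php",
  "/wp-content/plugins/",
  "/xmlrpc.php",
  "/backup.sql",
  "/.env",
  "/blog/moving-off-wp-admin",
  "/blog/php-vs-node",
  "/",
];

// Returns the name of the first rule that matches, or null when the path passes.
function firstMatchingRule(path, rules = RULES) {
  const hit = rules.find((r) => r.re.test(path));
  return hit ? hit.name : null;
}

// Splits paths into denied (mapped to the rule responsible) and allowed.
function classify(paths, rules = RULES) {
  const denied = {};
  const allowed = [];
  for (const p of paths) {
    const rule = firstMatchingRule(p, rules);
    if (rule) denied[p] = rule;
    else allowed.push(p);
  }
  return { denied, allowed };
}

const report = classify(SAMPLE_PATHS);
console.log(report);
```

Running a list of the site's real routes through `classify` before saving a rule shows whether any of them would be denied by it.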


Aflah V P (@mysr-io) · 2024-11-21 · ♥ 1

I had a similar experience where bots were repeatedly hitting my website multiple times a day, assuming it was built with PHP or WordPress.


Earl (@earlrobb) · 2024-11-25 · ♥ 1

Glad they could be of help. It's been a little over a month since I started blocking the PHP requests. The past few days have been really quiet, like 5 denied requests a day as opposed to 2,000.


Aflah V P (@mysr-io) · 2024-11-28

@earlrobb did you add any new rules?


Amy Egan (@amyegan) · 2025-04-28 · ♥ 2

We now have a new [Bot Protection](https://vercel.com/docs/bot-protection#bot-filter-managed-ruleset) feature and [Vercel Firewall templates](https://vercel.com/templates/vercel-firewall) to help with this.

The new bot filter managed ruleset is currently in beta, so please share your experience in the feedback thread if you give it a try 🙂

https://community.vercel.com/t/feedback-thread-for-bot-filter-public-beta/9174