Tags: apache, mod-rewrite, firewall, mod-security, mod-security2

ModSecurity Block invalid host referer


I need a rule to block all POST requests to wp-login.php, but I need to check whether the referer domain is equal to the requested domain name.
We need to check the following:

  1. check for requested domain value (example: sitename1.com)
  2. check for referer domain value (example: sitename1.com)
  3. if requested domain is equal to referer domain
  4. if request is POST
  5. if requested file is wp-login.php

I have the following code to check the referer, but I need to check the domain in the referer too:

# Block WP logins with no referring URL
<LocationMatch "/wp-login.php">
    # Chain: both rules must match before the deny on the first rule is applied.
    # phase:2 is the default; the container has been matched by then.
    SecRule REQUEST_METHOD "@streq POST" "id:5000130,phase:2,t:none,deny,status:401,chain,msg:'wp-login request blocked, no referer'"
    # HTTP_REFERER is not a ModSecurity variable; request headers are in REQUEST_HEADERS.
    # &REQUEST_HEADERS:Referer counts the header instances, so @eq 0 means "no Referer at all".
    SecRule &REQUEST_HEADERS:Referer "@eq 0"
</LocationMatch>

In this case I can check the visitor completely and ensure he is a human. I'd appreciate any help.


Solution

  • I'm not sure I understand your question, but maybe this chained rule will help you:

    # Deny a POST to /wp-login.php whose Referer is not an http(s) URL on the
    # requested Host. Disruptive actions and metadata go on the first rule of the
    # chain; they are applied only when every rule in the chain matches.
    SecRule REQUEST_METHOD "@streq POST" \
        "id:5000130,\
        phase:1,\
        t:none,\
        deny,\
        status:401,\
        chain,\
        msg:'wp-login POST blocked, Referer host does not match Host'"
        SecRule REQUEST_URI "@beginsWith /wp-login.php" "chain"
            # the Referer must exist, otherwise there is nothing to compare
            SecRule &REQUEST_HEADERS:Referer "!@eq 0" "chain"
                # capture the whole Host header (including any :port), lowercased,
                # into tx.request_host; the chain stops here if Host is absent
                SecRule REQUEST_HEADERS:Host "@rx ^(.+)$" \
                    "t:none,t:lowercase,capture,setvar:tx.request_host=%{TX.1},chain"
                    # a Referer URL is never string-equal to a bare host, so test the
                    # prefix instead: both negated checks must hold, i.e. the Referer
                    # starts with neither http://<host>/ nor https://<host>/. The
                    # trailing slash stops look-alikes such as sitename1.com.evil.com.
                    SecRule REQUEST_HEADERS:Referer "!@beginsWith http://%{tx.request_host}/" \
                        "t:none,t:lowercase,chain"
                        SecRule REQUEST_HEADERS:Referer "!@beginsWith https://%{tx.request_host}/" \
                            "t:none,t:lowercase"
    

    Please keep in mind:

    • this chained rule works only if the Referer header is set
    • the Host header must also exist

    Maybe you need another chained rule, which checks for the existence of the Referer header if the URI is /wp-login, but I think that based on the rule above you can produce it.
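The five checks the question enumerates (request host, referer host, equality, POST, wp-login.php) are easy to get subtly wrong: a Referer is a full URL, so it never string-equals a Host header, hostnames compare case-insensitively, Host may carry a port, and a prefix check without a terminating `/` lets `sitename1.com.evil.example` pass. The following is an added example, not code from the question or the answer: a Python model of that decision logic, so the allow/deny outcome can be checked offline against constructed requests before the ModSecurity rules are deployed. It does not run ModSecurity; the `wp_login_decision` and `same_host_referer` names and the sample requests are this example's own.

```python
"""Offline model of the wp-login.php Referer/Host check.

Added example, not code from the original question or answer. It reproduces
the decision logic in Python so the accept/deny outcome can be verified for
constructed requests; it does not execute ModSecurity itself.
"""
from typing import Mapping

TARGET = "/wp-login.php"


def same_host_referer(referer: str, host: str) -> bool:
    """True when the Referer is an http(s) URL whose authority is exactly `host`.

    Both values are lowercased (hostnames are case-insensitive). `host` is the
    full Host header, port included, so a site on a non-default port matches
    a Referer that carries the same port. Requiring the trailing slash is what
    stops look-alike authorities such as sitename1.com.evil.example.
    """
    ref = referer.lower()
    h = host.lower()
    return ref.startswith(f"http://{h}/") or ref.startswith(f"https://{h}/")


def wp_login_decision(method: str, uri: str, headers: Mapping[str, str]) -> str:
    """Return 'allow' or a 'deny: ...' reason for one request.

    Header names are matched case-insensitively, as REQUEST_HEADERS does.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method != "POST" or not uri.startswith(TARGET):
        return "allow"                        # the checks do not apply
    referer = hdrs.get("referer")
    host = hdrs.get("host")
    if referer is None:
        return "deny: no referer"             # nothing to compare against Host
    if not host:
        return "allow"                        # no Host to compare with; left to the server
    if not same_host_referer(referer, host):
        return "deny: referer not on request host"
    return "allow"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("GET",  "/wp-login.php", {"Host": "sitename1.com"}),
    ("POST", "/wp-login.php", {"Host": "sitename1.com"}),
    ("POST", "/wp-login.php", {"Host": "sitename1.com",
                               "Referer": "https://sitename1.com/wp-login.php"}),
    ("POST", "/wp-login.php?action=lostpassword", {"Host": "Sitename1.COM",
                                                   "Referer": "http://sitename1.com/"}),
    ("POST", "/wp-login.php", {"Host": "sitename1.com:8080",
                               "Referer": "http://sitename1.com:8080/wp-login.php"}),
    ("POST", "/wp-login.php", {"Host": "sitename1.com",
                               "Referer": "https://attacker.example/login"}),
    ("POST", "/wp-login.php", {"Host": "sitename1.com",
                               "Referer": "http://sitename1.com.evil.example/"}),
    ("POST", "/wp-login.php", {"Host": "sitename1.com", "Referer": "not a url"}),
    ("POST", "/wp-admin/admin-ajax.php", {"Host": "sitename1.com",
                                          "Referer": "https://attacker.example/"}),
]


def run_samples() -> list:
    """Evaluate every sample and return (method, uri, decision) tuples."""
    return [(m, u, wp_login_decision(m, u, h)) for m, u, h in SAMPLES]


if __name__ == "__main__":
    for method, uri, decision in run_samples():
        print(f"{method:4} {uri:40} -> {decision}")
```

The Referer header is supplied by the client, so a check like this filters scripts that omit or mis-set it; it does not prove that a human is behind the request, and any tool that copies a browser's headers passes it.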