config/payloads.conf

# Known attack payload regex patterns
# One pattern per line, these are checked against request parameters and user input
# Lines starting with # are comments

# XSS attack patterns
# Pattern for alert/prompt/confirm execution
/(?:<|%3C|&lt;)(?:script|iframe|svg|img|a).*?(?:alert|prompt|confirm|eval)\s*\(.*?\)/i
# Pattern for script injection
/(?:<|%3C|&lt;)script.*?(?:>|%3E|&gt;)/i
# Pattern for event handlers like onerror, onload, etc.
/\bon(?:error|load|click|mouseover|focus|blur)\s*=\s*["']?(?:alert|prompt|confirm|eval)/i
# Pattern for javascript: protocol
/javascript\s*:\s*(?:alert|prompt|confirm|eval)/i
# Pattern for data URI scheme with script
/data\s*:\s*(?:text|application)\/(?:javascript|html).*?base64/i

# SQL Injection patterns
# Pattern for basic SQL injection attempts
/(?:'\s*OR\s*'[\w\d]+'?\s*=\s*'[\w\d]+)|(?:"\s*OR\s*"[\w\d]+"?\s*=\s*"[\w\d]+")/i
# Pattern for SQL comments
/(?:--|#|\/\*)[^\w\d]*(?:union|select|insert|update|delete|drop|alter)/i
# Pattern for UNION SELECT attempts
/union\s+(?:all\s+)?select/i
# Pattern for SQL batch commands
/;\s*(?:drop|alter|create|truncate|rename|insert|update|delete)/i

# Remote file inclusion patterns
# Pattern for external URL inclusion
/(?:https?|ftp|php|data|file):\/\/[^\s\n"')>]+/i
# Pattern for directory traversal
/(?:\.\.\/|\.\.\\|\.\.\%2f|\.\.\%5c)[^\s\n"')>]+/i
# Pattern for PHP wrapper usage
/php:\/\/(?:filter|input|memory|output|temp)/i

# Command injection patterns
# Pattern for shell command execution
/[;&|`]\s*(?:ls|cat|cd|pwd|echo|rm|cp|mv|sudo|chmod|chown|wget|curl)/i
# Pattern for command substitution
/\$\([^\)]*\)|`[^`]*`/i
# Pattern for direct system command injection
/system\s*\(|exec\s*\(|shell_exec\s*\(|passthru\s*\(|eval\s*\(/i

# Local file inclusion patterns
# Pattern for path traversal
/(?:\/|\\|\.\.|%2f|%5c)(?:etc|bin|usr|home|var|root|windows|system32)/i
# Pattern for sensitive file access
/(?:\/|\\|\.\.|%2f|%5c)(?:passwd|shadow|hosts|config|wp-config|web\.config)/i

# XML/XXE injection patterns
/<!(?:DOCTYPE|ENTITY)[\s\S]*?(?:SYSTEM|PUBLIC)[\s\S]*?["']/i

# CSRF token extraction
/(?:csrf|xsrf|token|auth)["']?\s*[:=]\s*["']?[a-zA-Z0-9_-]+/i

# Serialization attacks
/[ORCo]:[0-9]+:/i

# General suspicious patterns
# Pattern for base64 encoded payloads
/(?:[A-Za-z0-9+\/]{20,}={0,2})/
# Pattern for hex encoded payloads
/(?:0x[A-Fa-f0-9]{10,})/
# Pattern for URL encoded characters sequence
/(?:%[0-9A-Fa-f]{2}){8,}/
# Pattern for large number of special characters
/[!@#$%^&*()_+\-=\[\]{}|;':",./<>?]{10,}/
feat: initial InformatiQ Toolkit plugin Merges informatiq-wp-secure + informatiq-utils + HoneypotFields into a single unified plugin with the following improvements: - Fixed deactivation bug: all protection methods now guard themselves with their own option check so toggling off via AJAX takes effect immediately without any hook re-registration. - Added rate-limiting for good/legitimate bots (Googlebot, Bingbot, DuckDuckBot, Yandex, etc.) via transient sliding-window counters; configurable per-bot limits in goodbots.conf (BotName\|req/min); returns HTTP 429 with Retry-After: 60 when over limit. - Unified MySQL-backed logging (itk_bot_log + itk_honeypot_log tables) replaces the old wp_options-based 100-entry cap. - New Dashboard tab with terminal-style bot activity monitor: total blocked, today's count, rate-limited hits, top threat sources (bar chart), top IPs, top honeypot form types, active-module status panel. - All optimizations from utils.php merged into Optimization tab as toggleable settings (was always-on before). - Single admin page (Settings → InformatiQ Toolkit) with 8 tabs: Dashboard \| Bot Blocker \| Protection \| Optimization \| Honeypot \| Bot Logs \| Honeypot Logs \| Config Files. - Config file editor for badbots.conf, goodbots.conf, referrers.conf, networks.conf, allowed-ips.conf with AJAX save and transient flush. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-09 11:45:26 +02:00			`# Known attack payload regex patterns`
			`# One pattern per line, these are checked against request parameters and user input`
			`# Lines starting with # are comments`

			`# XSS attack patterns`
			`# Pattern for alert/prompt/confirm execution`
			`/(?:<\|%3C\|<)(?:script\|iframe\|svg\|img\|a).?(?:alert\|prompt\|confirm\|eval)\s\(.*?\)/i`
			`# Pattern for script injection`
			`/(?:<\|%3C\|<)script.*?(?:>\|%3E\|>)/i`
			`# Pattern for event handlers like onerror, onload, etc.`
			`/\bon(?:error\|load\|click\|mouseover\|focus\|blur)\s=\s["']?(?:alert\|prompt\|confirm\|eval)/i`
			`# Pattern for javascript: protocol`
			`/javascript\s:\s(?:alert\|prompt\|confirm\|eval)/i`
			`# Pattern for data URI scheme with script`
			`/data\s:\s(?:text\|application)\/(?:javascript\|html).*?base64/i`

			`# SQL Injection patterns`
			`# Pattern for basic SQL injection attempts`
			`/(?:'\sOR\s'[\w\d]+'?\s=\s'[\w\d]+)\|(?:"\sOR\s"[\w\d]+"?\s=\s"[\w\d]+")/i`
			`# Pattern for SQL comments`
			`/(?:--\|#\|\/\)[^\w\d](?:union\|select\|insert\|update\|delete\|drop\|alter)/i`
			`# Pattern for UNION SELECT attempts`
			`/union\s+(?:all\s+)?select/i`
			`# Pattern for SQL batch commands`
			`/;\s*(?:drop\|alter\|create\|truncate\|rename\|insert\|update\|delete)/i`

			`# Remote file inclusion patterns`
			`# Pattern for external URL inclusion`
			`/(?:https?\|ftp\|php\|data\|file):\/\/[^\s\n"')>]+/i`
			`# Pattern for directory traversal`
			`/(?:\.\.\/\|\.\.\\\|\.\.\%2f\|\.\.\%5c)[^\s\n"')>]+/i`
			`# Pattern for PHP wrapper usage`
			`/php:\/\/(?:filter\|input\|memory\|output\|temp)/i`

			`# Command injection patterns`
			`# Pattern for shell command execution`
			/[;&\|`]\s*(?:ls\|cat\|cd\|pwd\|echo\|rm\|cp\|mv\|sudo\|chmod\|chown\|wget\|curl)/i
			`# Pattern for command substitution`
			/\$\([^\)]\)\|`[^`]`/i
			`# Pattern for direct system command injection`
			`/system\s\(\|exec\s\(\|shell_exec\s\(\|passthru\s\(\|eval\s*\(/i`

			`# Local file inclusion patterns`
			`# Pattern for path traversal`
			`/(?:\/\|\\\|\.\.\|%2f\|%5c)(?:etc\|bin\|usr\|home\|var\|root\|windows\|system32)/i`
			`# Pattern for sensitive file access`
			`/(?:\/\|\\\|\.\.\|%2f\|%5c)(?:passwd\|shadow\|hosts\|config\|wp-config\|web\.config)/i`

			`# XML/XXE injection patterns`
			`/<!(?:DOCTYPE\|ENTITY)[\s\S]?(?:SYSTEM\|PUBLIC)[\s\S]?["']/i`

			`# CSRF token extraction`
			`/(?:csrf\|xsrf\|token\|auth)["']?\s[:=]\s["']?[a-zA-Z0-9_-]+/i`

			`# Serialization attacks`
			`/[ORCo]:[0-9]+:/i`

			`# General suspicious patterns`
			`# Pattern for base64 encoded payloads`
			`/(?:[A-Za-z0-9+\/]{20,}={0,2})/`
			`# Pattern for hex encoded payloads`
			`/(?:0x[A-Fa-f0-9]{10,})/`
			`# Pattern for URL encoded characters sequence`
			`/(?:%[0-9A-Fa-f]{2}){8,}/`
			`# Pattern for large number of special characters`
			`/[!@#$%^&*()_+\-=\[\]{}\|;':",./<>?]{10,}/`