It is a common security practice to block requests containing .php, especially for websites that don't use PHP, for reasons such as:
- Preventing vulnerability scanning: Attackers often scan websites for PHP files to find potential vulnerabilities. By blocking these requests, you prevent activities that look for common PHP vulnerabilities or outdated PHP applications.
- Reducing noise in logs: If your application doesn't use PHP, blocking these requests reduces noise in your logs and makes legitimate issues easier to spot.
- Stopping exploitation attempts: Many automated attacks target common PHP vulnerabilities in applications like WordPress, phpMyAdmin, or other PHP-based CMS systems. If you don't use these technologies, blocking PHP requests immediately stops these exploitation attempts.

1. Select your project from the Vercel dashboard and select the Firewall tab.
2. From the top right corner of the Firewall page, click the Configure button and then + New Rule.
3. Type "Block .php request paths" as Name and "Adds a rule that blocks any requests containing '.php'" as Description.
4. In the Configure section, set up the following If configuration:
   - If Request Path Contains
   - Type .php in the input box
5. Select Save Rule.
6. Apply the changes:
   - When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
   - Select Review Changes and review the changes to be applied
   - Select Publish to apply the changes to your production deployment
7. Observe the traffic for this rule on the Firewall overview page.
8. Update the rule's Then action to Deny, select Save Rule, and apply the changes.
9. Review the live monitor. The traffic from that region should now be zero.
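
Before switching the action to Deny, the same Contains condition can be replayed over request paths exported from your own logs to see what it would catch and what it would miss. The following is an added example, not Vercel's code: it assumes the condition behaves as a case-sensitive substring test on the path (query string excluded), and the sample paths and category names are constructed for illustration.

```javascript
// Added example: offline dry run of a "Request Path Contains .php" condition.
// Assumption: the condition is modelled as a case-sensitive substring test on
// the request path as it appears in your logs (query string not included).
const NEEDLE = ".php";

// Matches when ".php" (any case), optionally with a version digit such as
// .php5 or .php7, ends a path segment, i.e. the request names a PHP script.
const PHP_SCRIPT = /\.php\d?(?=\/|$)/i;

// Percent-decode a path; malformed escapes are left untouched.
function safeDecode(path) {
  try { return decodeURIComponent(path); } catch { return path; }
}

function classify(rawPath) {
  const path = rawPath.split("?")[0];
  const matchesRule = path.includes(NEEDLE);
  const looksLikeScript = PHP_SCRIPT.test(safeDecode(path));
  if (matchesRule && looksLikeScript) return "probe-matched";
  if (matchesRule) return "review-before-deny"; // substring hit, not a script
  if (looksLikeScript) return "probe-not-matched"; // case or encoding variant
  return "unaffected";
}

// Group paths by category so each bucket can be reviewed separately.
function summarize(paths) {
  const out = {};
  for (const p of paths) (out[classify(p)] ??= []).push(p);
  return out;
}

// Constructed sample paths; replace with paths exported from your own logs.
const SAMPLE_PATHS = [
  "/wp-login.php",
  "/phpmyadmin/index.php?lang=en",
  "/blog/moving-from.php-to-node",
  "/INDEX.PHP",
  "/admin%2Ephp",
  "/api/users?next=/x.php",
  "/about",
];

console.log(summarize(SAMPLE_PATHS));
```

Paths in the "review-before-deny" bucket are legitimate-looking URLs the rule would block, and "probe-not-matched" lists PHP-style requests that this model of the condition would let through.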