1. Yes, Track and Trace are filtered to prevent HTTP Trace attack (XST)
# The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]
2. The filter above results in a 403 error when a HEAD request is made.
3. No, BPS does not attempt to block by IP, hostname, User Agent or Proxy since these are all easily spoofed/faked and instead takes an action approach to security instead of a ban approach.
4. No, BPS takes an action approach to security instead of a hiding approach to security.
SQL Injection filter below in BPS blocks all SQL Injection attacks so there is no point in changing or renaming the WP Database Table Prefix name because the attack will be blocked no matter what the Table Prefix is named.
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
5. No, because BPS takes an action approach to security. The malicious Query strings themselves are Forbidden by BPS Security filters so there is no need to attempt to rename them.
The BPS Action Security Approach:
X does bad action Y = Z is the result = Forbidden
