A nice .htaccess protection mechanism

5 replies
Howdy all,

There are several WP hacks that attempt to exploit some plugin or add-on. They usually try to run the plugin with the exploit and then gain access to another file up the server directory structure via parameters, using something like:
&view=../../../../../../../../../../etc/passwd

We wrote this little nugget to help stop this.

# Block attempts with ../../ and other QS args
RewriteEngine On
RewriteCond %{QUERY_STRING} \.\./ [OR]
RewriteCond %{QUERY_STRING} (https?|ftp)(\:|\%3A)
RewriteRule .* - [F,L]

Please feel free to use it in your sites.

Another nice security trick, if you have a reseller account or your own server, is to save your important config files as root or your main reseller account.

That way, if someone does hack a plug-in or your WP site, they will not be able to overwrite your .htaccess or other important files. Sure, this is more work for you, but you hardly ever edit these files.


I hope this helps,

Kevin
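As an added example (my own Python, not code from the post), the two conditions above are run as regexes over a handful of constructed query strings in the way mod_rewrite evaluates them: %{QUERY_STRING} is matched as sent, without URL decoding, and a condition without [NC] is case-sensitive. Beside them is a hardened pair that this example assumes (it is not from the post): it accepts the dot and slash in literal or %-encoded form and adds case-insensitivity. The sample query strings and the host evil.example are constructed for the example.

```python
import re

# Added example, not code from the post: the two RewriteCond patterns as
# posted, applied the way mod_rewrite applies them to %{QUERY_STRING}
# (raw, not URL-decoded; case-sensitive because there is no [NC]).
ORIGINAL = [
    re.compile(r"\.\./"),                    # RewriteCond %{QUERY_STRING} \.\./
    re.compile(r"(https?|ftp)(\:|\%3A)"),    # RewriteCond %{QUERY_STRING} (https?|ftp)(\:|\%3A)
]

# Hardened equivalents (an assumption of this example, not from the post):
# match "." and "/" literally or %-encoded, and compare case-insensitively,
# which is what [NC] does in .htaccess.
HARDENED = [
    re.compile(r"(\.|%2e){2}(/|%2f|\\|%5c)", re.IGNORECASE),
    re.compile(r"(https?|ftp)(:|%3a)", re.IGNORECASE),
]


def matches(conditions, query_string):
    """True if any condition of an [OR] chain matches the raw query string."""
    return any(c.search(query_string) for c in conditions)


def report(query_string):
    """(original chain matched, hardened chain matched) for one query string."""
    return (matches(ORIGINAL, query_string), matches(HARDENED, query_string))


# Constructed query strings; the first two are the shapes the post describes,
# the rest are encoded or re-cased variants of the same requests.
SAMPLES = [
    "view=../../../../../../etc/passwd",
    "page=http://evil.example/shell.txt",
    "view=..%2F..%2F..%2Fetc%2Fpasswd",            # slash URL-encoded
    "view=%2e%2e/%2e%2e/%2e%2e/etc/passwd",        # dots URL-encoded
    "page=HTTP://evil.example/shell.txt",          # upper-case scheme
    "page=http%3A%2F%2Fevil.example/shell.txt",    # colon URL-encoded
    "p=12&cat=news",                               # ordinary request
]

if __name__ == "__main__":
    print(f"{'original':9} {'hardened':9} query string")
    for qs in SAMPLES:
        original_hit, hardened_hit = report(qs)
        print(f"{str(original_hit):9} {str(hardened_hit):9} {qs}")
```

In .htaccess form the hardened pair is `RewriteCond %{QUERY_STRING} (\.|\%2e){2}(/|\%2f|\\|\%5c) [NC,OR]` followed by `RewriteCond %{QUERY_STRING} (https?|ftp)(\:|\%3a) [NC]`. It still only inspects the query string, not the path or a POST body, and a double-encoded `%252e` passes it, so treat it as a tripwire in front of patched code rather than a substitute for patching.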
  • Sojourn:
    I spent hours last week researching .htaccess tips for WP security and it was all so confusing I ended up doing nothing other than installing a plug-in called Bad Behavior to at least stop some spam bots.

    Can I pick your brain a bit and ask you to describe the different arguments and terms in this query? What do they DO exactly? I think I understand but I don't want to make any assumptions and I'm a complete noob about .htaccess. I know just enough to know that I should learn more.
    • bydomino:
      I have taken some lines from one of my general .htaccess protection files and explained them line by line. I have also added some great links that will help you get on your way.


      Basics:
      The RewriteCond directive defines a single condition (a test). If it matches, the system then applies the following RewriteRule.

      You can stack several conditions in a row, one per line.
      A # starts a comment.

      ============== Start ===================
      # mod_rewrite in use

      RewriteEngine On
      #ByD - This turns on the rewrite function

      # Redirect all non www to www
      RewriteCond %{HTTP_HOST} !^www\. [NC]
      #ByD - this is using the server variable HTTP_HOST and using regex to check when there is not "www."
      #ByD - the [NC] means that we are testing for any case
      #ByD - if this is true then we stop and go find the very next RewriteRule and execute it

      RewriteRule (.*) http://www.%{HTTP_HOST}/$1 [R=301,L]
      #ByD - this is the very next RewriteRule
      #ByD - This takes every character (.*) and replaces it with http://www. then the domain, then a / and the rest of what was there
      #ByD - The [R=301,L] means redirect the client and send a 301 status code (R=301) and make this the last rule (L).


      RewriteCond %{QUERY_STRING} \.\./ [OR]
      #ByD - this starts a new set of RewriteCond
      #ByD - this first one looks at the QUERY_STRING variable (all the parameters after the "?") and checks for the occurrence of ../
      #ByD - again if this is true then we stop and go find the very next RewriteRule and execute it
      #ByD - the [OR] means that this condition and the following ones are combined with a logical OR and not the standard AND

      RewriteCond %{QUERY_STRING} (https?|ftp)(\:|\%3A) [OR]
      #ByD - this looks in QUERY_STRING for http, https or ftp followed by a colon or the URL-encoded version of it (%3A)
      #ByD - again if this is true then we stop and go find the very next RewriteRule and execute it
      #ByD - the [OR] means that this condition and the following ones are combined with a logical OR and not the standard AND

      #ByD - there are many more conditions; some good ones you can find for WP are here:
      # .htaccess Plugin Blocks Spam, Hackers, and Password Protects Blog


      #ByD - After all of your RewriteCond you will want to send the user/hacker somewhere. Many send them this
      RewriteRule .* - [F,NS,L]
      #ByD - this will send a 403 FORBIDDEN
      #ByD - I do not like that because it tells the hacker that you know what he did and you spanked him for it
      #ByD - I believe in trying not to upset the hacker or give him a challenge. I usually just give them this
      RewriteRule ^(.*)$ index.php [L]
      #ByD - this will just send him back the home page. Maybe he made an error, who knows, but it is innocent.

      ========= Finish =================


      A great .HTaccess cheat sheet can be found here:
      mod_rewrite Cheat Sheet (V2) - Added Bytes


      There is a good WP plugin for this too :
      WordPress Firewall Plugin » SEO Egghead



      Here is a great set of WP rules (some are just for anything)

      # Deny exploit using bogus graphics
      RewriteCond %{HTTP:Content-Disposition} \.php [NC]
      RewriteCond %{HTTP:Content-Type} image/.+ [NC]
      RewriteRule .* - [F,NS,L]

      # Deny requests with no host header
      RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
      RewriteCond %{HTTP_HOST} ^$
      RewriteRule .* - [F,NS,L]

      # Deny bad content type
      RewriteCond %{REQUEST_METHOD} =POST
      RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/form-data.*(boundary.*)?)$ [NC]
      RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
      RewriteRule .* - [F,NS,L]

      # Deny common exploits
      RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
      RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
      RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
      RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
      RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
      RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/ [NC]
      RewriteRule .* - [F,NS,L]

      # Deny unsafe characters
      RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
      RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC]
      RewriteRule .* - [F,NS,L]


      I hope this helps you and others - stay safe and hack free,

      Kevin
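To make the [OR]/AND behaviour in the explanation above concrete, here is an added example (my own Python, not code from the post or from Apache) that emulates mod_rewrite's condition loop and runs the "Deny common exploits" block from the post over a few constructed request lines. It also runs the QUERY_STRING pair from the listing above with the [OR] still on its second condition, which is how that pair behaves if no further condition is added before the RewriteRule. The request lines, the host evil.example and the function names are assumptions of the example.

```python
import re

# Added example, not code from the thread or from Apache: a small emulation of
# how mod_rewrite evaluates the RewriteCond chain in front of one RewriteRule,
# so the rule blocks above can be checked against sample requests offline.
# Each condition is (TestString variable, CondPattern, flags) copied from the
# .htaccess lines. Honoured: [NC], [OR], a leading "!" (negate) and a leading
# "=" (lexical string comparison instead of a regex).


def cond_matches(variable, pattern, flags, server_vars):
    """Evaluate one RewriteCond against the emulated server variables."""
    value = server_vars.get(variable, "")
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if pattern.startswith("="):
        hit = value == pattern[1:]
    else:
        hit = re.search(pattern, value, re.IGNORECASE if "NC" in flags else 0) is not None
    return hit != negate


def rule_applies(conds, server_vars):
    """Reproduce the condition loop of mod_rewrite's apply_rewrite_rule():
    a failed condition vetoes the rule only when it is NOT flagged [OR], and a
    matched [OR] condition skips the remaining conditions of its OR chain.
    A chain whose last condition carries [OR] therefore never vetoes anything."""
    i = 0
    while i < len(conds):
        variable, pattern, flag_str = conds[i]
        flags = set(flag_str.split(",")) if flag_str else set()
        ok = cond_matches(variable, pattern, flags, server_vars)
        if "OR" in flags:
            if ok:
                while i < len(conds) and "OR" in conds[i][2].split(","):
                    i += 1                 # stop on the chain's terminator ...
        elif not ok:
            return False
        i += 1                             # ... and step past it
    return True


def server_vars_for(request_line):
    """Build the variables the rules read from a raw HTTP request line.
    THE_REQUEST and QUERY_STRING are left exactly as sent (mod_rewrite does
    not URL-decode them); REQUEST_URI is the path without the query string."""
    method, target, _protocol = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    return {"THE_REQUEST": request_line, "REQUEST_METHOD": method,
            "REQUEST_URI": path, "QUERY_STRING": query}


# "Deny common exploits" block from the post, transcribed condition by condition.
DENY_COMMON_EXPLOITS = [
    ("REQUEST_URI", r"!^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).*", "NC"),
    ("THE_REQUEST", r"^[A-Z]{3,9}\ ///.*\ HTTP/", "NC,OR"),
    ("THE_REQUEST", r"^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/", "NC,OR"),
    ("THE_REQUEST", r"^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/", "NC,OR"),
    ("THE_REQUEST", r"^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/", "NC,OR"),
    ("THE_REQUEST", r"^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/", "NC"),
]

# The QUERY_STRING pair from the listing above, with [OR] left on the last
# condition and nothing after it.
QUERY_STRING_PAIR_TRAILING_OR = [
    ("QUERY_STRING", r"\.\./", "OR"),
    ("QUERY_STRING", r"(https?|ftp)(\:|\%3A)", "OR"),
]


def blocked(conds, request_line):
    """True if the RewriteRule behind this condition chain would fire."""
    return rule_applies(conds, server_vars_for(request_line))


# Constructed request lines, not taken from any real log.
SAMPLE_REQUESTS = {
    "scheme directly after ?=":  "GET /index.php?=http://evil.example/shell.txt HTTP/1.1",
    "same, under /wp-admin/":    "GET /wp-admin/admin-ajax.php?=http://evil.example/shell.txt HTTP/1.1",
    "scheme after a parameter":  "GET /index.php?view=http://evil.example/shell.txt HTTP/1.1",
    "dotfile fetch":             "GET /.htaccess HTTP/1.1",
    "ordinary page":             "GET /page.html HTTP/1.1",
}

if __name__ == "__main__":
    for label, line in SAMPLE_REQUESTS.items():
        verdict = "BLOCK" if blocked(DENY_COMMON_EXPLOITS, line) else "pass "
        print(f"{verdict}  {label}: {line}")
    print("trailing-[OR] pair blocks an ordinary page:",
          blocked(QUERY_STRING_PAIR_TRAILING_OR, "GET /page.html?p=1 HTTP/1.1"))
```

Three things the run makes visible. The first, un-flagged REQUEST_URI condition is ANDed with the whole OR chain, so anything under /wp-admin/ is exempt from every pattern in the block. The scheme pattern in that block only fires when the scheme sits directly after `?` or `?=`, so `?view=http://...` is left to the QUERY_STRING condition from the first post. And a chain that ends in [OR] vetoes nothing, so the RewriteRule after it fires for every request: always close a chain with a condition that carries no [OR].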
      • Sojourn:
        Originally Posted by bydomino

        #ByD - I believe in trying not to upset the hacker or give him a challenge.
        Wow, Kevin! Exactly what I needed. That bit about not challenging or irritating the hacker is probably priceless.

        WP security is one thing that keeps me up at night. I've done a few minor things but I know it isn't enough. I do back up my sites periodically and I always update WP versions and plug-ins immediately, but there are a few sites that provide the bulk of my income and if I lost those for any length of time, my family would pay the price.

        The time you took to provide this information is very much appreciated. You know what I'll be doing today. (.htaccess file here I come!)

        Thanks!

        Erica
  • Hmm, thanks, looks interesting...
  • alexbbbh:
    Thanks for the nice tips on security. These are always welcomed.