Secure .htaccess example - Keep your blog secure!

7 replies
This is the .htaccess file I am currently using. I have included measures here to prevent directory browsing, script injection, white-space in URLs and query strings, and access to a couple of key configuration files.

Code:
# Use PHP5 Single php.ini as default (host-specific handler; keep only if your host documents it)
AddHandler application/x-httpd-php5s .php

# BEGIN WordPress
# (WordPress writes its permalink rules between these two markers; leave them in place)
# END WordPress

# Apache rejects an Options line that mixes bare names with +/- prefixed ones, so every
# option here carries a sign. -Indexes disables directory listings; FollowSymLinks is
# needed by mod_rewrite. ExecCGI and Includes enable CGI scripts and server-side
# includes, which WordPress does not need; drop them if nothing else on the site does.
# (IncludesNOEXEC and SymLinksIfOwnerMatch are redundant next to Includes and FollowSymLinks.)
Options -Indexes +FollowSymLinks +ExecCGI +Includes

# Block direct web access to the database credentials and to this file.
# Apache 2.4 uses Require; Order/Deny is the 2.2 syntax (or 2.4 with mod_access_compat).
<FilesMatch "^(wp-config\.php|\.htaccess)$">
   <IfModule mod_authz_core.c>
      Require all denied
   </IfModule>
   <IfModule !mod_authz_core.c>
      Order allow,deny
      Deny from all
   </IfModule>
</FilesMatch>

<IfModule mod_rewrite.c>
   RewriteEngine On

   # Refuse any request, except for the site root, whose query string contains whitespace.
   RewriteCond %{REQUEST_URI} !^/$
   RewriteCond %{QUERY_STRING} \s
   RewriteRule .* - [F,L]

   # Refuse query strings carrying a <script> tag (literal or %-encoded, any case) or
   # trying to overwrite the GLOBALS/_REQUEST superglobals. With [F] the substitution
   # is ignored, so "-" stands in for a target.
   RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
   RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
   RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
   RewriteRule .* - [F,L]
</IfModule>
If anyone has better knowledge of .htaccess syntax, I'd love to see a cleaned up version of this!

Thanks
#blog #htaccess #secure
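To see what the rewrite rules in the post above actually accept and refuse, here is a small simulator (an added example, not part of the original post and not WordPress code) that re-evaluates the post's RewriteCond patterns in Python over a handful of constructed requests. Apache's %{QUERY_STRING} is the raw, still percent-encoded text after the "?", and mod_rewrite evaluates PCRE, so for these particular patterns Python's re module reaches the same verdicts. The function name, rule labels and sample requests are this example's own.

```python
import re
from urllib.parse import urlsplit

# The RewriteCond patterns from the .htaccess above, copied verbatim.
# Apache's %{QUERY_STRING} is the raw, still percent-encoded text after "?",
# and mod_rewrite evaluates PCRE, so Python's re module gives the same verdicts
# for these expressions. The [NC] flag becomes re.IGNORECASE.
QUERY_RULES = [
    ("script tag", r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),
    ("GLOBALS override", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    ("_REQUEST override", r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
]


def matched_rule(request_target):
    """Return the label of the rule that would 403 this request, or None.

    request_target is the path-and-query part of the request line, e.g.
    "/index.php?s=foo". Only the two rewrite blocks from the post are modelled;
    the <Files> blocks are not.
    """
    parts = urlsplit(request_target)
    path, query = parts.path, parts.query

    # First block: its two RewriteConds are ANDed, so whitespace in the query
    # string is refused everywhere except on the site root "/".
    if path != "/" and re.search(r"\s", query):
        return "whitespace in query string"

    # Second block: three RewriteConds joined with [OR]; first hit wins.
    for label, pattern, flags in QUERY_RULES:
        if re.search(pattern, query, flags):
            return label
    return None


# Constructed sample requests (this example's own, not from the post).
SAMPLES = [
    "/?s=wordpress",                            # ordinary WordPress search
    "/?s=foo+bar",                              # browser-encoded space
    "/?s=<script>alert(1)</script>",            # literal tag
    "/?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E",  # percent-encoded tag
    "/index.php?GLOBALS[user]=admin",           # register_globals probe
    "/index.php?_REQUEST=1",
    "/search?q=foo bar",                        # raw space, not on "/"
    "/?q=foo bar",                              # raw space on "/" is exempt
    "/?s=%3Cscr%69pt%3E",                       # same tag, "script" split by %69
]

if __name__ == "__main__":
    for target in SAMPLES:
        verdict = matched_rule(target)
        print(f"{target:42} -> {'403 (' + verdict + ')' if verdict else '200'}")
```

Two things the output shows. A raw space is refused everywhere except on the site root, because the REQUEST_URI condition is ANDed with the whitespace condition, while a browser-encoded search such as ?s=foo+bar passes. And the last sample decodes to the same tag as the fourth but contains no literal "script", so no rule fires: patterns like these match the bytes Apache sees, not what PHP later decodes, which makes them a coarse filter in front of the application rather than a replacement for escaping inside it.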
  • LocoDice:
    This is working on the assumption you have WordPress, based on the:

    Code:
    <Files wp-config.php>
  • HolyWarrior:
    Huh... I'm really uncertain overall, but I was actually just installing some security plugins into my WordPress blog, and the .htaccess file was a key component that was addressed.
    • BAC:
      Originally Posted by HolyWarrior:
      Huh... I'm really uncertain overall, but I was actually just installing some security plugins into my WordPress blog, and the .htaccess file was a key component that was addressed.

      Modifying the .htaccess file may harm your entire blog; back up before editing. I am also using a security plugin for my WordPress site.
  • I find that the following free WP plugins do an excellent job of keeping my blogs secure:

    1. BulletProof Security
    2. Secure WordPress
    3. Wordpress Firewall 2

    There are also pro (paid) versions available for some of them although, up to now, I haven't found the need to upgrade.

    Chow chow,
    Kevin
  • SuzanneH:
    Watch out with WP security plugins -- some end up blocking Googlebot, thinking it's an attack on the site.

    Suzanne
  • Siham Cham:
    Never seen such a big .htaccess file. Hope it is secure enough.
    • gerardhevey:
      Check out 5G Blacklist 2012 : Perishable Press, a firewall for WordPress.

      Code:
      # 5G BLACKLIST/FIREWALL
      # @ 5G Blacklist 2012 : Perishable Press

      # 5G:[QUERY STRINGS]
      <ifModule mod_rewrite.c>
      RewriteEngine On
      RewriteBase /
      RewriteCond %{QUERY_STRING} (environ|localhost|mosconfig|scanner) [NC,OR]
      RewriteCond %{QUERY_STRING} (menu|mod|path|tag)\=\.?/? [NC,OR]
      RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
      RewriteCond %{QUERY_STRING} echo.*kae [NC,OR]
      RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
      RewriteCond %{QUERY_STRING} \=\\%27$ [NC,OR]
      RewriteCond %{QUERY_STRING} \=\\\'$ [NC,OR]
      RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
      RewriteCond %{QUERY_STRING} \? [NC,OR]
      RewriteCond %{QUERY_STRING} \: [NC,OR]
      RewriteCond %{QUERY_STRING} \[ [NC,OR]
      RewriteCond %{QUERY_STRING} \] [NC]
      RewriteRule .* - [F]
      </ifModule>

      # 5G:[USER AGENTS]
      <ifModule mod_setenvif.c>
      SetEnvIfNoCase User-Agent ^$ keep_out
      SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot) keep_out
      SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
      SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid) keep_out
      SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder|turnit) keep_out
      SetEnvIfNoCase User-Agent (zmeu|nutch|vikspider|binlar|sucker) keep_out
      # <limit> applies the Deny only to the listed methods (GET also covers HEAD);
      # use <LimitExcept> or drop the wrapper to cover every method.
      # Order/Allow/Deny is Apache 2.2 syntax; on 2.4 it needs mod_access_compat.
      <limit GET POST PUT>
      Order Allow,Deny
      Allow from all
      Deny from env=keep_out
      </limit>
      </ifModule>

      # 5G:[REQUEST STRINGS]
      <ifModule mod_alias.c>
      RedirectMatch 403 (https?|ftp|php)\://
      RedirectMatch 403 /(cgi|https?|ima|ucp)/
      RedirectMatch 403 /(Permanent|Better)$
      RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
      RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
      RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
      RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
      RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
      RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
      RedirectMatch 403 \.well\-known/host\-meta
      RedirectMatch 403 /function\.array\-rand
      RedirectMatch 403 \)\;\$\(this\)\.html\(
      RedirectMatch 403 proc/self/environ
      RedirectMatch 403 msnbot\.htm\)\.\_
      RedirectMatch 403 /ref\.outcontrol
      RedirectMatch 403 com\_cropimage
      RedirectMatch 403 indonesia\.htm
      RedirectMatch 403 \{\$itemURL\}
      RedirectMatch 403 function\(\)
      RedirectMatch 403 labels\.rdf
      RedirectMatch 403 /playing.php
      RedirectMatch 403 muieblackcat
      </ifModule>

      # 5G:[BAD IPS]
      <limit GET POST PUT>
      Order Allow,Deny
      Allow from all
      # uncomment/edit/repeat next line to block IPs
      # Deny from 123.456.789
      </limit>

      # 5G:[WordPress]
      # RedirectMatch is provided by mod_alias, so the guard tests that module, not mod_rewrite.
      <ifModule mod_alias.c>
      RedirectMatch 403 /\$\&
      RedirectMatch 403 (?i)/\&(t|title)=
      RedirectMatch 403 (?i)/\.(bash|git|hg|log|svn|swp|tar)
      RedirectMatch 403 (?i)/(1|contact|i|index1|iprober|phpinfo|phpspy|product|signup|t|test|timthumb|tz|visit|webshell|wp-signup).php
      RedirectMatch 403 (?i)/(author-panel|class|database|manage|phpMyAdmin|register|submit-articles|system|usage|webmaster)/?$
      RedirectMatch 403 (?i)/(=|_mm|cgi|cvs|dbscripts|jsp|rnd|shadow|userfiles)
      </ifModule>
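Suzanne's warning above about plugins blocking Googlebot applies to hand-written blocklists too. As an added example (not from the original post and not Perishable Press code), the script below re-evaluates a subset of the 5G RedirectMatch and User-Agent patterns in Python against constructed requests: a few probes the list is meant to stop, and a few ordinary blog URLs that the same patterns also refuse. mod_alias matches a RedirectMatch regex against the decoded URL-path only (the query string is not part of it, which is why 5G checks query strings separately with RewriteCond), and SetEnvIfNoCase is a case-insensitive search; that is what the two helper functions model. The rule labels, function names and sample requests are this example's own.

```python
import re

# RedirectMatch patterns from the 5G:[REQUEST STRINGS] and 5G:[WordPress]
# sections above, copied verbatim, each with a short label of our own.
# mod_alias tests them against the decoded URL-path; the query string is not
# part of that string.
PATH_RULES = [
    ("probe path", r'proc/self/environ'),
    ("blocked extension", r'\.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$'),
    ("punctuation", r'(\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")'),
    ("keyword", r'(base64|crossdomain|localhost|wwwroot|e107\_)'),
    ("probe script", r'(?i)/(1|contact|i|index1|iprober|phpinfo|phpspy|product|signup|t|test|timthumb|tz|visit|webshell|wp-signup).php'),
    ("admin directory", r'(?i)/(author-panel|class|database|manage|phpMyAdmin|register|submit-articles|system|usage|webmaster)/?$'),
    ("path segment", r'(?i)/(=|_mm|cgi|cvs|dbscripts|jsp|rnd|shadow|userfiles)'),
]

# The 5G:[USER AGENTS] patterns. SetEnvIfNoCase is a case-insensitive search,
# and "^$" catches an empty User-Agent value.
UA_RULES = [
    r'^$',
    r'(casper|cmsworldmap|diavol|dotbot)',
    r'(flicky|ia_archiver|jakarta|kmccrew)',
    r'(libwww|planetwork|pycurl|skygrid)',
    r'(purebot|comodo|feedfinder|turnit)',
    r'(zmeu|nutch|vikspider|binlar|sucker)',
]


def path_rule(path):
    """Label of the first RedirectMatch that would 403 this URL-path, or None."""
    for label, pattern in PATH_RULES:
        if re.search(pattern, path):
            return label
    return None


def ua_blocked(user_agent):
    """True if the 5G user-agent list would set keep_out for this header value."""
    return any(re.search(p, user_agent, re.IGNORECASE) for p in UA_RULES)


def decision(path, user_agent):
    """'403 <reason>' or '200'. mod_alias runs before access control, so a path
    hit is reported ahead of a user-agent hit, as Apache would order them."""
    hit = path_rule(path)
    if hit:
        return f"403 {hit}"
    if ua_blocked(user_agent):
        return "403 user-agent"
    return "200"


# Constructed traffic (this example's own): probes first, then ordinary URLs.
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/14.0"
SAMPLES = [
    ("/proc/self/environ", BROWSER),
    ("/phpMyAdmin/", BROWSER),
    ("/", "libwww-perl/6.05"),
    ("/", ""),
    ("/2012/08/hello-world/", GOOGLEBOT),
    ("/feed/", GOOGLEBOT),
    ("/shadow-of-the-colossus-review/", BROWSER),
    ("/posts/decoding-base64-in-python/", BROWSER),
    ("/wait...what/", BROWSER),
    ("/downloads/backup.rar", BROWSER),
    ("/contact.php", BROWSER),
]

if __name__ == "__main__":
    for path, ua in SAMPLES:
        print(f"{path:36} {ua[:24]:24} -> {decision(path, ua)}")
```

Googlebot's own user agent passes the list, so Suzanne's failure mode comes from the path rules instead: a post slug containing "shadow", "base64" or an ellipsis, a /contact.php page, and a .rar download all get 403, because the patterns search for substrings anywhere in the path. Before deploying a list like this, run your own sitemap through a check of this kind and expect to prune a few rules.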