Aaditya Sudra - Digital Marketing Professional In Mumbai, Maharashtra, India

Advanced mod_rewrite Examples From WordPress Plugins

Here are some specific .htaccess examples, taken mostly from a WordPress password protection plugin that, as the following mod_rewrite snippets show, does a lot more than password protection. These are a few of the mod_rewrite uses that BlogSecurity said pushed the boundaries of mod_rewrite. Some of the snippets are quite exotic and unlike anything you may have seen before, and they are only for people who understand them: a mistake in .htaccess can take a site down instantly, so test each block on a staging copy and keep a backup of the working file to roll back to. The RewriteCond/RewriteRule blocks below assume RewriteEngine On is already set, as it is in the standard WordPress .htaccess.

#1 - Directory Protection

Turns off automatic directory listings (Options -Indexes), so a directory without an index file is refused with 403 Forbidden instead of having its contents enumerated, and sets the files Apache serves for a directory request. The last DirectoryIndex entry, /index.php, is an absolute path: when none of the local candidates exist, Apache falls back to the site's root index.php.

Options -Indexes
DirectoryIndex index.html index.php /index.php

 

#2 - Password Protect wp-login.php

Requires a valid HTTP Basic auth user/password, checked against the file named in AuthUserFile, before the WordPress login page is served. With Deny from All plus Satisfy Any, the password check is the only way in. Create the password file with htpasswd, keep it outside the web root, and serve the site over HTTPS, because Basic auth sends the credentials base64-encoded, not encrypted. On Apache 2.4 the Order, Deny, Allow and Satisfy directives exist only through mod_access_compat; the native equivalent of this block is the AuthType/AuthName/AuthUserFile lines plus Require valid-user.

<Files wp-login.php>
Order Deny,Allow
Deny from All
Satisfy Any
AuthName "Protected By YourDomain"
AuthUserFile /web/YourDomain.com/.htpasswda1
AuthType Basic
Require valid-user
</Files>

 

#3 - Password Protect wp-admin

Goes in the wp-admin directory's own .htaccess. Requires a valid user/password for any non-static file in this directory: Deny from All plus Satisfy Any makes Basic auth the only way in, and the first <FilesMatch> block then uses Allow from All so static assets (CSS, JS, images) are served without a login prompt. The second <FilesMatch> block exempts async-upload.php, the upload handler, which is therefore reachable with only WordPress's own login check; the SecFilterEngine Off line inside it is ModSecurity 1.x syntax (2.x uses SecRuleEngine) and switches mod_security off for that file. On Apache 2.4, where Order/Deny/Allow/Satisfy need mod_access_compat, the equivalent is Require valid-user at directory level and Require all granted inside the <FilesMatch> blocks.

Options -ExecCGI -Indexes +FollowSymLinks -Includes
DirectoryIndex index.php /index.php
Order Deny,Allow
Deny from All
Satisfy Any
AuthName "Protected By YourDomain"
AuthUserFile /web/YourDomain.com/.htpasswda1
AuthType Basic
Require valid-user
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$">
Allow from All
</FilesMatch>
<FilesMatch "(async-upload)\.php$">
<IfModule mod_security.c>
SecFilterEngine Off
</IfModule>
Allow from All
</FilesMatch>

 

#4 - Protect wp-content

Denies any direct request for a file under /wp-content/ ending in .php, .html, .htm or .txt with 403 Forbidden; the one exception is flexible-upload-wp25js.php. THE_REQUEST holds the original request line, so the rule fires only on requests from clients, not on internal rewrites, and it does not stop a script that is already on disk from being included by other PHP code. It will break any plugin or theme that has browsers fetch one of its .php files directly, and it also blocks plugin readme.txt files, so test it with every plugin you run.

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
RewriteRule .? - [F,NS,L]

 

#5 - Protect wp-includes

Denies any direct request for a .php file under /wp-includes/ with 403 Forbidden. The second condition exempts anything at least one directory deep under /wp-includes/js/, because some bundled script directories there contain PHP loaders. As with #4, only direct client requests are affected; WordPress can still include these files. May break plugins/themes that call into wp-includes directly.

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/ [NC]
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
RewriteRule .? - [F,NS,L]

 

#6 - Common Exploits

Blocks common exploit-looking requests with 403 Forbidden. The first condition exempts wp-login.php, wp-admin, the plugins directory and wp-includes; the remaining conditions are chained with [OR], so the rule fires when the request is outside those paths AND the request line matches any one of: a path beginning with three slashes, a query string that starts with a URL (?http://... or ?=http://..., a crude remote-file-inclusion signature), a double question mark, .asp/.ini/.dll anywhere in the request line, or an .htpasswd/.htaccess name. These can help a lot but may break some plugins. Two limits to know: the URL check only triggers when the URL immediately follows the "?", so ?page=http://... is not caught, and the .asp/.ini/.dll pattern matches those letters after any dot, so a path such as /guide.aspects is blocked too.

RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|dehtpasswd).*\ HTTP/ [NC]
RewriteRule .? - [F,NS,L]

 

#7 - Stop Hotlinking

Denies any request for a static file (images, CSS, etc.) whose Referer header is set and does not start with https://www.YourDomain.com; requests with an empty Referer are allowed, so direct links and privacy-minded browsers keep working. Replace YourDomain.com and list every scheme and hostname the site answers on (as written, http:// and the bare domain are rejected). Because the Referer header is set by the client, this stops casual hotlinking, not a determined scraper.

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{HTTP_REFERER} !^https://www.YourDomain.com.*$ [NC]
RewriteRule \.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$ - [F,NS,L]

 

#8 - Safe Request Methods

Denies with 403 Forbidden any request whose method is not one of GET, HEAD, POST, PROPFIND, OPTIONS or PUT. WordPress itself needs GET, HEAD, POST and OPTIONS; PUT and PROPFIND are WebDAV methods, so drop them from the list unless you actually serve WebDAV from this host.

RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
RewriteRule .? - [F,NS,L]

 

#9 - Forbid Proxies

Denies any POST request that carries one of the headers proxies typically add (Via, Forwarded, X-Forwarded-For, Proxy-Connection, Client-IP and similar), except for wp-login.php, wp-admin, the plugins directory and wp-includes. Proxy users can still read the site but cannot post comments. Check the header spelling against your own access logs: %{HTTP:name} looks the header up by the name given, and the headers proxies actually send are hyphenated (Via, X-Forwarded-For, Proxy-Connection). If the site itself sits behind a reverse proxy, load balancer or CDN, those headers are present on every request and this rule would reject every comment; in that case leave it out.

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .? - [F,NS,L]

 

#10 - Real wp-comments-post.php

Denies with 403 Forbidden any request (not only POST) whose request line contains /wp-comments-post.php inside a subdirectory, i.e. a path other than the real /wp-comments-post.php in the site root, which does not match because the pattern requires a slash-delimited path segment before the filename. It is aimed at automated posts sent to a comment handler at a guessed path. If WordPress is installed in a subdirectory (for example /blog/), the real handler lives at /blog/wp-comments-post.php and this rule blocks all comments, so adjust or drop it.

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteRule .? - [F,NS,L]
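To see exactly which requests rules #6, #7 and #10 reject, here is a small evaluator, added as an example and not part of the plugin or the original post. It parses those RewriteCond/RewriteRule lines and applies mod_rewrite's condition semantics ([OR] joins a condition with the next one and the resulting groups are ANDed; NC makes a pattern case-insensitive; a leading ! negates it; a leading = is a string comparison) to constructed request lines. The sample requests, referrers and hostnames are made up for the demonstration; YourDomain.com is the page's own placeholder, and only the variables these three rules consult are modelled.

```python
import re
from collections import namedtuple

# Constructed input: rules #6, #7 and #10 copied from the page's .htaccess snippets,
# with the page's YourDomain.com placeholder left in place.
HTACCESS = r"""
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|dehtpasswd).*\ HTTP/ [NC]
RewriteRule .? - [F,NS,L]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{HTTP_REFERER} !^https://www.YourDomain.com.*$ [NC]
RewriteRule \.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$ - [F,NS,L]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteRule .? - [F,NS,L]
"""

Cond = namedtuple("Cond", "test_string pattern flags")  # pattern may start with "!" (negate)
Rule = namedtuple("Rule", "conds pattern flags")        # pattern is matched against the path

def split_args(line):
    """Split on whitespace, keeping a backslash-escaped space inside its token."""
    return re.findall(r"(?:\\.|\S)+", line)

def parse_flags(args):
    """The optional trailing [NC,OR,...] token, as a set of flag names."""
    return set(args[-1].strip("[]").split(",")) if args and args[-1].startswith("[") else set()

def parse_rules(text):
    """Group each run of RewriteCond lines with the RewriteRule that follows them."""
    rules, pending = [], []
    for line in text.splitlines():
        args = split_args(line)
        if not args or args[0].startswith("#"):
            continue
        if args[0] == "RewriteCond":
            pending.append(Cond(args[1], args[2], parse_flags(args[3:])))
        elif args[0] == "RewriteRule":
            rules.append(Rule(pending, args[1], parse_flags(args[3:])))
            pending = []
    return rules

def cond_matches(cond, env):
    """Expand %{VAR} references, then apply the (possibly negated) pattern."""
    test = re.sub(r"%\{([^}]+)\}", lambda m: env.get(m.group(1), ""), cond.test_string)
    negate = cond.pattern.startswith("!")
    pattern = cond.pattern[1:] if negate else cond.pattern
    nc = "NC" in cond.flags
    if pattern.startswith("="):                       # lexical comparison, not a regex
        hit = test.lower() == pattern[1:].lower() if nc else test == pattern[1:]
    else:
        hit = re.search(pattern, test, re.IGNORECASE if nc else 0) is not None
    return hit != negate

def conds_match(conds, env):
    """mod_rewrite semantics: [OR] joins a cond to the next one; the groups are ANDed."""
    groups, group = [], []
    for cond in conds:
        group.append(cond)
        if "OR" not in cond.flags:
            groups.append(group)
            group = []
    if group:
        groups.append(group)
    return all(any(cond_matches(c, env) for c in g) for g in groups)

def request_env(method, target, referer=""):
    """The subset of mod_rewrite variables these three rules consult (constructed)."""
    return {"REQUEST_METHOD": method, "REQUEST_URI": target.split("?", 1)[0],
            "THE_REQUEST": f"{method} {target} HTTP/1.1", "HTTP_REFERER": referer}

def is_forbidden(rules, env):
    """True if some [F] rule's pattern matches the path and its condition chain holds."""
    path = env["REQUEST_URI"].lstrip("/")             # per-directory context: no leading "/"
    return any("F" in r.flags and re.search(r.pattern, path) and conds_match(r.conds, env)
               for r in rules)

RULES = parse_rules(HTACCESS)

if __name__ == "__main__":
    samples = [
        ("GET", "///etc/passwd", ""),                                    # three slashes
        ("GET", "/index.php?http://evil.example/shell.txt", ""),         # URL right after "?"
        ("GET", "/index.php?page=http://evil.example/shell.txt", ""),    # not caught: "page=" first
        ("GET", "/docs/setup.ini", ""),                                  # ".ini" anywhere
        ("GET", "/wp-admin/admin.php?http://x/", ""),                    # exempt prefix
        ("GET", "/wp-content/uploads/logo.png", "https://www.YourDomain.com/about/"),
        ("GET", "/wp-content/uploads/logo.png", "https://forum.example.net/t/1"),
        ("POST", "/blog/wp-comments-post.php", ""),                      # subdirectory copy
        ("POST", "/wp-comments-post.php", ""),                           # the real one at /
    ]
    for method, target, referer in samples:
        verdict = "403 " if is_forbidden(RULES, request_env(method, target, referer)) else "pass"
        print(verdict, method, target, "referer=" + (referer or "-"))
```

Run it directly to get a 403/pass verdict for each sample request. Two results are worth noting: ?page=http://... passes rule #6 because that pattern expects the URL immediately after the "?", and /blog/wp-comments-post.php is blocked by rule #10 while /wp-comments-post.php is not, which is why that rule has to go when WordPress lives in a subdirectory.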

 

More of these will be covered in the next part. Please share your feedback, suggestions or views in the comment section below.

Posted 1 year ago by Aaditya Sudra