  1. #1
    SitePoint Zealot

    htaccess protect wordpress blog

    I have found this .htaccess code and wanted to know if it's safe to use:
    +++++++++++++++++++++++++++++++++++++++
    HTML Code:
    RewriteEngine On
    
    # proc/self/environ? no way!
    RewriteCond %{QUERY_STRING} proc/self/environ [OR]
    
    # Block out any script trying to set a mosConfig value through the URL
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    
    # Block out any script trying to base64_encode crap to send via URL
    RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
    
    # Block out any script that includes a <script> tag in URL
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    
    # Block out any script trying to set a PHP GLOBALS variable via URL
    RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]
    
    # Block out any script trying to modify a _REQUEST variable via URL
    RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})
    
    # Send all blocked request to homepage with 403 Forbidden error!
    RewriteRule ^(.*)$ index.php [F,L]
    
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]
    
    #Options +FollowSymlinks
    RewriteEngine On
    RewriteCond %{http_host} ^yoursite.com
    RewriteRule ^(.*) http://www.yoursite.com/$1 [R=301,L]
    
    # Protect from spam bots
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
    RewriteCond %{HTTP_REFERER} !.yoursite.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
    </IfModule>
    
    # STRONG HTACCESS PROTECTION
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </Files>
    
    <IfModule mod_speling.c>
    CheckSpelling On
    </IfModule>
    
    # disable directory browsing
    Options All -Indexes
    
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

  2. #2
    dklynn
    hay,

    First, let me chastise you for using (at least wanting to use) code you do not understand.

    Comments on the code:

    Code:
    RewriteEngine On
    
    # proc/self/environ? no way!
    RewriteCond %{QUERY_STRING} proc/self/environ [OR]
    
    # Block out any script trying to set a mosConfig value through the URL
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    
    # Block out any script trying to base64_encode crap to send via URL
    RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
    
    # Block out any script that includes a <script> tag in URL
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    
    # Block out any script trying to set a PHP GLOBALS variable via URL
    RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]
    
    # Block out any script trying to modify a _REQUEST variable via URL
    RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})
    
    # Send all blocked request to homepage with 403 Forbidden error!
    RewriteRule ^(.*)$ index.php [F,L]
    
    All you need to Fail the request is RewriteRule .? - [F]
    It seems okay so far.
    Options +FollowSymLinks
    Why would you add this now?
    RewriteEngine On
    DITTO!
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    I thought you'd decided above to FAIL the request
    RewriteRule ^(.*)$ index.php [F,L]
    #Options +FollowSymlinks
    RewriteEngine On
    Repeat DITTO!
    RewriteCond %{http_host} ^yoursite.com
    You don't bother to specify (escape) dot characters, use end anchors or specify No Case?
    RewriteRule ^(.*) http://www.yoursite.com/$1 [R=301,L]
    I would have used RewriteRule .? http://www.yoursite.com%{REQUEST_URI} [R=301,L]
    # Protect from spam bots
    <IfModule mod_rewrite.c>
    [rant #4]
    The definition of an idiot is someone who repeatedly does the same thing expecting a different result. Asking Apache to confirm the existence of ANY module with an <IfModule> ... </IfModule> wrapper is the same thing in the webmaster world. DON'T BE AN IDIOT! If you don't know whether a module is enabled, run the test ONCE then REMOVE the wrapper as it is EXTREMELY wasteful of Apache's resources (and should NEVER be allowed on a shared server).
    [/rant 4]
    RewriteEngine On
    Repetitively repeat DITTO!
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
    Zero or more p's on the .ph?
    RewriteCond %{HTTP_REFERER} !.yoursite.com.* [OR]
    Same as above on %{HTTP_HOST}
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
    ... how many ISPs/hackers would use their own IP address? (Hint: Zero)
    </IfModule>
    # STRONG HTACCESS PROTECTION
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    Seriously? Okay, close but off enough to be ridiculous, IMHO. Just use <Files \.ht> and be done with it.
    order allow,deny
    deny from all
    satisfy all
    </Files>
    <IfModule mod_speling.c>
    [rant #4]
    The definition of an idiot is someone who repeatedly does the same thing expecting a different result. Asking Apache to confirm the existence of ANY module with an <IfModule> ... </IfModule> wrapper is the same thing in the webmaster world. DON'T BE AN IDIOT! If you don't know whether a module is enabled, run the test ONCE then REMOVE the wrapper as it is EXTREMELY wasteful of Apache's resources (and should NEVER be allowed on a shared server).
    [/rant 4]
    CheckSpelling On
    In my usage, I've not had to turn this on, only include it as a module in Apache.
    </IfModule>
    # disable directory browsing
    Options All -Indexes
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
    Whew! Sorry for the "abuse" but you asked whether it was safe or not and that demands explanations. You know me well enough to know the "abuse" isn't personal AND that I tend to get pedantic - especially about mod_rewrite code!

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator
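A small check of three of the patterns dklynn picks apart above (the unescaped dot and missing end anchor on the host test, the `php*` on the comments URI, and the `.hta` file pattern), run against constructed inputs. This is an added example, not code from the thread; the "fixed" patterns are this example's own assumptions, written to apply his comments (the `^\.ht` form is what a `<FilesMatch>` would take).

```python
import re

# Regexes copied verbatim from the .htaccess posted in the thread ("posted"),
# each beside a tightened form ("fixed") that applies dklynn's comments:
# escape the dot, anchor the end, and use an [NC]-style case-insensitive
# match. Apache evaluates these with PCRE; Python's re treats the constructs
# used here the same way. The fixed patterns are this example's assumptions.
CHECKS = {
    # RewriteCond %{http_host} ^yoursite.com
    "host": (r"^yoursite.com", r"^yoursite\.com$"),
    # RewriteCond %{REQUEST_URI} .wp-comments-post\.php*  (the * repeats only the last p)
    "uri": (r".wp-comments-post\.php*", r"^/wp-comments-post\.php$"),
    # <Files ~ "^.*\.([Hh][Tt][Aa])">  (only names containing ".hta")
    "files": (r"^.*\.([Hh][Tt][Aa])", r"^\.ht"),
}

def matches(pattern, value, nocase=False):
    """Emulate a RewriteCond / FilesMatch test; nocase mirrors the [NC] flag."""
    flags = re.IGNORECASE if nocase else 0
    return re.search(pattern, value, flags) is not None

def compare(check, value):
    """Return (posted_result, fixed_result); the posted rules carried no [NC]."""
    posted, fixed = CHECKS[check]
    return matches(posted, value), matches(fixed, value, nocase=True)

# Constructed sample inputs: (check, value, expected posted, expected fixed)
SAMPLES = [
    ("host", "yoursite.com", True, True),
    ("host", "yoursitexcom.example", True, False),   # unescaped dot matches the x
    ("host", "yoursite.com.example", True, False),   # no end anchor
    ("host", "YOURSITE.COM", False, True),           # posted rule is case-sensitive
    ("uri", "/wp-comments-post.php", True, True),
    ("uri", "/wp-comments-post.ph", True, False),    # php* also matches ".ph"
    ("files", ".htaccess", True, True),
    ("files", ".htpasswd", False, True),             # ".hta" never occurs in .htpasswd
    ("files", ".HTACCESS", True, True),
]

def unexpected():
    """Return samples whose results differ from expectation (empty list = all as expected)."""
    return [(c, v, compare(c, v)) for c, v, p, f in SAMPLES if compare(c, v) != (p, f)]

if __name__ == "__main__":
    for check, value, _, _ in SAMPLES:
        posted, fixed = compare(check, value)
        print(f"{check:5} {value:24} posted={posted!s:5} fixed={fixed}")
```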

  3. #3
    SitePoint Zealot
    I agree, I do not understand why use it.
    I am having problems with HostGator malware jumping to my sites. I am wasting too much time, so that's why I am a bit frustrated.

    I am thinking to use Better WP Security and WP-Security Admin Tools by WebsiteDefender.

    Any recommendations? Thanks.

    PS: thank you for the detailed explanation.

  4. #4
    dklynn
    hay,

    Thank you for understanding my detailed explanation. You might benefit from reading the mod_rewrite tutorial linked in my signature as it contains explanations and sample code. It's helped many members and should help you, too.

    If your site has been hacked (it has if you have malware on it), you need to clean out all malware and install the latest WP which has likely fixed the security holes. Then it's important to keep WP updated lest you have to repeat that exercise.

    If you can, check your database for illicit entries - especially in the administration area as hackers will generally give themselves admin privileges. Once those are clear, export the database to your computer, DELETE EVERYTHING, change your passwords using STRONG passwords, reinstall and replace the new database with the old. Be sure that your new password is in the database, not the old one.

    Regards,

    DK

  5. #5
    SitePoint Zealot
    Thank you David,
    I have purchased WP secure code; can I send it to you for your expert advice on whether it's safe to use or not?
    my email is khorenp[at] yahoo [dot] com

    thank you in advance

  6. #6
    dklynn
    hayem,

    Thank you for that offer but, if you've paid for it, I don't believe you can provide it to anyone without violating a copyright - even for a review. If you're convinced you are allowed to do so, PM it to me and I'll PM the review back to you directly.

    Regards,

    DK

