.htaccess Part Two: Security

Yesterday we started a series of guides for the amazing tool .htaccess. For those who did not read the first part, .htaccess is a small per-directory configuration file for the Apache web server. Today we will see how we can edit it to improve the security of a WordPress site.

We will stress once again the importance of editing every file that will live on a Linux server (.htaccess, .php, .sql) with Notepad++ and not with the classic Windows Notepad: Notepad saves Windows (CRLF) line endings and, when saving as UTF-8, prepends a byte-order mark that ends up in front of <?php and breaks the page headers; Notepad++ lets you keep Unix (LF) line endings and UTF-8 without BOM.

To start editing the file you need to download it to your computer. After installing Notepad++, a right-click on the file will give you the option: Edit with Notepad++.

Before proceeding, keep a backup of the file you downloaded.

After the file has been edited, there are two ways to save it.

The easiest way is to use the floppy disk icon located in the upper left corner of the Notepad++ window.

You will need the second way if you want to save a new .htaccess under Windows with Save As.

Because Windows treats ".htaccess" as a file extension with no name in front of it, Save As will prompt you to give the file a name, e.g. name.htaccess. You can avoid this by typing the name in quotes.

So save your file as ".htaccess", quotes included.

After the basics, let's see how we can secure our WordPress site.

Let's start by protecting the .htaccess file itself. You can use the same directive block to deny access to any file you want by simply changing the file name.


Block access to several files at once (you can add more if you need).


Let's block directory listings in the site's folders:

Options -Indexes
  • To enable a listing, use + instead of -

That is:

Options +Indexes

Of course, since we are talking about security, forget the + form and leave listings disabled. Note that Apache does not accept bare options mixed with +/- ones on the same line ("Options All -Indexes"); in an .htaccess file that mistake shows up as a 500 error on Apache 2.4, so use the +/- form on its own. Options also requires AllowOverride Options on the server.

Block an IP address
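As an added example (this is not code from the original article), here is the block in both the Apache 2.4 and the Apache 2.2 syntax, wrapped in IfModule so the same file works on either version. The two addresses are placeholders from the documentation ranges; put the ones you actually want to block in their place. The 2.4 form denies whole ranges as well as single hosts.

```apache
# Added example: deny a few source addresses, everything else stays reachable.
# 203.0.113.45 and 198.51.100.0/24 are placeholders (RFC 5737 documentation ranges).

<IfModule mod_authz_core.c>
    # Apache 2.4: inside RequireAll every line must pass, so a matching
    # "Require not ip" turns the otherwise granted request into a 403.
    <RequireAll>
        Require all granted
        Require not ip 203.0.113.45
        Require not ip 198.51.100.0/24
    </RequireAll>
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2 equivalent: Allow is evaluated first, then Deny overrides it.
    Order Allow,Deny
    Allow from all
    Deny from 203.0.113.45
    Deny from 198.51.100.0/24
</IfModule>
```

Require needs AllowOverride AuthConfig and Order/Allow/Deny need AllowOverride Limit. If the site sits behind a reverse proxy or CDN, Apache sees the proxy's address rather than the visitor's, so the block has to be done at the proxy, or mod_remoteip has to be configured first so that the real client address is used.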


 

Let's close some gaps now. The RewriteCond lines that follow test the query string of every request; each one except the last ends with [OR], so together they form one chain that is consumed by the RewriteRule further down ("Return a 403 error for every request that matched ..."). They need RewriteEngine On above them and AllowOverride FileInfo on the server, and they should be placed before the # BEGIN WordPress block so they run before WordPress's own rewrite. QUERY_STRING is the raw, still URL-encoded query string, which is why the patterns also look for %-encoded forms.

Block any request whose query string carries a base64_encode(...) call:

RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]

Block attempts to read /proc/self/environ (a classic target of local file inclusion, since it leaks the server process environment):

RewriteCond %{QUERY_STRING} proc/self/environ [OR]

Protect against scripts that try to overwrite PHP's GLOBALS array through the query string:

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

Protect against attempts to set mosConfig_ variables (a Joomla/Mambo configuration prefix that was abused for remote file inclusion; it does nothing on WordPress but costs nothing to keep):

RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]


Block attempts to inject _REQUEST variables; this is the last condition in the chain, so it carries no [OR]:

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

Disable xmlrpc.php (pingbacks and the XML-RPC interface). Pingbacks through xmlrpc.php are abused for DDoS amplification and its system.multicall method for brute-forcing logins; blocking the file stops both, but it also breaks Jetpack and the WordPress mobile apps, which talk to the site over XML-RPC.


Block access to debug.log (WordPress writes it to wp-content/ when WP_DEBUG_LOG is on, and it can contain file paths, queries and other internals).
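The four file-level blocks in this article (the .htaccess file itself, several files at once, xmlrpc.php and debug.log) all rely on the same two directives, so here they are together as one added example that is not code from the original article. Both the Apache 2.4 and the 2.2 syntax are given. The extra names in the FilesMatch list (.htpasswd, wp-config.php, readme.html, license.txt, error_log) are my additions; drop any you do not want.

```apache
# Added example: deny direct HTTP access to files that must never be served.
# "Require all denied" needs AllowOverride AuthConfig (2.4);
# "Deny from all" needs AllowOverride Limit (2.2).

# A single file: the .htaccess file itself. Change the name to protect any other file.
<Files ".htaccess">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Several files at once, matched by a regular expression. A root .htaccess
# applies to subdirectories too, so wp-content/debug.log is covered from here.
# xmlrpc.php is refused entirely (no pingbacks, no Jetpack, no mobile apps).
# readme.html and license.txt only reveal the WordPress version.
<FilesMatch "^(\.htpasswd|wp-config\.php|xmlrpc\.php|debug\.log|readme\.html|license\.txt|error_log)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Most stock Apache configurations already refuse every file whose name starts with .ht, but repeating it in .htaccess costs nothing and protects you on hosts where that default was removed. Check the result with a browser or curl: each of these paths should now return 403 Forbidden.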


Block some spam bots by their User-Agent (you can add whatever you want)


Prevent uploaded scripts from executing. This belongs in a directory that should only ever hold static files, such as wp-content/uploads, and not in the site root, where it would also stop index.php and the rest of WordPress from running. The trick maps the extensions to the CGI handler and then switches CGI execution off, so Apache answers 403 instead of running the file; it needs AllowOverride FileInfo (for AddHandler) and Options. Afterwards request a harmless test .php file in that directory: you should get 403, not its output and not its source.

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
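As an added example (not code from the original article), here is a complete .htaccess for wp-content/uploads that uses two independent layers. The handler trick from the article only does what it is supposed to when mod_cgi or mod_cgid is loaded and PHP is wired in through AddHandler/AddType rather than a SetHandler in the server configuration; on a host where that is not the case the second layer still refuses the file. The extension list is my own choice and goes a little beyond the article's; adjust it to what your hosting actually executes.

```apache
# Added example: .htaccess for wp-content/uploads (static files only).

# Layer 1: hand script-like extensions to the CGI handler, then switch CGI
# execution off, so Apache answers 403 instead of running the file.
# Needs AllowOverride FileInfo and Options. Directory listings are also
# never wanted in an upload folder, so -Indexes is set on the same line.
AddHandler cgi-script .php .phtml .php3 .php4 .php5 .php7 .phps .pl .py .cgi .sh
Options -ExecCGI -Indexes

# Layer 2: refuse to serve those files at all, whatever handler is attached
# to them. Needs AllowOverride AuthConfig (2.4) or Limit (2.2).
<FilesMatch "\.(php|phtml|php[3-7]|phps|pl|py|cgi|sh)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Test it the same way as above: upload (or create over FTP) a file such as test.php containing a single echo and request it; a 403 from the uploads folder means the rule works, while either PHP output or the raw source means the host ignores one of the layers and you need to ask the provider why.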

Disable the TRACE and TRACK methods (they enable cross-site tracing, which reflects request headers, cookies included, back to the client). The proper fix is TraceEnable off in the server configuration, but that directive is not permitted in .htaccess, so the rewrite rule below is the .htaccess-level equivalent.

# mod_rewrite must be available and AllowOverride FileInfo set
RewriteEngine On
# match on the request method, not on the URL
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
# answer 403 to every such request
RewriteRule .* - [F]

Block comment spam posted through open proxies. Any POST that carries one of the headers a proxy normally adds (Via, Forwarded, X-Forwarded-For and so on) is refused, except on the login page, the admin area, plugins and includes, so that you can still administer the site from behind a proxy. Caveat: a CDN or reverse proxy in front of your site (Cloudflare, a load balancer) adds X-Forwarded-For to every request, in which case this rule rejects every comment; test it before you keep it.

# only POST requests are examined
RewriteCond %{REQUEST_METHOD} =POST
# the proxy headers are concatenated; the result is non-empty if any of them is present
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
# exempt the login page, the admin area, plugins and includes
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

Return a 403 for requests containing "bad" characters and the signatures of known exploits and scanners. This is done in two places: the query string (the conditions above) and, more specifically, the request string, i.e. the raw request line and path.


More specifically, request strings


Block bad bots by User-Agent with SetEnvIfNoCase
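This is the same technique as the "spam bots" item above, so one added example (not code from the original article) serves both. Requests whose User-Agent matches are tagged with an environment variable and then refused; the agent strings in the list are placeholders picked from well-known scanner and scraper families, and you should replace them with what you actually see in your own access log.

```apache
# Added example: tag unwanted clients by User-Agent, then refuse them.
# SetEnvIf needs AllowOverride FileInfo; the deny needs AuthConfig (2.4) or Limit (2.2).
# The names below are placeholders; build the list from your own logs.

# well-known scanners and attack tools
SetEnvIfNoCase User-Agent "(sqlmap|nikto|masscan|libwww-perl)" bad_bot
# site rippers and address harvesters
SetEnvIfNoCase User-Agent "(SiteSnagger|WebStripper|WebZIP|EmailSiphon)" bad_bot

<IfModule mod_authz_core.c>
    # Apache 2.4: granted to everyone except clients carrying the tag
    <RequireAll>
        Require all granted
        Require not env bad_bot
    </RequireAll>
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2 equivalent
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
</IfModule>
```

Keep in mind that the User-Agent is chosen by the client, so this only stops tools that do not bother to disguise themselves; it is a noise filter, not an access control. Be careful with generic names such as curl or wget, which also appear in legitimate uptime monitors and backup scripts.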


Return a 403 error for every request that matched the conditions above:

RewriteRule ^(.*)$ - [F,L]

With the F flag the substitution is never used (the original version of this line named index.php as the target), so the conventional "-" is written instead. The rule must directly follow its RewriteCond lines, because a RewriteCond only applies to the very next RewriteRule.
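The query-string conditions, the "bad characters / request strings" section and the final 403 rule only work as one unit, so here they are assembled into a single working mod_rewrite block. This is an added example, not code from the original article: the first five conditions are the article's, the ones marked "added" are my own additions for the request-string part, and the whole thing assumes mod_rewrite with AllowOverride FileInfo.

```apache
# Added example: the article's query-string filter as one complete rule set,
# plus a request-line filter. Put it in the site root .htaccess, above the
# "# BEGIN WordPress" block, so it runs before WordPress's own rewrite.
# All conditions are joined with [OR], so a single hit is enough for a 403.
<IfModule mod_rewrite.c>
RewriteEngine On

# --- query string: QUERY_STRING is raw and still URL-encoded ---
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} proc/self/environ [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# added: <script> tags, literal or %-encoded
RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
# added: directory traversal, literal or %-encoded
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e/|\.\.%2f) [NC,OR]

# --- request string: THE_REQUEST is the raw request line, e.g. "GET /a?b HTTP/1.1" ---
# added: %-encoded CR/LF in the request line (header injection attempts)
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
# added: traversal in the path itself; last condition, so no [OR]
RewriteCond %{THE_REQUEST} \.\./

# one rule consumes the whole chain; with [F] the substitution is ignored
RewriteRule .* - [F,L]
</IfModule>
```

Test it with a couple of requests after saving: a URL such as /?x=GLOBALS[a]=1 or /?x=../../etc/passwd must come back as 403 Forbidden, while the front page and a normal search (/?s=test) must still load. If the whole site returns 500 instead, AllowOverride does not include FileInfo on your host and the block has to go into the virtual host configuration.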

Disable hotlinking (other sites embedding your images and spending your bandwidth). Requests with an empty Referer are allowed through, so direct visits and browsers that strip the Referer still get the image. The referer check accepts both http and https, and the replacement image is excluded from the rule so that it does not rewrite itself.

RewriteEngine On
# Change "mysite\.com" to your own domain
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Never rewrite the replacement image itself
RewriteCond %{REQUEST_URI} !/images/no-hotlinking\.png$ [NC]
# Change /images/no-hotlinking.png to an image of your own that discourages copycats
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/no-hotlinking.png [NC,L]

Did we forget something? Add it in the comments and we will add it to the article.

End of the Second Part.

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
