Yesterday we started a series of guides for the amazing tool .htaccess. For those who did not read the first part, .htaccess is a small configuration file of the Apache web server. Today we will see how we can edit it to improve the security of a WordPress installation.
We will once again stress the importance of editing all files (.php, .sql) destined for a Linux environment with the Notepad++ editor and not with the classic Windows Notepad.
To start editing the file you need to download it to your computer. Then, with Notepad++ installed, a right click on the file will give you the option: Edit with Notepad++.
Before proceeding, keep a backup of the file you downloaded.
After editing the file there are two ways to save it.
The easiest is to use the floppy disk icon in the upper left corner of the Notepad++ window.
You will need the second way if you want to save .htaccess in a Windows environment with Save As.
Because Windows treats .htaccess as the file extension and considers the file name missing, it will prompt you to give your file a name, e.g. name.htaccess. You can avoid this by using quotes.
So try saving your file as ".htaccess".
After the basics, let's see how we can secure our WordPress site.
Let's start by protecting .htaccess itself. You can use the same directive to deny access to any file you want by simply changing the file name.
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
Block access to several files at once (you can add more if you need; FILE1 and FILE2 are placeholders, replace them with the names of the files you want to protect).
<FilesMatch "^(FILE1|FILE2)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Let's block browser access to directory listings of the site's folders.
Options All -Indexes
To enable listings instead of disabling them, use + in place of -. That is:
Options All +Indexes
Of course, since we are talking about security, forget the above command.
Block an IP address
Order Allow,Deny
Deny from xxx.xxx.xxx.xxx
Allow from all
Let's close some gaps now
The following conditions are chained with [OR] and only take effect through the RewriteRule that closes the block.
RewriteEngine On
# Block any script with base64_encode-encoded commands
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block requests that reference proc/self/environ
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Protect against any script trying to change PHP GLOBALS values
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Protect against any script trying to change a mosConfig value
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block any URL that contains a <script> tag
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block attempts to change the _REQUEST variables
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# [F] answers 403 Forbidden to any request matching one of the conditions above
RewriteRule ^(.*)$ index.php [F,L]
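As an added check that is not part of the original article: a small Python script that replays the six query-string conditions above against constructed access-log lines and reports which requests the rules would block. The addresses, paths and timestamps are invented for this example; the last log line shows an ordinary search term tripping the <script> rule, a false positive worth knowing about before deploying it.

```python
import re
# Query-string conditions from the .htaccess snippet above, one entry per
# RewriteCond. Apache tests them against the raw, still URL-encoded query
# string; only the script-tag rule carries [NC] (case-insensitive).
QUERY_STRING_RULES = [
    ("base64_encode", re.compile(r"base64_encode.*\(.*\)")),
    ("proc/self/environ", re.compile(r"proc/self/environ")),
    ("GLOBALS override", re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("mosConfig override", re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)")),
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("_REQUEST override", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
]

# Constructed access-log lines (combined log format) used as test input;
# the addresses, paths and timestamps are invented for this example.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /?p=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Jan/2024:10:00:02 +0000] "GET /?s=wordpress+security HTTP/1.1" 200 7421 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?x=base64_encode(abc) HTTP/1.1" 200 900 "-" "curl/7.88"
203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?file=../../proc/self/environ HTTP/1.1" 200 900 "-" "curl/7.88"
203.0.113.6 - - [01/Jan/2024:10:00:05 +0000] "GET /?GLOBALS[x]=1 HTTP/1.1" 200 900 "-" "python-requests/2.31"
203.0.113.6 - - [01/Jan/2024:10:00:06 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jan/2024:10:00:07 +0000] "GET /?_REQUEST[a]=b HTTP/1.1" 200 900 "-" "curl/7.88"
192.0.2.12 - - [01/Jan/2024:10:00:08 +0000] "GET /?s=%3Cb%3E+job+description+%3Cbr%3E HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def matching_rule(query_string):
    """Name of the first rule that matches, or None if the request would pass."""
    for name, pattern in QUERY_STRING_RULES:
        if pattern.search(query_string):
            return name
    return None

def audit_log(log_text):
    """Map each request in the log to the rule that would block it (None = allowed)."""
    results = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match:  # skip lines that are not request records
            query = match.group(1).partition("?")[2]  # only the query string is tested
            results.append((match.group(1), matching_rule(query)))
    return results

if __name__ == "__main__":
    for request, rule in audit_log(SAMPLE_LOG):
        print(f"{('BLOCK ' + rule) if rule else 'allow':<26} {request}")
```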
Disable pings to xmlrpc.php
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
Block access to debug.log
<Files debug.log>
Order Deny,Allow
Deny from all
</Files>
Block certain spy bots (you can add as many as you want)
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^SquigglebotBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SurveyBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^YottaShopping_Bot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^webcrawl\.net [NC]
RewriteRule ^(.*)$ - [F,L]
Prohibit the execution of various scripts
# Use this only in a directory that must never run code, such as wp-content/uploads;
# at the site root it would also stop WordPress's own PHP files from running
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
Disable the TRACE and TRACK methods
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Block connections through proxies that try to post comments
RewriteEngine On
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]
Block, by redirecting to a 403 error, "bad" characters and known reconnaissance exploits
RedirectMatch 403 \,
RedirectMatch 403 \:
RedirectMatch 403 \;
RedirectMatch 403 \=
RedirectMatch 403 \@
RedirectMatch 403 \[
RedirectMatch 403 \]
RedirectMatch 403 \^
RedirectMatch 403 \`
RedirectMatch 403 \{
RedirectMatch 403 \}
RedirectMatch 403 \~
RedirectMatch 403 \"
RedirectMatch 403 \$
RedirectMatch 403 \<
RedirectMatch 403 \>
RedirectMatch 403 \|
RedirectMatch 403 \.\.
RedirectMatch 403 \%0
RedirectMatch 403 \%A
RedirectMatch 403 \%B
RedirectMatch 403 \%C
RedirectMatch 403 \%D
RedirectMatch 403 \%E
RedirectMatch 403 \%F
RedirectMatch 403 \%22
RedirectMatch 403 \%27
RedirectMatch 403 \%28
RedirectMatch 403 \%29
RedirectMatch 403 \%3C
RedirectMatch 403 \%3E
RedirectMatch 403 \%3F
RedirectMatch 403 \%5B
RedirectMatch 403 \%5C
RedirectMatch 403 \%5D
RedirectMatch 403 \%7B
RedirectMatch 403 \%7C
RedirectMatch 403 \%7D
# COMMON PATTERNS
RedirectMatch 403 \_vpi
RedirectMatch 403 \.inc
RedirectMatch 403 xAou6
RedirectMatch 403 db\_name
RedirectMatch 403 select\(
RedirectMatch 403 convert\(
RedirectMatch 403 \/query\/
RedirectMatch 403 ImpEvData
RedirectMatch 403 \.XMLHTTP
RedirectMatch 403 proxydeny
RedirectMatch 403 function\.
RedirectMatch 403 remoteFile
RedirectMatch 403 servername
RedirectMatch 403 \&rptmode\=
RedirectMatch 403 sys\_cpanel
RedirectMatch 403 db\_connect
RedirectMatch 403 doeditconfig
RedirectMatch 403 check\_proxy
RedirectMatch 403 system\_user
RedirectMatch 403 \/\(null\)\/
RedirectMatch 403 clientrequest
RedirectMatch 403 option\_value
RedirectMatch 403 ref\.outcontrol
# Specific exploits
RedirectMatch 403 errors\.
RedirectMatch 403 config\.
RedirectMatch 403 include\.
RedirectMatch 403 display\.
RedirectMatch 403 register\.
RedirectMatch 403 password\.
RedirectMatch 403 maincore\.
RedirectMatch 403 authorize\.
RedirectMatch 403 macromates\.
RedirectMatch 403 head\_auth\.
RedirectMatch 403 submit\_links\.
RedirectMatch 403 change\_action\.
RedirectMatch 403 com\_facileforms\/
RedirectMatch 403 admin\_db\_utilities\.
RedirectMatch 403 admin\.webring\.docs\.
RedirectMatch 403 Table\/Latest\/index\.
More specific request strings
RedirectMatch 403 (https?|ftp|php)\://
RedirectMatch 403 /(https?|ima|ucp)/
RedirectMatch 403 /(Permanent|Better)$
RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
RedirectMatch 403 (\,|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
RedirectMatch 403 \.well\-known/host\-meta
RedirectMatch 403 /function\.array\-rand
RedirectMatch 403 \)\;\$\(this\)\.html\(
RedirectMatch 403 proc/self/environ
RedirectMatch 403 msnbot\.htm\)\.\_
RedirectMatch 403 /ref\.outcontrol
RedirectMatch 403 com\_cropimage
RedirectMatch 403 indonesia\.htm
RedirectMatch 403 \{\$itemURL\}
RedirectMatch 403 function\(\)
RedirectMatch 403 labels\.rdf
RedirectMatch 403 /playing.php
RedirectMatch 403 muieblackcat
Blocking by User-Agent with SetEnvIfNoCase
# The commented line below would also block requests with an empty User-Agent; uncomment it if you want that
# SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
Order Allow,Deny
Allow from all
Deny from env=keep_out
Redirect every blocked request to the home page with error code 403
# Place this rule directly after the RewriteCond lines it concludes; on its own it would answer 403 to every request
RewriteRule ^(.*)$ index.php [F,L]
Disable hotlinking
RewriteEngine On
# Replace mysite\.com with your site's domain (https? so that your own pages served over HTTPS are not blocked)
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Replace /images/no-hotlinking.png with an image of your own that discourages copycats;
# the replacement image is excluded so that it can always be served
RewriteCond %{REQUEST_URI} !/images/no-hotlinking\.png$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/no-hotlinking.png [L]
Did we forget something? You can add it in the comments and we will add it to the article.
End of Part Two.