WordPress.org

Ready to get started?Download WordPress

Forums

BulletProof Security
[resolved] allowing access to old sub-directories with htaccess in WP Multisite (5 posts)

  1. t0mmyZ
    Member
    Posted 2 years ago #

    Hi there

    I would like to enable access to non-wordpress sub-directories that are in the same root folder as my install (multisite).

    I am using BP Security (loves) with all the protections enabled. I Also have WP Supercache enabled which adds up to a very complicated htaccess file.

    I tried different solutions to permit the access and with no success, so I figured I'll try and get help with BP Security as the htaccess file is heavily modified by it.

    here is my htaccess file, any ideas would be greatly appreciated!!!

    #   BULLETPROOF .46.4 >>>>>>> SECURE .HTACCESS     
    
    # If you edit the line of code above you will see error messages on the BPS status page
    # BPS is reading the version number in the htaccess file to validate checks
    # If you would like to change what is displayed above you
    # will need to edit the BPS functions.php file to match your changes
    # For more info see the BPS Guide at AIT-pro.com
    
    # If you are getting 500 Errors when activating BPS then comment out Options -Indexes
    Options -Indexes
    
    # BEGIN WPSuperCache
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    AddDefaultCharset UTF-8
    RewriteCond %{REQUEST_URI} !^.*[^/]$
    RewriteCond %{REQUEST_URI} !^.*//.*$
    RewriteCond %{REQUEST_METHOD} !POST
    RewriteCond %{QUERY_STRING} !.*=.*
    RewriteCond %{HTTP:Cookie} !^.*(comment_author_|wordpress_logged_in|wp-postpass_).*$
    RewriteCond %{HTTP:X-Wap-Profile} !^[a-z0-9\"]+ [NC]
    RewriteCond %{HTTP:Profile} !^[a-z0-9\"]+ [NC]
    RewriteCond %{HTTP:Accept-Encoding} gzip
    RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/supercache/%{HTTP_HOST}/$1/index.html.gz -f
    RewriteRule ^(.*) "/wp-content/cache/supercache/%{HTTP_HOST}/$1/index.html.gz" [L]
    
    RewriteCond %{REQUEST_URI} !^.*[^/]$
    RewriteCond %{REQUEST_URI} !^.*//.*$
    RewriteCond %{REQUEST_METHOD} !POST
    RewriteCond %{QUERY_STRING} !.*=.*
    RewriteCond %{HTTP:Cookie} !^.*(comment_author_|wordpress_logged_in|wp-postpass_).*$
    RewriteCond %{HTTP:X-Wap-Profile} !^[a-z0-9\"]+ [NC]
    RewriteCond %{HTTP:Profile} !^[a-z0-9\"]+ [NC]
    RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/supercache/%{HTTP_HOST}/$1/index.html -f
    RewriteRule ^(.*) "/wp-content/cache/supercache/%{HTTP_HOST}/$1/index.html" [L]
    </IfModule>
    # END WPSuperCache
    
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !=dharma-gate.com
    RewriteRule ^clients(/|/.*)?$ - [NC,F]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
    
    # If you want to add a custom 403 Forbidden page for your website uncomment the
    # ErrorDocument line of code below and copy the ait-pro.com example forbidden
    # HTML page to your correct website folder. See the BPS Help and FAQ page for
    # detailed instructions on how to do this. If your Theme 404 template is named
    # 404.php then you can uncomment the 404 line below now. If your 404 template is
    # named some other file name then change 404.php to the name of your 404 template
    # name and uncomment the 404 line of code below.
    # ErrorDocument 403 /forbidden.html
    # ErrorDocument 404 /404.php
    
    # Plugin conflicts will be handled case by case
    # You can leave the plugin fixes code intact just in case you install one of these plugins
    # at a later time. Thousands of lines of htaccess code can be read in milliseconds
    # so leaving the code intact does not slow down your website performance at all.
    # Thousands of plugins have been tested with BPS and the plugin conflict fixes
    # contained in this BPS master file are permanent fixes for conflicts found with
    # these plugins. If you use AutoMagic to create this file then your correct WordPress installation
    # folder name will be automatically added to the plugin fixes that need a WP folder name.
    # If you choose to manually edit this file instead of using AutoMagic be sure to add your
    # WordPress installation folder name to the fixes that require your WordPress folder name.
    # Your WordPress installation folder name can be found on the System Info page. If you only see
    # a forward slash then you have a root folder installation and do not need to add a folder name.
    
    # redirect_to= string fix - fixes issues with plugins that use the redirect_to= string
    RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
    RewriteRule . - [S=30]
    
    # Login Plugins Password Reset And Redirect Conflicts Fix 1
    RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
    RewriteRule . - [S=30]
    
    # Login Plugins Password Reset And Redirect Conflicts Fix 2
    RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
    RewriteRule . - [S=30]
    
    # BuddyPress Logout Redirect fix - skip BPS Filters on Logout link Redirect
    # WordPress 3.0.4 or higher must be installed for this fix to work
    RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
    RewriteRule . - [S=30]
    
    # Ozh' Admin Drop Down Menu Display Fix
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/ozh-admin-drop-down-menu/ [NC]
    RewriteRule . - [S=30]
    
    # ComicPress Manager ComicPress Theme Image Fix
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/comicpress-manager/ [NC]
    RewriteRule . - [S=30]
    
    # TimThumb and all other Thumbnailer Images not displaying - Red X instead of Images
    # If your theme uses an image thumbnailer script file this fix will work to display images correctly
    # as long as thumb is part of the file name like timthumb.php, thumb.php, thumbs.php or phpthumb.php
    RewriteCond %{REQUEST_FILENAME} ^(.*)thumb(.*)$ [NC]
    RewriteRule ^(.*)$ - [S=30]
    
    # YAPB Image Display fix
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/yet-another-photoblog/ [NC]
    RewriteRule . - [S=30]
    
    # WordPress.com Stats Flash SWF Graph Does Not Load Fix
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stats/ [NC]
    RewriteRule . - [S=30]
    
    # Status Updater plugin fix
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
    RewriteRule . - [S=30]
    
    # wp-extplorer login fix
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-extplorer/ [NC]
    RewriteRule . - [S=30]
    
    # Adminer MySQL management tool fix
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
    RewriteRule . - [S=30]
    
    # Peters Custom Anti-Spam Image fix
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
    RewriteRule . - [S=30]
    
    # Stream Video Player - Adding FLV Videos is Blocked By BPS
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
    RewriteRule . - [S=30]
    
    # FeedWordPress - ?update_feedwordpress= String Blocked
    RewriteCond %{QUERY_STRING} update_feedwordpress=(.*) [NC]
    RewriteRule . - [S=30]
    
    # XCloner 404 or 403 error when updating settings
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
    RewriteRule . - [S=30]
    
    # podPress rewrite ?feed=podcast as /feed/podcast
    # If you are using a custom slug then add the slug name to the rewriterule
    # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
    RewriteCond %{QUERY_STRING} feed=podcast [NC]
    RewriteRule (.*) /feed/podcast/$1? [R=301,L]
    
    # podPress rewrite ?feed=enhancedpodcast as /feed/enhancedpodcast
    # If you are using a custom slug then add the slug name to the rewriterule
    # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
    RewriteCond %{QUERY_STRING} feed=enhancedpodcast [NC]
    RewriteRule (.*) /feed/enhancedpodcast/$1? [R=301,L]
    
    # podPress rewrite ?feed=torrent as /feed/torrent
    # If you are using a custom slug then add the slug name to the rewriterule
    # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
    RewriteCond %{QUERY_STRING} feed=torrent [NC]
    RewriteRule (.*) /feed/torrent/$1? [R=301,L]
    
    # podPress rewrite ?feed=premium as /feed/premium
    # If you are using a custom slug then add the slug name to the rewriterule
    # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
    RewriteCond %{QUERY_STRING} feed=premimum [NC]
    RewriteRule (.*) /feed/premium/$1? [R=301,L]
    
    # FILTER REQUEST METHODS
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F,L]
    
    # QUERY STRING EXPLOITS
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag\= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
    RewriteCond %{QUERY_STRING} http\:  [NC,OR]
    RewriteCond %{QUERY_STRING} https\:  [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]
    RewriteRule ^(.*)$ - [F,L]
    
    # Deny Access to wp-config.php, bb-config.php, /wp-admin/install.php, all .htaccess files
    # php.ini, php5.ini and the WordPress readme.html installation file.
    # To allow ONLY yourself access to these files add your current IP address below to the
    # Allow from line of code and remove the # sign in front of Allow from to uncomment it
    <FilesMatch "^(wp-config\.php|install\.php|\.htaccess|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
     Deny from all
    # Allow from 88.55.66.200
    </FilesMatch>

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. t0mmyZ
    Member
    Posted 2 years ago #

    in there I have one of the solutions I tried to implement to allow access to a folder called clients:

    RewriteCond %{HTTP_HOST} !=dharma-gate.com
    RewriteRule ^clients(/|/.*)?$ - [NC,F]

    I have placed it right after:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On

    so far it has not worked.

  3. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    You are saying that you want to allow access, but the htaccess RewriteRule says Forbid access.
    RewriteRule ^clients(/|/.*)?$ - [NC,F]

    Are you trying to remove all the security filters from being applied to the clients folder? If so, then you would probably want to use a skip rule instead.

    Possible solutions:
    RewriteRule ^clients(/|/.*)?$ - [S=30]

    RewriteCond %{REQUEST_URI} ^/clients/ [NC]
    RewriteRule . - [S=30]

    RewriteCond %{REQUEST_URI} ^/(clients|blah|foo|bar) [NC]
    RewriteRule . - [S=30]

    Also you can always add another .htaccess file in specific directories to cancel out the Security Exploit Filters and URL rewriting from the parent directory.

    if you upload a simple one line .htaccess file to the folder /clients

    # Turn off URL rewriting for /clients folder
    RewriteEngine Off

    This will turn off all RewriteRules for only the /clients folder.
    thanks.

  4. t0mmyZ
    Member
    Posted 2 years ago #

    Hi AITPro

    Much thanks for your help on this matter. Yes I did have the F flag in there which forbid access to the folder. I tried so many solutions that this might have sneaked in there.

    It turned out that my problem was coming from the statement preventing access to install.php by BP Security. See I was trying to install a php script in /clients/ so no how much I tried to grant access to it, this line prevented it:

    <FilesMatch "^(wp-config\.php|install\.php|\.htaccess|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    Deny from all

    so I added an allow statement there for my ip and everything is golden now.

    Thanks again for your help,

    Tom

  5. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    Oh wow.
    Yeah i need to create a separate rule for the /wp-admin/install.php file. The FilesMatch rule is too broad as you just found out the hard way. Sorry about that. ;)
    I will add this to my fixes list for the next version release of BPS.
    This actually seems like the best way to go...
    Remove install.php from the root .htaccess files FilesMatch section and add this to the /wp-admin .htaccess file.

    # Deny Access to /wp-admin/install.php
    # To allow ONLY yourself access to the /wp-admin/install.php file add your current IP address below to the
    # Allow from line of code and remove the # sign in front of Allow from to uncomment it
    <FilesMatch "^(install\.php)">
    Deny from all
    # Allow from 88.77.66.55
    </FilesMatch>

    Thanks.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic