  • Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Domi2015,

    Of course yes, but not perfect.

    Sometimes plugin or theme authors tend to offer their services through a standalone PHP file which doesn’t load WordPress core. A lot of vulnerabilities have been disclosed among those plugins and themes (see http://www.ipgeoblock.com/article/exposure-of-wp-config-php.html). If you want to block the attacks against those types of vulnerabilities, you need server-level control.

    So this plugin has a functionality to “Force to load WP core” using .htaccess in order to reduce the risk of such vulnerabilities.

    The difference between with and without this functionality can be found in http://www.ipgeoblock.com/codex/analysis-of-attack-vectors.html (with) and http://www.ipgeoblock.com/codex/analysis-of-attack-vectors.html (without).

    I hope this helps you.

    Thread Starter Domi2015

    (@domi2015)

    Thank you for your answer.

    I’m using a configuration with the htaccess.conf file, not .htaccess; the htaccess.conf is in the /conf/ directory, not under the httpd root folder. It’s using the <Directory> directive to do the .htaccess job without separate .htaccess files per folder.

    As described by the following:
    https://wiki.bitnami.com/Components/Apache/htaccess_configuration

    Is this supported by IP Geo Block?
    Or is there any way I could get the IP Geo Block .htaccess settings (for each folder) into the htaccess.conf? i.e. to view the IP Geo Block .htaccess changes.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Domi2015,

    Thank you for the information about your server.

    Is this supported by IP Geo Block?

    Unfortunately no. I have no experience with Bitnami. I think we should make something like an “ip-geo-block-plugins.conf” and put it outside the document root.

    I’d install Bitnami on my local PC and check if the conf file works. I hope you can wait until I finish my checking.

    Thanks.

    Thread Starter Domi2015

    (@domi2015)

    Thank you very much.

    I believe the Apache .htaccess will be replaced by htaccess.conf as the best practice for better security and performance.

    Great plugin.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Domi2015,

    I believe the Apache .htaccess will be replaced by htaccess.conf

    You’re right!

    At first, I installed the “Bitnami WordPress Stack”, which seems to be very strict about editing any WordPress files, for security. (I should use FTP to upload any files to my local machine!!) So I uninstalled it and then installed the “Bitnami MAMP stack”, which lets me edit WordPress configuration files freely :).

    The “Bitnami MAMP stack” can also handle the “htaccess.conf” file. I tested the following conf snippet in my local environment and found it works fine. I installed WordPress under “htdocs/wordpress/”. I think you can also use it (but please replace the directory and path to fit your installation):

    <Directory "/Applications/mampstack-5.6.22-0/apache2/htdocs/wordpress/wp-content/plugins">
    # BEGIN IP Geo Block
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteBase /wordpress/wp-content/plugins/ip-geo-block/
    RewriteCond %{REQUEST_URI} !ip-geo-block/rewrite.php$
    RewriteRule ^.*\.php$ rewrite.php [L]
    </IfModule>
    # END IP Geo Block
    </Directory>
    
    <Directory "/Applications/mampstack-5.6.22-0/apache2/htdocs/wordpress/wp-content/themes">
    # BEGIN IP Geo Block
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteBase /wordpress/wp-content/plugins/ip-geo-block/
    RewriteRule ^.*\.php$ rewrite.php [L]
    </IfModule>
    # END IP Geo Block
    </Directory>

    The following steps show how to test your configuration.

    1. Confirm that your IP Geo Block settings enable “Prevent Zero-day Exploit” for the “Plugins area”.
    2. Before you set up your conf file for IP Geo Block, please access http://example.com/wp-content/plugins/ip-geo-block/samples.php, which shows just “0”.
    3. Set up your conf file for IP Geo Block. This is done by putting the above configuration into your “htaccess.conf” and then restarting your Bitnami server.
    4. Access http://example.com/wp-content/plugins/ip-geo-block/samples.php again. Please note that there is a case where Varnish prevents showing the fresh page (https://wiki.bitnami.com/Applications/BitNami_Wordpress/How_to_configure_WordPress_with_Varnish). In this case, access your home page once (or clean up your browser’s cache) and then access samples.php again. If you see the “Forbidden” page, then your conf file works fine.

    Good luck!
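The test steps above, scripted as an added example (not code from the thread or from the plugin): it fetches the status code of samples.php with cache-bypass headers and a random query string so a Varnish cache does not return a stale copy, then reports whether the <Directory> rules are in effect. It assumes curl is installed, that the plugin lives at wp-content/plugins/ip-geo-block/, and that the “Forbidden” page corresponds to HTTP 403; http://example.com is a placeholder for your site.

```shell
# Added example, not part of the original thread. Assumes curl and that a
# blocked direct access to samples.php returns HTTP 403.

# Map an HTTP status code to a verdict about the rewrite rules.
# 403: rewrite.php loaded WP core and IP Geo Block refused the direct access.
# 200: the file was served directly, so the <Directory> rules are not applied.
verdict() {
    case "$1" in
        403) printf 'blocked' ;;
        200) printf 'not-blocked' ;;
        *)   printf 'unexpected' ;;
    esac
}

# Fetch only the status code. The random query string and the no-cache
# headers keep a Varnish cache in front of Apache (as on the Bitnami stack)
# from handing back a stale copy of samples.php.
probe_status() {
    site="${1%/}"
    bust="$(date +%s)$$"
    curl -s -o /dev/null -w '%{http_code}' \
        -H 'Cache-Control: no-cache' -H 'Pragma: no-cache' \
        "$site/wp-content/plugins/ip-geo-block/samples.php?nocache=$bust"
}

# Returns 0 when the forced load of WP core is active, 1 otherwise.
check_forced_load() {
    code="$(probe_status "$1")"
    result="$(verdict "$code")"
    printf 'samples.php -> HTTP %s (%s)\n' "$code" "$result"
    [ "$result" = "blocked" ]
}

# Usage: sh check.sh http://example.com
if [ "$#" -gt 0 ]; then
    check_forced_load "$1"
fi
```

Run it once before adding the snippet to htaccess.conf (expect “not-blocked”) and once after restarting Apache (expect “blocked”).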

    Thread Starter Domi2015

    (@domi2015)

    Really helpful. Thank you very much.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    You’re very welcome, at any time!

  • The topic ‘Could it work with allowoveride none ?’ is closed to new replies.