BPS htacess rule sets

A couple of questions about your implementation of htaccess through the plugin, as I must be misunderstanding the Apache documentation. I’m really interested in learning here, not to be misunderstood as challenging — I don’t pretend to have the qualifications to challenge anyone.

So first, I thought that rules set in a parent directory htaccess are applied to child directories unless specifically over-ridden. So the BPS rules in the WordPress root do apply to the subdirectory /wp-admin/. If that is a correct understanding, what is the benefit of repeating those rules in a separate htaccess file in the wp-admin directory? Are the rules not applied if the directory is accessed directly? Or is it just an abudance of caution?

More befuddling to me is that the application of rules from the parent is explicitly explained in the htaccess file created in wp-admin, when it informs the user that rules for the include directory have already been created in the root htaccess. So I start by thinking I have it right and then think I must not have it right or there wouldn’t be a lot of repeated rules.

Second, looking at the BPS UserAgent rule makes me think I may misunderstand the way rewrite conditions are evaluated.

So, in my understanding the two rules

RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader)

contain a lot of redundant evaluation.

For example in the second rule, if the string “python” appears in the user agent, the condition is satisfied. While in the first rule there is that set of pre-pended “this” OR “that” PLUS “python.”

The inclusion of python in the second rule should make its presence in the first rule unnecessary overhead, no?

Couldn’t all of the targeted strings be caught by a single condition as

RewriteCond %{HTTP_USER_AGENT} (archiver|clshttp|curl|email|extract|grab|harvest|havij|HTTrack|java|libwww-perl|loader|miner|nikto|python|scan|wget|winhttp)

Obviously I’m missing something, which could be important in hardening a site.

Also I do note that there are a few strings in one that don’t appear in the other. But if my understanding of how it’s evaluated is correct, and there is a reason to have

extract grab harvest HTTrack archiver email miner

specially connected to the prepended characters, wouldn’t it be more efficient and easier to maintain to just keep the first rule to those exceptional strings?

I’m assuming the possible reason for not unconditionally triggering on those strings is a contingency against some legitimate UA bearing the string “HTTrack” or something.

http://wordpress.org/extend/plugins/bulletproof-security/