Support » Plugin: BulletProof Security » BPS htacess rule sets

  • Resolved gwc_wd


    A couple of questions about your implementation of htaccess through the plugin, as I must be misunderstanding the Apache documentation. I’m really interested in learning here, not to be misunderstood as challenging — I don’t pretend to have the qualifications to challenge anyone.

    So first, I thought that rules set in a parent directory htaccess are applied to child directories unless specifically over-ridden. So the BPS rules in the WordPress root do apply to the subdirectory /wp-admin/. If that is a correct understanding, what is the benefit of repeating those rules in a separate htaccess file in the wp-admin directory? Are the rules not applied if the directory is accessed directly? Or is it just an abudance of caution?

    More befuddling to me is that the application of rules from the parent is explicitly explained in the htaccess file created in wp-admin, when it informs the user that rules for the include directory have already been created in the root htaccess. So I start by thinking I have it right and then think I must not have it right or there wouldn’t be a lot of repeated rules.

    Second, looking at the BPS UserAgent rule makes me think I may misunderstand the way rewrite conditions are evaluated.

    So, in my understanding the two rules

    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader)

    contain a lot of redundant evaluation.

    For example in the second rule, if the string “python” appears in the user agent, the condition is satisfied. While in the first rule there is that set of pre-pended “this” OR “that” PLUS “python.”

    The inclusion of python in the second rule should make its presence in the first rule unnecessary overhead, no?

    Couldn’t all of the targeted strings be caught by a single condition as

    RewriteCond %{HTTP_USER_AGENT} (archiver|clshttp|curl|email|extract|grab|harvest|havij|HTTrack|java|libwww-perl|loader|miner|nikto|python|scan|wget|winhttp)

    Obviously I’m missing something, which could be important in hardening a site.

    Also I do note that there are a few strings in one that don’t appear in the other. But if my understanding of how it’s evaluated is correct, and there is a reason to have

    extract grab harvest HTTrack archiver email miner

    specially connected to the prepended characters, wouldn’t it be more efficient and easier to maintain to just keep the first rule to those exceptional strings?

    I’m assuming the possible reason for not unconditionally triggering on those strings is a contingency against some legitimate UA bearing the string “HTTrack” or something.

Viewing 3 replies - 1 through 3 (of 3 total)
  • For some reason my ability to edit is not working. Note that I realize in some places I used the word “rule” when I should have used “condition.”

    Plugin Author AITpro


    Yes, htaccess files are recursive and heirarchical, but if an htaccess file exists in a subfolder of the parent folder and the rules / conditions in that subfolder’s htaccess file are followed instead of the parent htaccess file in the case of the BPS root vs wp-admin htaccess files. I do not want to go too deep here. You can find exact specific technical details here >>>

    Yep, your are correct and the reason there are 2 rules instead of one is to allow folks different levels of control/filtering. For example some folks comment out the second UA condition entirely because it is too general.

    There is a lot of redundancy that someday i will have time to go through and perfect. Also another intended purpose was to show folks examples of what they could do/add in addition to the standard BPS .htaccess code.

    Plugin Author AITpro


    Resolving Thread.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘BPS htacess rule sets’ is closed to new replies.