• Resolved frenchomatic

    (@frenchomatic)


    Hi,

    I have a quick technical question and am looking for advice. I have installed your plugin and it appears to be doing a fine job. It is looking like a 5 star review and then most probably the paid version.

    I am on shared hosting and cloudflare so I put the special ninja file up in home/username/ . I also run the most up to date WP and use the login rename plugin. All appears to be running fine.

    However, I wanted to know if I can now remove this from my .htaccess

    <FilesMatch "^.*(error_log|wp-login\.php|\.sdfe|wp-config\.php|xmlrpc\.php|php.ini|\.[hH][tT][aApP].*)$">
    Order deny,allow
    Deny from all
    </FilesMatch>

    RedirectMatch 403 (.*)wp-login\.php$

    <IfModule mod_rewrite.c>
    RewriteEngine on
    Options +FollowSymLinks
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]
    </IfModule>

    # directory browsing
    Options All -Indexes

    I also use another .htaccess in wp-content and wp-includes

    Order deny,allow
    Deny from all
    <Files ~ ".(xml|css||woff|svg|ttf||pdf|ico|jpe?g|png|gif|js)$">
    Allow from all
    </Files>

    Basically, I am not sure if I am adding to the security of your firewall or detracting from it. Finally, I also use the Block Bad Queries (BBQ) plugin – do I still need that?

    I was hacked badly and I don’t want it to happen again.

    • This topic was modified 9 years, 5 months ago by frenchomatic.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    You can consider editing some parts of the .htaccess code that are useless:
    <FilesMatch "^.*(error_log|wp-login\.php|\.sdfe|wp-config\.php|xmlrpc\.php|php.ini|\.[hH][tT][aApP].*)$">

    Could be replaced with:
    <FilesMatch "^.*(error_log|wp-login\.php|\.sdfe|wp-config\.php|xmlrpc\.php|php.ini)$">
    No need to protect “.ht*” files, Apache will always refuse to serve them.

    I would remove this code, because the wp-login.php is already protected by the previous rule:
    RedirectMatch 403 (.*)wp-login\.php$

    This one could be removed too, it does not make too much sense and can be easily bypassed:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    Options +FollowSymLinks
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]
    </IfModule>
    

    This one seems wrong because you have two consecutive “||” signs twice: after css and ttf:
    <Files ~ ".(xml|css||woff|svg|ttf||pdf|ico|jpe?g|png|gif|js)$">

    It’s up to you if you want to keep any other security plugins, in most cases it is not needed.
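
    A quick way to see what the stray "||" does, as an added Python check that is not from the thread or the plugin: Apache's <Files ~ regex> is an unanchored search, and an empty alternative lets the pattern match any non-empty filename, so the inner "Allow from all" overrides the outer deny for every file in wp-content, PHP included. The sample filenames are constructed; escaping the leading dot in the fixed pattern is an extra hardening beyond what the reply mentions.

```python
import re

# BROKEN is the <Files ~ "..."> regex quoted in the thread, with the two empty
# alternatives ("||") left in place. FIXED removes them and also escapes the
# leading dot (an additional hardening, not something the reply asked for):
# an unescaped "." matches any character, so "foojs" would otherwise pass.
BROKEN = r".(xml|css||woff|svg|ttf||pdf|ico|jpe?g|png|gif|js)$"
FIXED = r"\.(xml|css|woff|svg|ttf|pdf|ico|jpe?g|png|gif|js)$"

# Constructed sample filenames; not taken from the thread.
SAMPLES = [
    "style.css",          # static asset, should be allowed
    "logo.png",
    "script.js",
    "backdoor.php",       # PHP dropped into wp-content, must stay denied
    "wp-config.php.bak",  # backup copies must stay denied
    "uploads",            # extension-less name, must stay denied
    "x",
]


def allowed(pattern, filename):
    """Mirror Apache's <Files ~ regex>: an unanchored search that, on a match,
    applies the enclosed 'Allow from all' and overrides the outer deny."""
    return re.search(pattern, filename) is not None


def evaluate(pattern, names=SAMPLES):
    """Return the subset of names the pattern would allow through."""
    return [n for n in names if allowed(pattern, n)]


def main():
    # With the empty alternative, every sample is allowed; the fixed pattern
    # lets only the three static assets through.
    for label, pat in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{label:6}: allows {evaluate(pat)}")


if __name__ == "__main__":
    main()
```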

    Thread Starter frenchomatic

    (@frenchomatic)

    Many thanks for catching that || error. The plugin is really knocking them away on my sites. Never really realized how much traffic doing this I was getting.


The topic ‘Compatability with current .htaccess rules’ is closed to new replies.