iThemes Security (formerly Better WP Security)
git files not blocked by htaccess rules (3 posts)

  1. Ian Dunn
    Posted 2 years ago #

    The last section of .htaccess rules generated by BWPS has a rule that should block access to Git files, but it's not working for me. I can open https://example.com/.gitignore or https://example.com/.git/config in my browser and see the contents of the files.

    RewriteCond %{QUERY_STRING} ^.*(bash|git|hg|log|svn|swp|cvs) [NC,OR]

    I tried the updated rule from trunk, and it doesn't block them either.

    RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]


  2. MickeyRoush
    Posted 2 years ago #

    You can block all hidden files like so:

    RewriteRule ^\..+$ - [F]


    RewriteRule ^\. - [F]

    NOTE: By hidden files I mean all files that begin with a literal period.

  3. Ian Dunn
    Posted 2 years ago #

    I know, I've got an extra rule set up to block Git files, but I wanted to let BWPS's developer know that there's a bug so he can fix it. A lot of people will assume that Git/SVN/logs/etc. are being blocked because BWPS claims to be doing it, and so they won't set up their own rules and they'll be vulnerable.

This topic has been closed to new replies.
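
Added example, not part of the thread or of the plugin's code: a small Python model of how mod_rewrite evaluates the patterns quoted above. It shows that %{QUERY_STRING} holds only the text after the `?`, so a request for /.git/config never satisfies either BWPS condition, while the path-based rule from the second post does match. It assumes the rules live in the document-root .htaccess, where RewriteRule sees the path without its leading slash; `evaluate`, the sample URLs and the `(^|/)\.` variant are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the thread. mod_rewrite patterns are unanchored
# regex searches; the [NC] flag is modelled with re.IGNORECASE.
COND_RELEASED = re.compile(r"^.*(bash|git|hg|log|svn|swp|cvs)", re.I)
COND_TRUNK = re.compile(r"^.*\.(bash|git|hg|log|svn|swp|cvs)", re.I)
RULE_DOTFILE = re.compile(r"^\.")  # RewriteRule ^\. - [F]
# Assumption (not from the thread): variant that also covers
# dot-prefixed names below the top-level directory.
RULE_ANY_DEPTH = re.compile(r"(^|/)\.")


def evaluate(url):
    """Return which of the four patterns match a request for `url`."""
    parts = urlsplit(url)
    query = parts.query                # what %{QUERY_STRING} holds
    rel_path = parts.path.lstrip("/")  # what RewriteRule sees in a docroot .htaccess
    return {
        "cond_released": bool(COND_RELEASED.search(query)),
        "cond_trunk": bool(COND_TRUNK.search(query)),
        "rule_dotfile": bool(RULE_DOTFILE.search(rel_path)),
        "rule_any_depth": bool(RULE_ANY_DEPTH.search(rel_path)),
    }


# Constructed sample requests; example.com is the placeholder host from the thread.
SAMPLES = [
    "https://example.com/.gitignore",
    "https://example.com/.git/config",
    "https://example.com/wp-content/plugins/demo/.git/config",
    "https://example.com/?file=.git",
    "https://example.com/wp-login.php?action=logout",
    "https://example.com/.well-known/security.txt",
]

if __name__ == "__main__":
    for url in SAMPLES:
        hits = [name for name, hit in evaluate(url).items() if hit]
        print(f"{url:58} -> {', '.join(hits) or 'no pattern matches'}")
```

The wp-login.php sample shows the released condition matching an ordinary query string because it contains "log", and the nested sample shows that `^\.` only covers dot-prefixed names at the top level. The .well-known sample shows that a blanket dotfile rule also covers paths such as security.txt, so a deployment that serves those needs an exception.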
