This code would block ‘.php’ in all URLs:
<?php
// Runs from .htninja, before WordPress loads; returning 'BLOCK' rejects the request.
if ( strpos( $_SERVER['REQUEST_URI'], '.php' ) !== FALSE ) {
    return 'BLOCK';
}
Thread Starter
john53
(@john53)
Thank you very much, I have now purchased the wp plus version.
Can I just add .php to the url address blacklist in access control?
Thread Starter
john53
(@john53)
Also can I use * as a wildcard in the ip address and url address entries for access control?
Thanks
If you use the “Access Control > URL address” blacklist, it will apply to $_SERVER['SCRIPT_NAME'] and $_SERVER['REQUEST_URI']. That means that on a default WordPress site, all traffic is blocked. For instance, when someone accesses http://example.com/, WordPress loads the index.php, which will match the $_SERVER['SCRIPT_NAME'] variable.
If you use my sample code with the .htninja, only $_SERVER['REQUEST_URI'] will be blocked. Someone accessing http://example.com/ won’t be blocked.
You cannot use wildcards in the URL access control. Regarding IP addresses, you can use CIDR (e.g. 66.155.0.0/17, 2c0f:f248::/32) or AS numbers.
This reply was modified 2 years, 8 months ago by nintechnet.
Thread Starter
john53
(@john53)
Hi
I added the code to .htninja without the “<?php”, as this is already present with some code. It works well.
It doesn’t lock me out of the website. The only slight downside is that it does lock me out of my admin.
As whitelisting won’t work, since this happens before WordPress loads, I found a workaround. I go to the cPanel File Manager, cut the code and save .htninja, then when I have finished just paste it back and save .htninja again.
I think it is well worth the effort for the substantial hardening of security.
Thank you very much for your help
Best regards
John
Thread Starter
john53
(@john53)
Hi
Just found some requests that got past .htninja.
They are all either GET /wp-content/index.php or GET /index.php.
NinjaFirewall blocked them and they showed up in the log.
Will the code in .htninja not block these particular requests?
Best regards
John
Thread Starter
john53
(@john53)
At the moment I am blocking the requests by blacklisting the IP addresses.
Could I use the “User Input” blocked inputs?
GET:index
GET:index.php
Thanks
If you block $_SERVER['REQUEST_URI'] in the .htninja, that won’t block someone accessing / and GET /wp-content/, because there’s no index.php string in the REQUEST_URI, although the index.php will be served.
The Access Control will block it because it applies to $_SERVER['SCRIPT_NAME'] in addition to $_SERVER['REQUEST_URI'].
If you want the .htninja to block it, you need to replace $_SERVER['REQUEST_URI'] with $_SERVER['SCRIPT_NAME']. That will block GET /wp-content/ and GET /wp-content/index.php, for instance.
User input won’t work, as it is for input only, not scripts.
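Putting nintechnet's two replies together (the REQUEST_URI snippet at the top of the thread and the SCRIPT_NAME explanation in the last reply), here is an added example. It is not code from the thread and not NinjaFirewall's own code. It keeps both checks, adds a trusted-IP exemption for the admin lockout john53 describes, and goes one step beyond the thread by stripping the query string and percent-decoding the path before matching, so that "/?s=.php" is not blocked while "/x%2ePHP" is. The function name htninja_should_block, the variable htninja_trusted_ips, the 203.0.113.10 address and the sample requests are all assumptions of this example; it also assumes WordPress is installed at the web root, so that "/" runs "/index.php". Drop the opening "<?php" if your .htninja already starts with one.

```php
<?php
// Added example: not code from the forum thread and not part of NinjaFirewall.
// Body of a .htninja file. NinjaFirewall includes it before WordPress loads, so
// only $_SERVER is available; returning the string 'BLOCK' rejects the request
// (the one return value shown in the thread) and falling through lets the
// firewall continue. Assumes WordPress at the web root (SCRIPT_NAME '/index.php').

// ASSUMPTION: trusted client addresses that may still reach .php scripts
// directly (the admin's own IP). Constructed RFC 5737 address; replace it.
// An empty list reproduces the admin lockout described in the thread.
$htninja_trusted_ips = array( '203.0.113.10' );

if ( ! function_exists( 'htninja_should_block' ) ) {
    /**
     * Decide whether a request must be blocked.
     *
     * @param array $server  $_SERVER-like array (REQUEST_URI, SCRIPT_NAME, REMOTE_ADDR).
     * @param array $trusted Client IPs exempt from the rule.
     * @return bool
     */
    function htninja_should_block( array $server, array $trusted = array() ) {
        $uri    = isset( $server['REQUEST_URI'] ) ? $server['REQUEST_URI'] : '';
        $script = isset( $server['SCRIPT_NAME'] ) ? $server['SCRIPT_NAME'] : '';
        $ip     = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';

        if ( $ip !== '' && in_array( $ip, $trusted, true ) ) {
            return false;
        }

        // Look only at the path: "/?s=.php" is a search, not a script request.
        $q    = strpos( $uri, '?' );
        $path = ( $q === false ) ? $uri : substr( $uri, 0, $q );
        // REQUEST_URI is still percent-encoded; the web server decodes it before
        // mapping it to a file, so "%2ephp" must be treated as ".php".
        $path = rawurldecode( $path );

        // Rule 1 (REQUEST_URI, the thread's original check): the client named a
        // .php path explicitly, e.g. GET /index.php or GET /wp-content/index.php.
        if ( stripos( $path, '.php' ) !== false ) {
            return true;
        }

        // Rule 2 (SCRIPT_NAME, the last reply): a script will run even though the
        // URI does not name one, e.g. GET /wp-content/ serving /wp-content/index.php.
        // The front controller for "/" is exempted, otherwise every page is blocked.
        if ( $script !== '' && $script !== '/index.php' && stripos( $script, '.php' ) !== false ) {
            return true;
        }

        return false;
    }
}

// Stand-alone check: `php .htninja` prints the decision for constructed sample
// requests (not captured traffic). Skipped when NinjaFirewall includes the file.
if ( PHP_SAPI === 'cli' ) {
    $samples = array(
        array( 'REQUEST_URI' => '/',                           'SCRIPT_NAME' => '/index.php' ),
        array( 'REQUEST_URI' => '/?s=.php',                    'SCRIPT_NAME' => '/index.php' ),
        array( 'REQUEST_URI' => '/index.php',                  'SCRIPT_NAME' => '/index.php' ),
        array( 'REQUEST_URI' => '/wp-content/',                'SCRIPT_NAME' => '/wp-content/index.php' ),
        array( 'REQUEST_URI' => '/wp-content/index.php',       'SCRIPT_NAME' => '/wp-content/index.php' ),
        array( 'REQUEST_URI' => '/wp-content/uploads/x%2ePHP', 'SCRIPT_NAME' => '/wp-content/uploads/x.PHP' ),
        array( 'REQUEST_URI' => '/wp-admin/',                  'SCRIPT_NAME' => '/wp-admin/index.php' ),
        array( 'REQUEST_URI' => '/wp-admin/',                  'SCRIPT_NAME' => '/wp-admin/index.php', 'REMOTE_ADDR' => '203.0.113.10' ),
    );
    foreach ( $samples as $s ) {
        $who = isset( $s['REMOTE_ADDR'] ) ? ' from ' . $s['REMOTE_ADDR'] : '';
        printf( "%-48s %s\n", $s['REQUEST_URI'] . $who, htninja_should_block( $s, $htninja_trusted_ips ) ? 'BLOCK' : 'pass' );
    }
}

if ( htninja_should_block( $_SERVER, $htninja_trusted_ips ) ) {
    return 'BLOCK';
}
```

With the samples above, "/" and "/?s=.php" pass, the two explicit ".php" requests and "GET /wp-content/" are blocked, the percent-encoded upload path is blocked once decoded, and "/wp-admin/" is blocked except from the trusted address. Two caveats: the exemption relies on REMOTE_ADDR, which is the proxy's address when the site sits behind a reverse proxy or CDN, so the list would then match nobody (or everybody, if it contained the proxy); and visitors not on the list still cannot reach /wp-admin/admin-ajax.php or /wp-login.php, which is the same trade-off john53 accepted above. Cutting the rule out of the file to log in, as described in the thread, is no longer needed as long as the admin connects from a listed address.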