• Resolved john53

    (@john53)


    Hi
    Could you please let me know the code to use in htninja to block any request containing “.php” in the URL Path?

    Our website is not a blog it contains static content apart from the contact form on our contact us page.

    Thank you very much.

    Best regards

    John


  • Plugin Author nintechnet

    (@nintechnet)

    This code would block ‘.php’ in all URLs:

    <?php
    if ( strpos( $_SERVER['REQUEST_URI'], '.php' ) !== FALSE ) {
       return 'BLOCK';
    }
    
    Thread Starter john53

    (@john53)

    Thank you very much, I have now purchased the wp plus version.

    Can I just add .php to the url address blacklist in access control?

    Thread Starter john53

    (@john53)

    Also, can I use * as a wildcard in the IP address and URL address entries for access control?

    Thanks

    Plugin Author nintechnet

    (@nintechnet)

    If you use the “Access Control > URL address” blacklist, it will apply to $_SERVER['SCRIPT_NAME'] and $_SERVER['REQUEST_URI']. That means that on a default WordPress site, all traffic is blocked. For instance, when someone accesses http://example.com/, WordPress loads the index.php, which will match the $_SERVER['SCRIPT_NAME'] variable.

    If you use my sample code with the .htninja, only $_SERVER['REQUEST_URI'] will be blocked. Someone accessing http://example.com/ won’t be blocked.

    You cannot use wildcards in the URL access control. Regarding IP addresses, you can use CIDR (e.g. 66.155.0.0/17, 2c0f:f248::/32) or AS numbers.

    Thread Starter john53

    (@john53)

    Thank you.

    Thread Starter john53

    (@john53)

    Hi
    I added the code to htninja without the “<?php” as this is already present with some code. It works well.

    It doesn’t lock me out of the website. The only slight downside is that it does lock me out of my admin.

    As whitelisting won’t work, since this happens before WordPress loads, I found a workaround: I go to the cPanel file manager, cut the code and save htninja, then when I have finished I just paste it back and save htninja again.

    I think well worth the effort for the substantial hardening of security.

    Thank you very much for your help

    Best regards
    John

    Thread Starter john53

    (@john53)

    Hi
    Just found some requests that got past htninja.

    They are all either GET /wp-content/index.php OR GET /index.php

    The ninjafirewall blocked them and these showed up on the log.

    Will the code on htninja not block these particular requests?

    Best regards

    John

    Thread Starter john53

    (@john53)

    At the moment I am blocking the requests by blacklisting the IP addresses.

    Could I use the “User Input” blocked inputs?
    GET:index
    GET:index.php

    Thanks

    Plugin Author nintechnet

    (@nintechnet)

    If you block $_SERVER['REQUEST_URI'] in the .htninja, that won’t block someone accessing / and GET /wp-content/ because there’s no index.php string in the REQUEST_URI, although the index.php will be served.

    The Access Control will block it because it applies to $_SERVER['SCRIPT_NAME'] in addition to $_SERVER['REQUEST_URI'].

    If you want the .htninja to block it, you need to replace $_SERVER['REQUEST_URI'] with $_SERVER['SCRIPT_NAME']. That will block GET /wp-content/ and GET /wp-content/index.php for instance.

    User input won’t work, as it is for input only, not script.
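
    The following is an added example, not code from the thread or from NinjaFirewall itself. It evaluates the same ‘.php’ rule against both variables discussed above and adds a small allow-list so that a SCRIPT_NAME check does not block the front page (which WordPress serves through /index.php) while still blocking GET /wp-content/ and direct .php requests. It assumes the contact form submits to its own page URL (handled by /index.php); a form that posts to wp-admin/admin-ajax.php would need that script added to the allow-list.

```php
<?php
// Added example, not from the thread or NinjaFirewall: decide whether a request
// should be blocked by checking both REQUEST_URI (the path the client asked for)
// and SCRIPT_NAME (the PHP file WordPress actually executes).
// Assumption: only /index.php needs to run on this mostly static site.

// Returns 'BLOCK' to block, or null to leave the decision to the firewall.
function htninja_decision(array $server): ?string {
    $uri    = $server['REQUEST_URI'] ?? '';
    $script = $server['SCRIPT_NAME'] ?? '';

    // Scripts a static site with one contact form still has to execute.
    $allowed_scripts = ['/index.php'];

    // Strip the query string; only the path matters for the '.php' test.
    $path = strtok($uri, '?');

    // Rule 1: the thread's original rule, '.php' anywhere in the requested path.
    if (strpos($path, '.php') !== false) {
        return 'BLOCK';
    }
    // Rule 2: the script really executed, which catches GET /wp-content/
    // being served as /wp-content/index.php even though the URI has no '.php'.
    if (strpos($script, '.php') !== false && !in_array($script, $allowed_scripts, true)) {
        return 'BLOCK';
    }
    return null;
}

// Constructed sample requests: [REQUEST_URI, SCRIPT_NAME, expected decision].
$samples = [
    ['/',                      '/index.php',            null],
    ['/contact-us/',           '/index.php',            null],
    ['/wp-content/',           '/wp-content/index.php', 'BLOCK'],
    ['/wp-content/index.php',  '/wp-content/index.php', 'BLOCK'],
    ['/xmlrpc.php',            '/xmlrpc.php',           'BLOCK'],
    ['/wp-login.php?action=x', '/wp-login.php',         'BLOCK'],
];
foreach ($samples as [$uri, $script, $expected]) {
    $got = htninja_decision(['REQUEST_URI' => $uri, 'SCRIPT_NAME' => $script]);
    printf("%-26s %-24s %s\n", $uri, $script, $got ?? 'pass');
    if ($got !== $expected) {
        throw new RuntimeException("unexpected decision for $uri");
    }
}
```

    In a real .htninja the sample loop would be replaced by `if (htninja_decision($_SERVER) === 'BLOCK') { return 'BLOCK'; }`; as the last row shows, wp-login.php is blocked too, which is the admin lock-out described earlier in the thread.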

    Thread Starter john53

    (@john53)

    Thanks for your help.

  • The topic ‘How to Block URL Path containing “.php”’ is closed to new replies.