• Resolved redsand

    (@redsand)


    Hey guys,

    First off, great plugin! I have an improvement request for future versions.

    The .htaccess file you place in the /wp-content/ folder is only Apache 2.2 compatible:

    <Files *.php>
    deny from all
    </Files>

    I know you’re aware because you have the following note in the admin:

    Note: Apache/2.4 introduced new directives to configure the access level of certain resources in the server, for instance the rules applied to harden these directories will not work and will probably cause issues. We will not fix this because there is no accurate way to determine the exact version number of Apache installed in this server considering some security measures applied to its configuration that will prevent the version number to be readable by PHP, proceed with caution.

    There is a fix though. You can use IfModule to test which one is installed.

    Something like this would work for both 2.2 and 2.4:

    <Files ~ "^(.+)\.php$">
    	# Apache 2.2
    	<IfModule !mod_authz_core.c>
    		Deny from all
    	</IfModule>
    
    	# Apache 2.4
    	<IfModule mod_authz_core.c>
    		Require all denied
    	</IfModule>
    </Files>

    I know the preferred use for regex is FilesMatch over Files, but I chose Files because this particular implementation is more compatible with certain branches of Apache, and should give you the most compatibility overall.

    Hopefully you can implement this in the next version to make your .htaccess files a bit more universal. Thanks!

    – Scott

    https://wordpress.org/plugins/sucuri-scanner/
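
An added example, not part of the original post or the plugin's code: a Python check that flags access rules in an .htaccess file that are not wrapped in the IfModule test on mod_authz_core proposed in the post above. The function name `audit_htaccess` and the finding messages are this example's own, and it assumes that only that guard counts as safe.

```python
import re

# <IfModule [!]name>: group 1 is "!" when the test is negated, group 2 the module.
IFMODULE_OPEN = re.compile(r"<IfModule\s+(!?)\s*([\w.]+)\s*>", re.I)
IFMODULE_CLOSE = re.compile(r"</IfModule\s*>", re.I)
LEGACY = re.compile(r"(Order|Allow\s+from|Deny\s+from)\b", re.I)  # Apache 2.2 syntax
MODERN = re.compile(r"Require\s+all\s+(granted|denied)\b", re.I)  # Apache 2.4 syntax
AUTHZ_CORE = ("mod_authz_core.c", "authz_core_module")  # file name / module identifier

def audit_htaccess(text):
    """Return (line_no, message) findings for access rules not wrapped in the
    IfModule test on mod_authz_core that the post proposes (line 0 = whole file)."""
    findings, stack = [], []  # stack: one (negated, module) pair per open IfModule
    seen_legacy = seen_modern = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = IFMODULE_OPEN.match(line)
        if m:
            stack.append((m.group(1) == "!", m.group(2).lower()))
        elif IFMODULE_CLOSE.match(line):
            if stack:
                stack.pop()
        elif LEGACY.match(line):
            seen_legacy = True
            if not any(neg for neg, mod in stack if mod in AUTHZ_CORE):
                findings.append((no, "2.2 directive outside <IfModule !mod_authz_core.c>"))
        elif MODERN.match(line):
            seen_modern = True
            if not any(not neg for neg, mod in stack if mod in AUTHZ_CORE):
                findings.append((no, "2.4 directive outside <IfModule mod_authz_core.c>"))
    if seen_legacy != seen_modern:
        missing = "2.4 (Require)" if seen_legacy else "2.2 (Deny/Allow)"
        findings.append((0, "no rule for Apache " + missing))
    return findings

# The two files from the post (comments and indentation dropped).
ORIGINAL = "<Files *.php>\ndeny from all\n</Files>\n"
PROPOSED = (
    '<Files ~ "^(.+)\\.php$">\n'
    "<IfModule !mod_authz_core.c>\nDeny from all\n</IfModule>\n"
    "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n"
    "</Files>\n"
)

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(name, audit_htaccess(text) or "portable")
```
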

Viewing 2 replies - 1 through 2 (of 2 total)
  • Task finished with these commits:

    1193688 Added. Self-contained library to handle the hardening process
    1193691 Fixed. Harden content directory with correct access rules
    1193701 Fixed. Harden uploads directory with correct access rules
    1193713 Fixed. Harden includes directory with correct access rules

    Thread Starter redsand

    (@redsand)

    Excellent. Thanks!

  • The topic ‘.htaccess fix for Apache 2.2 and 2.4’ is closed to new replies.