protecting wordpress with htaccess (3 posts)

  1. deko
    Posted 3 years ago #

    This is the standard wordpress htaccess file:

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    As I understand it, it rewrites requests for non-existent files or directories to index.php.

    So how does this enhance security?

    Why not just use:
    ErrorDocument 404 /404.php ?

    As for something that REALLY helps protect my blog, I came across this snippet on wprecipies.com:

    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

    It claims to protect your wp blog from scripts injection and unwanted modification of _REQUEST and/or GLOBALS. But the author failed to provide any commentary or explanation.

    Can anyone offer any insight? Is the Options +FollowSymLinks directive necessary for this code to run?

  2. Jonas Grumby
    Posted 3 years ago #

    Why not just run a firewall instead?


  3. deko
    Posted 3 years ago #

    Thanks for the reply. The WordPress Firewall 2 plugin looks interesting, but I was more interested in how the default wordpress htaccess file is any better than using a simple ErrorDocument, and also thoughts on that htaccess file from wprecipies.com.
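
Added example, not part of the original thread and not code from the snippet's author: a Python emulation of the three RewriteCond patterns quoted in the first post, run over constructed query strings to show which requests the rule would answer with 403 Forbidden. The names `blocked_by`, `report` and `SAMPLES` are assumptions made for this illustration.

```python
import re

# The three RewriteCond patterns from the snippet, copied verbatim.
# Apache matches them unanchored against the raw (not URL-decoded) query string.
CONDITIONS = [
    # [NC] on the first condition means case-insensitive matching.
    ("script tag", re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)),
    # No [NC] here: PHP variable names are case-sensitive, so only the
    # exact spellings GLOBALS and _REQUEST name the superglobals.
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
]


def blocked_by(query_string):
    """Return the name of the first condition that matches, or None.

    The conditions are chained with [OR], so a single match is enough for
    the RewriteRule to fire; its [F] flag makes Apache reply 403 Forbidden.
    """
    for name, pattern in CONDITIONS:
        if pattern.search(query_string):
            return name
    return None


# Constructed sample query strings (not taken from any real log).
SAMPLES = [
    "p=123",                                # ordinary permalink query
    "s=%3Cscript%3Ealert(1)%3C/script%3E",  # percent-encoded script tag
    "s=<SCRIPT>x</SCRIPT>",                 # upper case, caught through [NC]
    "GLOBALS[foo]=1",                       # attempt to set a superglobal
    "_REQUEST%5Bfoo%5D=1",                  # same idea, bracket percent-encoded
    "globals=1",                            # lower case: not the superglobal
    "s=<b>description</b>",                 # false positive: "script" inside a word
    "s=javascript+tutorial",                # no angle bracket, so not matched
]


def report():
    """Map each sample query string to the condition that blocks it."""
    return {qs: blocked_by(qs) for qs in SAMPLES}


if __name__ == "__main__":
    for qs, hit in report().items():
        print(f"{'403' if hit else 'ok':4} {qs!r:42} {hit or ''}")
```

The `description` sample shows that the first pattern also rejects harmless searches that contain the letters "script" between angle brackets.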
