Support » Fixing WordPress » protecting wordpress with htaccess

  • This is the standard wordpress htaccess file:

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    As I understand it, it rewrites requests for non-existent files or directories to .index.php.

    So how does this enhance security?

    Why not just use:
    ErrorDocument 404 /404.php ?

    As for something that REALLY helps protect my blog, I came across this snippet on

    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

    It claims to protect your wp blog from scripts injection and unwanted modification of _REQUEST and/or GLOBALS. But the author failed to provide any commentary or explanation.

    Can anyone offer any insight? Is the Options +FollowSymLinks directive necessary for this code to run?

Viewing 2 replies - 1 through 2 (of 2 total)
Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘protecting wordpress with htaccess’ is closed to new replies.