Title: JonLPD's Replies | WordPress.org --- # JonLPD [ ](https://wordpress.org/support/users/jonlpd/) * [Profile](https://wordpress.org/support/users/jonlpd/) * [Topics Started](https://wordpress.org/support/users/jonlpd/topics/) * [Replies Created](https://wordpress.org/support/users/jonlpd/replies/) * [Reviews Written](https://wordpress.org/support/users/jonlpd/reviews/) * [Topics Replied To](https://wordpress.org/support/users/jonlpd/replied-to/) * [Engagements](https://wordpress.org/support/users/jonlpd/engagements/) * [Favorites](https://wordpress.org/support/users/jonlpd/favorites/) Search replies: ## Forum Replies Created Viewing 2 replies - 1 through 2 (of 2 total) * Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/) In reply to: [[Kadence Security – Password, Two Factor Authentication, and Brute Force Protection] Exclude subdirectory](https://wordpress.org/support/topic/exclude-subdirectory/) * Thread Starter [JonLPD](https://wordpress.org/support/users/jonlpd/) * (@jonlpd) * [10 years, 10 months ago](https://wordpress.org/support/topic/exclude-subdirectory/#post-6308528) * > then temporarily disable the Protect System Files setting in the System Tweaks > section on the iTSec plugin Settings page as indicated by Gerroald. * That worked and let me install. I’ll make sure it all works properly once i’ve turned this back on and let you know. * Thanks! * Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/) In reply to: [[Kadence Security – Password, Two Factor Authentication, and Brute Force Protection] Exclude subdirectory](https://wordpress.org/support/topic/exclude-subdirectory/) * Thread Starter [JonLPD](https://wordpress.org/support/users/jonlpd/) * (@jonlpd) * [10 years, 10 months ago](https://wordpress.org/support/topic/exclude-subdirectory/#post-6308525) * Hey, The 403 error im getting is: You don’t have permission to access /advocacyforyoungpeople/ wp-admin/install.php on this server. * I dont think there is a problem with the plugin. I just need to it ignore the subdirectory /advocacyforyoungpeople * Here is the iThemes code I’m using in the htaccess: * # BEGIN iThemes Security – Do not modify or remove this line # iThemes Security Config Details: 2 # Ban Hosts – Security > Settings > Banned Users SetEnvIF REMOTE_ADDR“ ^81\.45\.182\.213$” DenyAccess SetEnvIF X-FORWARDED-FOR “^81\.45\.182\.213$” DenyAccess SetEnvIF X-CLUSTER-CLIENT-IP “^81\.45\.182\.213$” DenyAccess * SetEnvIF REMOTE_ADDR “^42\.63\.209\.13$” DenyAccess SetEnvIF X-FORWARDED-FOR“ ^42\.63\.209\.13$” DenyAccess SetEnvIF X-CLUSTER-CLIENT-IP “^42\.63\.209\.13$” DenyAccess * Require all granted Require not env DenyAccess Require not ip 81.45.182.213 Require not ip 42.63.209.13 Order allow,deny Allow from all Deny from env=DenyAccess Deny from 81.45.182.213 Deny from 42.63.209.13 * # Enable the hide backend feature – Security > Settings > Hide Login Area > Hide Backend RewriteRule ^(/)?login/?$ /wp-login.php [QSA,L] * # Protect System Files – Security > Settings > System Tweaks > System Files Require all denied Order allow,deny Deny from all Require all denied Order allow,deny Deny from all Require all denied Order allow,deny Deny from all Require all denied Order allow,deny Deny from all Require all denied Order allow,deny Deny from all * # Disable XML-RPC – Security > Settings > WordPress Tweaks > XML-RPC Require all denied Order allow,deny Deny from all * # Disable Directory Browsing – Security > Settings > System Tweaks > Directory Browsing Options -Indexes * RewriteEngine On * # Protect System Files – Security > Settings > System Tweaks > System Files RewriteRule ^wp-admin/includes/ – [F] RewriteRule !^wp-includes/ – [S=3] RewriteCond%{ SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php RewriteRule ^wp-includes/[^/] +\.php$ – [F] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F] RewriteRule ^wp-includes/theme-compat/ – [F] * # Disable PHP in Uploads – Security > Settings > System Tweaks > Uploads RewriteRule ^wp\-content/uploads/.*\.(?:php[1-6]?|pht|phtml?)$ – [NC,F] * # Filter Request Methods – Security > Settings > System Tweaks > Request Methods RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC] RewriteRule ^.* – [F] * # Filter Suspicious Query Strings in the URL – Security > Settings > System Tweaks > Suspicious Query Strings RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR] RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR] RewriteCond%{ QUERY_STRING} etc/passwd [NC,OR] RewriteCond %{QUERY_STRING} boot\.ini [NC,OR] RewriteCond %{QUERY_STRING} ftp\: [NC,OR] RewriteCond %{QUERY_STRING} http\: [ NC,OR] RewriteCond %{QUERY_STRING} https\: [NC,OR] RewriteCond %{QUERY_STRING}(\ <|%3C).*script.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} mosConfig_[a-zA- Z_]{1,21}(=|%3D) [NC,OR] RewriteCond %{QUERY_STRING} base64_encode.*$.*$ [NC, OR] RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost |loopback).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union |declare).* [NC] RewriteCond %{QUERY_STRING} !^loggedout=true RewriteCond %{QUERY_STRING}! ^action=jetpack-sso RewriteCond %{QUERY_STRING} !^action=rp RewriteCond %{HTTP_COOKIE}! ^.*wordpress_logged_in_.*$ RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\. com(.*)$ RewriteRule ^.* – [F] * # Filter Non-English Characters – Security > Settings > System Tweaks > Non- English Characters RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [ NC] RewriteRule ^.* – [F] * # Reduce Comment Spam – Security > Settings > System Tweaks > Comment Spam RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} /wp-comments-post\. php$ RewriteCond %{HTTP_USER_AGENT} ^$ [OR] RewriteCond %{HTTP_REFERER} !^https?://(([ ^/]+\.)?advocacymatters\.co\.uk|jetpack\.wordpress\.com/jetpack-comment)(/|$)[ NC] RewriteRule ^.* – [F] # END iThemes Security – Do not modify or remove this line Viewing 2 replies - 1 through 2 (of 2 total)