I've read a baker's dozen of similar questions and the common issues found therein have not helped me resolve this. I could really use some help figuring this out. What should I try next? Is there a way to troubleshoot why these rules are not being respected?
This is a Wordpress environment on an Inmotion Hosting vps with WHM/cPanel and Apache 2.4. Nginx is not being used to cache this account.
I need to deny access to PDFs in a sub-directory, specifically:
/public_html/wp-content/uploads/gravity_forms/fillablepdfs/
My web root .htaccess is as follows.
/public_html/.htaccess
AllowOverride All
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END Wordfence WAF
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php74” package as the default “PHP” programming language.
<IfModule mime_module>
AddHandler application/x-httpd-ea-php74 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
I have tried many combinations in the web-root .htaccess and in the sub-directories in the path to the directory in question.
These did not work:
/public_html/wp-content/uploads/gravity_forms/fillablepdfs/.htaccess
Order deny,allow
Deny from all
Require all denied
<Files "*.pdf">
Order deny,allow
Deny from all
</Files>
<Files "*.pdf">
Require all denied
</Files>
After those failed to work I moved up the directories attempting the same until I reached the web-root .htaccess again, where I tried the following.
/public_html/.htaccess
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "*.pdf">
Require all denied
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "*.pdf">
Order deny,allow
Deny from all
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "*.pdf">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "wp-content/uploads/gravity_forms/fillablepdfs/*.pdf">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "./wp-content/uploads/gravity_forms/fillablepdfs/*.pdf">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END fillable-pdfs
None of these worked.
There are two other .htaccess files along the path. They are:
/public_html/wp-content/uploads/.htaccess
# BEGIN WebP Express
# The rules below have been dynamically created by WebP Express in accordance with the plugin settings
# DO NOT EDIT MANUALLY (unless you are prepared that your changes might be overridden by WebP Express)
# The following parameters have been in play to produce the rules:
#
# WebP Express options:
# - Operation mode: varied-image-responses
# - Redirection to existing webp: enabled
# - Redirection to converter: enabled
# - Redirection to converter to create missing webp files upon request for the webp: enabled
# - Destination folder: separate
# - Destination extension: append
# - Destination structure: image-roots
# - Image types: jpeg, png
# - Alter HTML enabled?: yes
#
# Wordpress/Server configuration:
# - Document root availablity: Available and its "realpath" is available too. Can be used for structuring cache dir.
#
# .htaccess capability test results:
# - mod_header working?: yes
# - pass variable from .htaccess to script through header working?: no
# - pass variable from .htaccess to script through environment variable working?: yes
#
# Role of the dir that this .htaccess is located in:
# - Is this .htaccess in a dir containing source images?: yes
# - Is this .htaccess in a dir containing webp images?: no
# Rules for handling requests for source images
# ---------------------------------------------
<IfModule mod_rewrite.c>
RewriteEngine On
# Escape hatch #1: Adding ?dontreplace to an url can be used to bypass redirection
RewriteCond %{QUERY_STRING} dontreplace$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule . - [L]
# Escape hatch #2: Placing an empty file in the same folder as the jpeg/png which has same file name, but ".dontreplace" appended will bypass redirection
RewriteCond %{REQUEST_FILENAME} (?i)(.*)(\.jpe?g|\.png)$
RewriteCond %1%2\.dontreplace -f
RewriteRule . - [L]
# Deprecated escape hatch: Adding ?original to an url can be used to bypass redirection
RewriteCond %{QUERY_STRING} original$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule . - [L]
# Deprecated escape hatch: Placing an empty file in the same folder as the jpeg/png which has same file name, but ".do-not-convert" appended will bypass redirection
RewriteCond %{REQUEST_FILENAME} (?i)(.*)(\.jpe?g|\.png)$
RewriteCond %1%2\.do-not-convert -f
RewriteRule . - [L]
# Avoid redirecting to webp files that are bigger than the original
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} (?i)(/home/***/public_html/wp-content/uploads/)(.*)(\.jpe?g|\.png)$
RewriteCond /home/***/public_html/wp-content/webp-express/webp-images-bigger-than-source/uploads/%2%3.webp -f
RewriteRule . - [L]
# Redirect to existing converted image in cache-dir (if browser supports webp)
RewriteCond %{HTTP_ACCEPT} image/webp
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} (?i)(/home/***/public_html/wp-content/uploads/)(.*)(\.jpe?g|\.png)$
RewriteCond /home/***/public_html/wp-content/webp-express/webp-images/uploads/%2%3.webp -f
RewriteRule (?i)(.*)(\.jpe?g|\.png)$ /wp-content/webp-express/webp-images/uploads/%2%3\.webp [T=image/webp,E=EXISTING:1,E=ADDVARY:1,L]
# Redirect images to webp-on-demand.php (if browser supports webp)
RewriteCond %{HTTP_ACCEPT} image/webp
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} (?i)(.*)(\.jpe?g|\.png)$
RewriteRule (?i).*$ /wp-content/plugins/webp-express/wod/webp-on-demand.php [E=WE_WP_CONTENT_REL_TO_WE_PLUGIN_DIR:../../,E=WE_SOURCE_REL_HTACCESS:$0,E=WE_HTACCESS_ID:uploads,NC,L]
# Make sure that browsers which does not support webp also gets the Vary:Accept header
# when requesting images that would be redirected to webp on browsers that does.
<IfModule mod_headers.c>
<FilesMatch "(?i)\.(jpe?g|png)$">
Header append "Vary" "Accept"
</FilesMatch>
</IfModule>
</IfModule>
# END WebP Express
/public_html/wp-content/uploads/gravity_forms/.htaccess
# BEGIN Gravity Forms
# The directives (lines) between "BEGIN Gravity Forms" and "END Gravity Forms" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
# Disable parsing of PHP for some server configurations. This file may be removed or modified on certain server configurations by using by the gform_upload_root_htaccess_rules filter. Please consult your system administrator before removing this file.
<Files *>
SetHandler none
SetHandler default-handler
Options -ExecCGI
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
<IfModule headers_module>
Header set X-Robots-Tag "noindex"
</IfModule>
# END Gravity Forms
Nginx was configured to bypass Apache to "Accelerate static content".
Disabling this allows .htaccess files to function on .txt, .pdf, etc...
Related
I have a lot of images in my WordPress uploads folder. Most of these images display just fine. However, any images that have URL encoded characters in their filenames (e.g., %22 instead of ") return a 404 when I try to access them via a web browser. I've verified that those image files exist on the server by connecting via FTP, downloading one of the offending images, and opening it on my computer.
I imagine this could be a .htaccess issue, but .htaccess is inscrutable to me. Here's the .htaccess in the root of my site:
# BEGIN rlrssslReallySimpleSSL rsssl_version[3.3.5]
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
# END rlrssslReallySimpleSSL
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END Wordfence WAF
Here's the .htaccess file in my /wp-content/uploads/ folder:
# BEGIN Wordfence code execution protection
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>
<IfModule mod_php7.c>
php_flag engine 0
</IfModule>
<IfModule mod_php.c>
php_flag engine 0
</IfModule>
AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
# END Wordfence code execution protection
There are no other .htaccess files along the path to my images. I feel like I'm going crazy, but I'm likely missing something obvious.
This would seem to be a URL encoding issue on the initial HTTP request from the client, not related to your .htaccess file. If the actual filenames contain %22 then that needs to be URL encoded as %2522 (ie. the % in %22 needs to also be %-encoded) in the request, otherwise, it's going to look for a file containing ", not %22 (when the requested URL is decoded).
This isn't a problem with your .htaccess file, although you could potentially resolve this with the help of .htaccess (to manually URL encode these requests), but only if you are unable to "fix" the requested URLs in the HTML source. Fixing these URLs at source would be the preferred solution.
Needless to say, avoiding special characters in the filename in the first place (ie. sanitizing uploaded filenames) would be preferred. The double quote (") is an invalid char in Windows OS filenames, so that may be why it's remained %-encoded in the filename? But otherwise, %-encoded chars have no place in filenames, since this is a URL encoding scheme.
I have wordpress 5.6 installed on Directadmin. I have several folders with other CMS installed, like joomla. today I noticed that I can't login to subfolder CMS eg. mysite.com/joomla.
after some hours of searching, I found that in ALL my subfolders there is a .htaccess file with the following code:
<FilesMatch ".(phtml|php|PhP|php5|suspected)$">
Order Allow,Deny
allow from all
in subfolders my main htaccess files were removed.
in the main directory, public_html, my main .htaccess was changed to .htaccess.bk and there was a newly generated .htaccess file with the following code inside:
<FilesMatch ".(phtml|php|PhP|php5|suspected)$">
Order Allow,Deny
Deny from all
</FilesMatch>
<FilesMatch "(index).php$">
Order Allow,Deny
Allow from all
</FilesMatch>
<FilesMatch "(wp-load).php$">
Order Allow,Deny
Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
I don't understand why it has happened. Is it a kind of hacking? I haven't installed any plugin lately. Can anyone help please?
I'm currently using the WP htaccess Control plugin for my WordPress website and I would like to make a modification to its code. Presently, each page is accessible via multiple url structures. For example, site.com/page/ is accessible as is site.com/page
I would like to setup the htaccess whereas the non trailing slash redirects to the trailing slash, for every page of the site.
I believe I have the code, but I've seen a couple different variations. I want to make sure I implement the right one, plus I'm not exactly sure how it should be done with this particular plugin.
Do I just add the additional lines to the "custom" section? To my understanding it has to be placed with the rewrite rules, but the custom code I can input only goes to the top.
Currently, the following line is in "custom htaccess":
php_value memory_limit 96M
the entire file is:
# BEGIN WordPress
# WPhtc: Begin Custom htaccess
php_value memory_limit 96M
# WPhtc: End Custom htaccess
# WPhtC: Disable ServerSignature on generated error pages
ServerSignature Off
# WPhtC: Protect WP-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
# WPhtC: Protect .htaccess file
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</files>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
thank you
I have implemented my website in symfony2.4, but my blog in configured and installed in wordpress instance.
my wesite is under /var/www/html/website/ and the DocumentRoot is in httpd.cont is set to /var/www/html/website/web folder of symfony.
my wordpress is installed in /var/www/html/blog - I have created a soft link of the same in Symfony's web folder. But the wordpress site does not seem to work.
is there anything else that i need to configure?
my .htaccess file from sumfony's web folder looks something like this:
enter code here
<IfModule mod_rewrite.c>
RewriteEngine On
# Determine the RewriteBase automatically and set it as environment variable.
# If you are using Apache aliases to do mass virtual hosting or installed the
# project in a subdirectory, the base path will be prepended to allow proper
# resolution of the app.php file and to redirect to the correct URI. It will
# work in environments without path prefix as well, providing a safe, one-size
# fits all solution. But as you do not need it in this case, you can comment
# the following 2 lines to eliminate the overhead.
# RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
# RewriteRule ^(.*) - [E=BASE:%1]
RewriteCond %{HTTP_HOST} ^mywebsite\.com$
RewriteRule ^(.*) http://www.mywebsite.com/$1 [R=301,L]
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !/blog
RewriteRule ^(.*)$ app.php [QSA,L]
# Redirect to URI without front controller to prevent duplicate content
# (with and without `/app.php`). Only do this redirect on the initial
# rewrite by Apache and not on subsequent cycles. Otherwise we would get an
# endless redirect loop (request -> rewrite to front controller ->
# redirect -> request -> ...).
# So in case you get a "too many redirects" error or you always get redirected
# to the start page because your Apache does not expose the REDIRECT_STATUS
# environment variable, you have 2 choices:
# - disable this feature by commenting the following 2 lines or
# - use Apache >= 2.3.9 and replace all L flags by END flags and remove the
# following RewriteCond (best solution)
#RewriteCond %{ENV:REDIRECT_STATUS} ^$
#RewriteRule ^app\.php(/(.*)|$) %{ENV:BASE}/$2 [R=301,L]
# If the requested filename exists, simply serve it.
# We only want to let Apache serve files and not directories.
#RewriteCond %{REQUEST_FILENAME} -f
#RewriteRule .? - [L]
# Rewrite all other queries to the front controller.
#RewriteRule .? %{ENV:BASE}/app.php [L]
</IfModule>
<IfModule !mod_rewrite.c>
<IfModule mod_alias.c>
# When mod_rewrite is not available, we instruct a temporary redirect of
# the start page to the front controller explicitly so that the website
# and the generated links can still be used.
RedirectMatch 302 ^/$ /app.php/
# RedirectTemp cannot be used instead
</IfModule>
</IfModule>
I've managed to make the two cohabit with this .htaccess
<VirtualHost *:80>
ServerName yourdomain.com
#path to symfony
DocumentRoot "path/web"
AddDefaultCharset utf-8
DirectoryIndex app.php
<Directory "/path/web">
RewriteEngine On
Options +MultiViews
<IfVersion >= 2.3>
Require all granted
</IfVersion>
AllowOverride All
Allow from All
</Directory>
#path to blog
Alias /blog "/otherpath/blog"
<Directory /otherpath/blog>
DirectoryIndex index.php
RewriteEngine On
Options +MultiViews
<IfVersion >= 2.3>
Require all granted
</IfVersion>
AllowOverride All
Allow from All
</Directory>
</VirtualHost>
I have a Wordpress multisite installed, and would like to understand how the subdomains actually are managed, ie how does my wordpress multisite knows where to find the files/data when a browser request URL user1.domain.com ?
I checked the DNS A record and see only the wild card.
I checked the .htaccess, and it looks as follows:
RewriteEngine On
RewriteBase /
# Protect the htaccess file
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
# Protect wpconfig.php
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
# Disable directory browsing
Options All -Indexes
RewriteRule ^index\.php$ - [L]
# uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule . index.php [L]
so I think the .htaccess does not manage the subdomain, or does it?
so then, how does my wordpress multisite knows where to find the files/data when a browser request URL user1.domain.com ?