Develop Reference

block access to directories, subdirectories and files in .htaccess that is NOT specified on the list

OK, so pls don't kill me, I'm not an expert, yes I have read loads of comments and forums and not sure it would be possible.
I have a WordPress site that is running on litespeed. I have wordfence and ithemes installed and my firewall is turned on, yet somehow a hacker created a .tmp folder with fake png inside containing executable code. The code could not run because of wordfence, but I would like to prevent them from creating the .tmp folder in the first place.
That lead me thinking, is is possible, in my public_html .htaccess, to list my files and folders that in the root directory, and to allow, and to deny all from everything not on the list. Theoretically then they should not be able to create any new file or folder and if they do, it would deny?
Example
Folders on whitelist:
wp-includes
admin
etc.
Files on whitelist:
index.php
wp-config.php
Would look like this
# Deny access to files & subdirectories
Order Allow,Deny
deny from all
<Files *.*>
deny from all
</Files>
# Allow access to files
<Files "index.php,wp-config.php">
Allow from all
Satisfy Any
</Files>
# Allow access to sub directories
<Files wp-includes,admin/*>
Allow from all
Satisfy Any
</Files>
As per #RavinderSingh13's request:
Allow access the these subfolders only:
wp-admin, wp-content, wp-includes
Allow access the these files only:
.htaccess, index.html, index.php, license.txt, readme.html, wp-activate.php, wp-blog-header.php, wp-comments-post.php, wp-config.php, wp-config-sample.php, wp-cron.php, wp-links-opml.php, wp-load.php, wp-login.php, wp-mail.php, wp-settings.php, wp-signup.php, wp-trackback.php, xmlrpc.php
Update:
This will not work as it will not deny sever side execution. A php script can be made to delete files that are not on the whitelist, and then run with a cron every 5 min. Not ideal but it works.

WordPress single IP allow wp-admin access

In WordPress my network team restrict wpadmin folder with single ip. So my admin-ajax.php ajax call are 403 forbidden for end user. Is there a solution to allow everyone to access this?
Step 1: restrict Wp-admin folder file wise, and allow admin-ajax file
Step 2: Any another method is available to ajax call without adamin-ajax file
Are any of these possible?

If you want to allow access folder by ip, then please add the below code in .htaccess file.
<Directory /path/to/the/folder>
Options +Indexes
IndexOptions +FancyIndexing
Order deny,allow
Deny from all
Allow from X.X.X.X
</Directory>
For specific File then add the below code
<Files file-name.php>
Order deny,allow
Deny from all
Allow from X.X.X.X
</Files>

Apache 2.4 Directory access control for mod_auth_form

I need some help with this simple directory access rules - sorry I just started playing with Apache 2.4 and not done this before.
I have configured Apache 2.4 to a stage where I can see a login for for protected resources and once I enter the user/pass I get access to the protected resourced.
Now I want to do the following which I am not sure how I can get this done.
Web root is set to /var/www
/var/www/login - anyone can access, no auth required as this folder contains login.html and logout.html. ( I got this working)
/var/www - all other contents in the root of my app can only be accessed after authentication. This is the part I don't know how to setup.
My vhost conf looks like this.
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin webmaster#dummy-host2.example.com
DocumentRoot "/var/www"
ServerName auth-test.ml.com
ErrorLog "logs/test-error_log"
CustomLog "logs/test-access_log" common
<Directory "/var/www">
AuthFormProvider file
AuthType form
AuthName "Reserved Area"
Session On
SessionCookieName session path=/
require valid-user
# This is the login page
ErrorDocument 401 /login/index.html
# This is the file containing users login data
AuthUserFile /usr/local/apache2/auth/.htpasswd
</Directory>
<Directory /var/www/login>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
AT the moment when I access the app like http://example.com I expect to see the login.html page returned but I get the following error message:
Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Additionally, a 401 Unauthorized error was encountered while trying to use an ErrorDocument to handle the request.
How can I make this work?

Figured it out. It was as simple as using Directory to first deny access to all to the root document and only allow valid users.
Using another Directory to open access to all to the auth folder.

Web, SQLite database downloads when url is visited?

I have an sqlite database located at:
http://example.com/db/test.db
When visited in a browser, the database is downloaded.
How can i prevent this as i do not want others to be able to get ahold of it?

Something like a .htaccess file, along the lines of;
<Files ~ "\.(htaccess|db)$">
order allow,deny
deny from all
</Files>

.htacces is being ignored in wp-admin folder

I want to add protection to my wordpress site by specifing what ip addresses can access the admin dashboard. I've created a .htaccess file in /wp-admin folder and added the code. However it seems that the .htaccess file is being completely ignored. Does anybody know why this is happening.
Code:
order deny,allow
allow from 000.000.000.000 (my ip address)
deny from all

you would need to create a new .htaccess file in your text editor and upload to your wp-admin folder.
For more details please refer the link:
http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp-admin_by_IP
Copy code
order deny,allow
allow from 202.090.21.1 (replace with your IP address)
deny from all