Wordpress wp-config file better security - wordpress

I have a few questions regarding the wp-config.php file in Wordpress. I moved the file from the Wordpress installation directory, above the www directory and inside one of the home folders. I followed this tutorial. In the main Wordpress directory I added another wp-config.php file with the following include path:
<?php
include('/home/www/web55438/files/wp-config.php');
?>
Inside the files folder I also added the following .htaccess file.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
#Prevent directory browsing
Options All -Indexes
#Protect files from displaying
<Files wp-config.php>
order allow,deny
deny from all
</Files>
#Protect htaccess file
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
My questions are: Is this a secure way of handling the wp-config.php file with an absolute path? Is the .htaccess file configured properly? And what would you change for better Wordpress security?
Thanks

<Files wp-config.php>
order allow,deny
deny from all
</Files>
Change it to
<Files wp-config.php>
order deny,allow
deny from all
</Files>
This way, you are denying access to wp-config.php.

As you are moving your config file from the default location to a location above your website root, this is the proper way to include that file.
Regarding adding more security, follow stuff posted by Vhortex in one of the questions.

Related

.htaccess: Require all denied not respected

I've read a baker's dozen of similar questions and the common issues found therein have not helped me resolve this. I could really use some help figuring this out. What should I try next? Is there a way to troubleshoot why these rules are not being respected?
This is a Wordpress environment on an Inmotion Hosting vps with WHM/cPanel and Apache 2.4. Nginx is not being used to cache this account.
I need to deny access to PDFs in a sub-directory, specifically:
/public_html/wp-content/uploads/gravity_forms/fillablepdfs/
My web root .htaccess is as follows.
/public_html/.htaccess
AllowOverride All
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END Wordfence WAF
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php74” package as the default “PHP” programming language.
<IfModule mime_module>
AddHandler application/x-httpd-ea-php74 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
I have tried many combinations in the web-root .htaccess and in the sub-directories in the path to the directory in question.
These did not work:
/public_html/wp-content/uploads/gravity_forms/fillablepdfs/.htaccess
Order deny,allow
Deny from all
Require all denied
<Files "*.pdf">
Order deny,allow
Deny from all
</Files>
<Files "*.pdf">
Require all denied
</Files>
After those failed to work I moved up the directories attempting the same until I reached the web-root .htaccess again, where I tried the following.
/public_html/.htaccess
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "*.pdf">
Require all denied
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "*.pdf">
Order deny,allow
Deny from all
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "*.pdf">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "wp-content/uploads/gravity_forms/fillablepdfs/*.pdf">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END fillable-pdfs
AllowOverride All
. . .
# BEGIN fillable-pdfs
# Restrict access to generated pdfs directory.
<Files "./wp-content/uploads/gravity_forms/fillablepdfs/*.pdf">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END fillable-pdfs
None of these worked.
There are two other .htaccess files along the path. They are:
/public_html/wp-content/uploads/.htaccess
# BEGIN WebP Express
# The rules below have been dynamically created by WebP Express in accordance with the plugin settings
# DO NOT EDIT MANUALLY (unless you are prepared that your changes might be overridden by WebP Express)
# The following parameters have been in play to produce the rules:
#
# WebP Express options:
# - Operation mode: varied-image-responses
# - Redirection to existing webp: enabled
# - Redirection to converter: enabled
# - Redirection to converter to create missing webp files upon request for the webp: enabled
# - Destination folder: separate
# - Destination extension: append
# - Destination structure: image-roots
# - Image types: jpeg, png
# - Alter HTML enabled?: yes
#
# Wordpress/Server configuration:
# - Document root availablity: Available and its "realpath" is available too. Can be used for structuring cache dir.
#
# .htaccess capability test results:
# - mod_header working?: yes
# - pass variable from .htaccess to script through header working?: no
# - pass variable from .htaccess to script through environment variable working?: yes
#
# Role of the dir that this .htaccess is located in:
# - Is this .htaccess in a dir containing source images?: yes
# - Is this .htaccess in a dir containing webp images?: no
# Rules for handling requests for source images
# ---------------------------------------------
<IfModule mod_rewrite.c>
RewriteEngine On
# Escape hatch #1: Adding ?dontreplace to an url can be used to bypass redirection
RewriteCond %{QUERY_STRING} dontreplace$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule . - [L]
# Escape hatch #2: Placing an empty file in the same folder as the jpeg/png which has same file name, but ".dontreplace" appended will bypass redirection
RewriteCond %{REQUEST_FILENAME} (?i)(.*)(\.jpe?g|\.png)$
RewriteCond %1%2\.dontreplace -f
RewriteRule . - [L]
# Deprecated escape hatch: Adding ?original to an url can be used to bypass redirection
RewriteCond %{QUERY_STRING} original$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule . - [L]
# Deprecated escape hatch: Placing an empty file in the same folder as the jpeg/png which has same file name, but ".do-not-convert" appended will bypass redirection
RewriteCond %{REQUEST_FILENAME} (?i)(.*)(\.jpe?g|\.png)$
RewriteCond %1%2\.do-not-convert -f
RewriteRule . - [L]
# Avoid redirecting to webp files that are bigger than the original
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} (?i)(/home/***/public_html/wp-content/uploads/)(.*)(\.jpe?g|\.png)$
RewriteCond /home/***/public_html/wp-content/webp-express/webp-images-bigger-than-source/uploads/%2%3.webp -f
RewriteRule . - [L]
# Redirect to existing converted image in cache-dir (if browser supports webp)
RewriteCond %{HTTP_ACCEPT} image/webp
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} (?i)(/home/***/public_html/wp-content/uploads/)(.*)(\.jpe?g|\.png)$
RewriteCond /home/***/public_html/wp-content/webp-express/webp-images/uploads/%2%3.webp -f
RewriteRule (?i)(.*)(\.jpe?g|\.png)$ /wp-content/webp-express/webp-images/uploads/%2%3\.webp [T=image/webp,E=EXISTING:1,E=ADDVARY:1,L]
# Redirect images to webp-on-demand.php (if browser supports webp)
RewriteCond %{HTTP_ACCEPT} image/webp
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} (?i)(.*)(\.jpe?g|\.png)$
RewriteRule (?i).*$ /wp-content/plugins/webp-express/wod/webp-on-demand.php [E=WE_WP_CONTENT_REL_TO_WE_PLUGIN_DIR:../../,E=WE_SOURCE_REL_HTACCESS:$0,E=WE_HTACCESS_ID:uploads,NC,L]
# Make sure that browsers which does not support webp also gets the Vary:Accept header
# when requesting images that would be redirected to webp on browsers that does.
<IfModule mod_headers.c>
<FilesMatch "(?i)\.(jpe?g|png)$">
Header append "Vary" "Accept"
</FilesMatch>
</IfModule>
</IfModule>
# END WebP Express
/public_html/wp-content/uploads/gravity_forms/.htaccess
# BEGIN Gravity Forms
# The directives (lines) between "BEGIN Gravity Forms" and "END Gravity Forms" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
# Disable parsing of PHP for some server configurations. This file may be removed or modified on certain server configurations by using by the gform_upload_root_htaccess_rules filter. Please consult your system administrator before removing this file.
<Files *>
SetHandler none
SetHandler default-handler
Options -ExecCGI
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
<IfModule headers_module>
Header set X-Robots-Tag "noindex"
</IfModule>
# END Gravity Forms
Nginx was configured to bypass Apache to "Accelerate static content".
Disabling this allows .htaccess files to function on .txt, .pdf, etc...

Limiting access to Wordpress login through the .htaccess file is not blocking anyone

I have been trying to edit the rules for my Wordpress site through the .htaccess file. I've tried several different options with no luck. My goal is to make the wp-login.php page accessible only to a certain list of IP addresses. Each method I've tried results in no change, meaning even if I put in a bogus IP address as the only one to be allowed access, I can still get to the page from any device.
These are the methods I have tried:
Adding this to the root .htaccess file
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
</Files>
And this to the wp-admin .htaccess file
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
I've also tried this in the wp-admin .htaccess file:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist IP address
allow from xx.xx.xx.xxx
</LIMIT>
This option in the root .htaccess file:
# BEGIN wp-admin restriction based on IP address
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.1$
RewriteRule ^(.*)$ - [R=403,L]
# END IP restriction
I'm not very familiar with .htaccess rules. Each of these options was tried at the beginning and the end of the files. The only other code in the file is:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Any ideas on what I am doing incorrectly?
For anyone else that ran into this issue: I was never able to get the .htaccess file to work. I tried adding the access rules to the web.config file and had some issues there as well; however, I eventually found a way to add access rules through the IIS Manager using IP Address and Domain Restrictions. I did have to install that feature, as it wasn't in my list of options right away; however, it worked right away, and I noticed that after installing it, making changes to my web.config file also started working.

htaccess - deny from all not working for files uploaded with WordPress

I am hoping you can help. I have been having real trouble getting a .htaccess file to work correctly.
I am trying to block off all access to files and folders within the wp-content/uploads/ folder.
I have resorted to placing a .htaccess file in each subdirectory with:
deny from all
This works OK if I FTP a file up and try to access it; the trouble is, if I use Wordpress to upload a file (into the same folder), this file is accessible.
Any ideas on what's going on, and a solution?
Thanks in advance for any help.
Try writing a rule in the .htaccess file, something like:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
This will allow you to block off all access to files and folders within the wp-content/uploads/ folder.
I had a similar issue. Once I updated wildcard to include .html (root htaccess), my deny all in the subdirectory worked just fine.
From this:
<Files *>
order deny,allow
deny from env=notallowed
allow from env=allowsome
</Files>
To this:
order deny,allow
deny from env=notallowed
allow from env=allowsome
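The stanzas argued over in this thread (the two wp-config.php variants in the first answer, the wp-login.php IP whitelist, and the env= rules in the answer just above) can be checked against a small model of Apache's Order/Allow/Deny evaluation (mod_access_compat on 2.4). This is an added example, not code from any of the posts or from Apache; the address 203.0.113.5 is a constructed stand-in for the masked xx.xx.xx.xx.

```python
"""Model of Apache 'Order', 'Allow from' and 'Deny from' evaluation. Added
illustration, not Apache code. Specs: all, dotted IPv4 (full or partial), CIDR, env=VAR."""
import ipaddress
from typing import Iterable, Optional

def _matches(spec: str, client_ip: str, env: dict) -> bool:
    """Does one 'from' argument match the request?"""
    if spec.lower() == "all":
        return True
    if spec.startswith("env="):
        return spec[4:] in env            # set by SetEnvIf or RewriteRule [E=...]
    if "/" in spec:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    # A partial address compares whole octets: '10.1' matches 10.1.x.x only.
    octets = spec.split(".")
    return client_ip.split(".")[: len(octets)] == octets

def access_allowed(order: str, allows: Iterable[str], denies: Iterable[str],
                   client_ip: str, env: Optional[dict] = None) -> bool:
    """allow,deny: default deny and a matching Deny always wins.
    deny,allow: default allow and a matching Allow always wins."""
    env = env or {}
    allow_hit = any(_matches(a, client_ip, env) for a in allows)
    deny_hit = any(_matches(d, client_ip, env) for d in denies)
    order = order.lower().replace(" ", "")
    if order == "allow,deny":
        return allow_hit and not deny_hit
    if order == "deny,allow":
        return not deny_hit or allow_hit
    raise ValueError("unknown Order: " + order)

def evaluate_stanza(stanza: str, client_ip: str, env: Optional[dict] = None) -> bool:
    """Evaluate a <Files>-style stanza; container tags and comments are ignored."""
    order, allows, denies = "deny,allow", [], []   # Apache's defaults when Order is absent
    for raw in stanza.splitlines():
        words = raw.split()
        if not words or words[0][0] in "#<":
            continue
        key = words[0].lower()
        if key == "order":
            order = words[1]
        elif key in ("allow", "deny") and words[1].lower() == "from":
            (allows if key == "allow" else denies).extend(words[2:])
    return access_allowed(order, allows, denies, client_ip, env)

# Stanzas quoted in this thread; 203.0.113.5 is a constructed stand-in for xx.xx.xx.xx.
WPCONFIG_ALLOW_DENY = "<Files wp-config.php>\norder allow,deny\ndeny from all\n</Files>"
WPCONFIG_DENY_ALLOW = "<Files wp-config.php>\norder deny,allow\ndeny from all\n</Files>"
LOGIN_WHITELIST = "Order Deny,Allow\nDeny from all\nAllow from 203.0.113.5"
```

Feeding both wp-config.php stanzas through evaluate_stanza() shows that each denies every client; the Order only changes the outcome once an Allow line is present, as in the wp-login.php whitelist.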

Editing WP htaccess Control

I'm currently using the WP htaccess Control plugin for my WordPress website and I would like to make a modification to its code. Presently, each page is accessible via multiple URL structures. For example, site.com/page/ is accessible, as is site.com/page.
I would like to set up the htaccess so that the non-trailing-slash URL redirects to the trailing-slash one, for every page of the site.
I believe I have the code, but I've seen a couple different variations. I want to make sure I implement the right one, plus I'm not exactly sure how it should be done with this particular plugin.
Do I just add the additional lines to the "custom" section? To my understanding it has to be placed with the rewrite rules, but the custom code I can input only goes to the top.
Currently, the following line is in "custom htaccess":
php_value memory_limit 96M
The entire file is:
# BEGIN WordPress
# WPhtc: Begin Custom htaccess
php_value memory_limit 96M
# WPhtc: End Custom htaccess
# WPhtC: Disable ServerSignature on generated error pages
ServerSignature Off
# WPhtC: Protect WP-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
# WPhtC: Protect .htaccess file
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</files>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
thank you

How does wordpress multisite manage subdomains?

I have a Wordpress multisite installed, and would like to understand how the subdomains are actually managed, i.e. how does my Wordpress multisite know where to find the files/data when a browser requests the URL user1.domain.com?
I checked the DNS A record and see only the wildcard.
I checked the .htaccess, and it looks as follows:
RewriteEngine On
RewriteBase /
# Protect the htaccess file
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
# Protect wpconfig.php
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
# Disable directory browsing
Options All -Indexes
RewriteRule ^index\.php$ - [L]
# uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule . index.php [L]
So I think the .htaccess does not manage the subdomain, or does it?
So then, how does my Wordpress multisite know where to find the files/data when a browser requests the URL user1.domain.com?
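As an added illustration (not WordPress code), the following models the lookup: the wildcard DNS record and the vhost only deliver every subdomain to the same index.php, and WordPress then matches the Host header against the domain and path columns of its wp_blogs table; the ms-files.php rule in the .htaccess above is resolved the same way. The table rows and the /var/www/html path are constructed, and the path-based row shows the same lookup also covers subfolder installs.

```python
"""Model of how a WordPress multisite picks the site for a request. Added
illustration, not WordPress code. Assumes wildcard DNS plus a vhost accepting
*.domain.com, so every subdomain reaches the same index.php; the site is then
chosen from the Host header against the wp_blogs table (domain, path)."""
from typing import Optional

# Constructed stand-in for wp_blogs rows: (blog_id, domain, path).
WP_BLOGS = [
    (1, "domain.com", "/"),
    (2, "user1.domain.com", "/"),
    (3, "domain.com", "/team/"),       # a path-based site on the main domain
]
UPLOAD_ROOT = "/var/www/html/wp-content"   # assumed server path

def resolve_site(host_header: str, request_path: str = "/", blogs=WP_BLOGS) -> Optional[int]:
    """Return the blog_id, or None when no row matches (WordPress then sends the
    visitor to NOBLOGREDIRECT or shows its 'site not found' page)."""
    host = host_header.split(":")[0].lower().rstrip(".")   # drop port, normalise case
    hosts = [host] + ([host[4:]] if host.startswith("www.") else [])
    for h in hosts:
        rows = [b for b in blogs if b[1] == h and request_path.startswith(b[2])]
        if rows:                          # longest path wins, like get_site_by_path()
            return max(rows, key=lambda b: len(b[2]))[0]
    return None

def map_files_request(host_header: str, request_uri: str) -> Optional[str]:
    """Apply the thread's 'RewriteRule ^files/(.+) ms-files.php?file=$1' for a
    subdomain install: the file comes from the resolved site's blogs.dir/<id>/files.
    Returns None when no site matches, the URI is not under /files/, or the name
    contains a '..' segment (the check any such file handler must make)."""
    path = request_uri.split("?")[0]
    if not path.startswith("/files/"):
        return None
    rel = path[len("/files/"):]
    if not rel or ".." in rel.split("/"):
        return None
    blog_id = resolve_site(host_header, path)
    if blog_id is None:
        return None
    return f"{UPLOAD_ROOT}/blogs.dir/{blog_id}/files/{rel}"
```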
