I have an sqlite database located at:
http://example.com/db/test.db
When visited in a browser, the database is downloaded.
How can I prevent this, as I do not want others to be able to get hold of it?
Something like a .htaccess file, along the lines of:
<Files ~ "\.(htaccess|db)$">
order allow,deny
deny from all
</Files>
OK, so please don't kill me, I'm not an expert; yes, I have read loads of comments and forums and am not sure it would be possible.
I have a WordPress site that is running on LiteSpeed. I have Wordfence and iThemes installed and my firewall is turned on, yet somehow a hacker created a .tmp folder with a fake PNG inside containing executable code. The code could not run because of Wordfence, but I would like to prevent them from creating the .tmp folder in the first place.
That led me to thinking: is it possible, in my public_html .htaccess, to list the files and folders that are in the root directory and allow them, and to deny all from everything not on the list? Theoretically then they should not be able to create any new file or folder, and if they do, it would deny?
Example
Folders on whitelist:
wp-includes
admin
etc.
Files on whitelist:
index.php
wp-config.php
Would look like this
# Deny access to files & subdirectories
Order Allow,Deny
deny from all
<Files *.*>
deny from all
</Files>
# Allow access to files
<Files "index.php,wp-config.php">
Allow from all
Satisfy Any
</Files>
# Allow access to sub directories
<Files wp-includes,admin/*>
Allow from all
Satisfy Any
</Files>
As per @RavinderSingh13's request:
Allow access to these subfolders only:
wp-admin, wp-content, wp-includes
Allow access to these files only:
.htaccess, index.html, index.php, license.txt, readme.html, wp-activate.php, wp-blog-header.php, wp-comments-post.php, wp-config.php, wp-config-sample.php, wp-cron.php, wp-links-opml.php, wp-load.php, wp-login.php, wp-mail.php, wp-settings.php, wp-signup.php, wp-trackback.php, xmlrpc.php
Update:
This will not work as it will not deny server-side execution. A PHP script can be made to delete files that are not on the whitelist, and then run with a cron every 5 min. Not ideal but it works.
I am having an issue getting ProFTP permissions to "work".
I have a series of folders under /home and have chrooted all users except for one to their home directory; for example, when user 12345 logs in they are connected to /, which is actually /home/12345.
I would like ftpadm to be able to do anything, but for all other users I would like to allow only uploading files and deny everything else, including listing files, so I added this to /etc/proftpd.conf and restarted proftpd:
<Directory /home>
<Limit ALL>
AllowUser ftpadm
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>
However, this allows users to upload, and ftpadm can browse any directory, but 12345 can create directories, create files, edit files, list and more. How can I lock all users except for one down to only being able to upload files?
You might try using something like this:
<Directory />
<Limit STOR STOU>
AllowUser ftpadm
DenyAll
</Limit>
</Directory>
The ProFTPD Limits howto has more examples which may also be of interest.
Hope this helps!
I've tried everything. I read other how to threads here and elsewhere. I have the following in my apache2 site configuration file:
<Directory /var/www/html/site_root/>
AllowOverride All
</Directory>
</VirtualHost>
There is no other occurrence of "AllowOverride" in the site conf file, so it's not a case of something earlier in the file overriding this (I don't even know if that's possible). I also tried '/var/www/html/site_root'.
If I try either of the following (or both) in my /var/www/html/site_root/.htaccess file:
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
<Files "xmlrpc.php">
Order Allow,Deny
Deny from all
</Files>
I get 520s and the whole site is crashed. I also tried /xmlrpc.php or "xmlrpc.php" without "" and ./xmlrpc.php etc. No matter what I do my error log is full of:
[Thu Dec 03 18:05:25.628237 2015] [core:alert] [pid 6956] [client 192.168.0.1:56529] /var/www/html/site_root/.htaccess: order not allowed here
How can this be and why is this so difficult to do?
My purpose is to block access to /xmlrpc.php. This is an absolute Achilles heel for WordPress. It is very easy to crash and burn any site by just hitting this over and over and over again. For some reason WordPress leaves it wide open by default and Cloudflare is not able to detect or protect against these attacks. They happen all the time and it brings down the server completely.
Thanks.
The best answer I found is this:
If your server is an Apache, you can block access before WordPress is even reached with one line in your .htaccess:
Redirect 403 /xmlrpc.php
You can add another line to keep the response short:
ErrorDocument 403 "die"
That will send a very minimal response (three bytes plus HTTP headers), and it will save your resources for better traffic.
Source:
https://wordpress.stackexchange.com/questions/156522/restrict-access-to-xmlrpc-php
Please go vote up the answer at the WordPress stack, by user @toscho. I don't have enough reputation. Toscho's answer is way better than the accepted answer because you can deny access in .htaccess and still burn up server resources loading the 404 in WordPress. His answer actually saves you one byte over mine.
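The point made above, that a 403 answered by Apache costs far less than a request that reaches WordPress, can be checked in the access log. The following Python script is an added example, not part of this thread or of WordPress or Apache: it parses constructed combined-format log lines (the addresses, counts and byte sizes are made up for the example) and reports, per client, how many xmlrpc.php requests were served by PHP versus answered with the 403 that `Redirect 403 /xmlrpc.php` produces, flagging any client over a hit threshold.

```python
import re
from collections import defaultdict

# Apache combined log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log, not real traffic. 203.0.113.9 floods xmlrpc.php on a host
# where every request still reaches PHP (200, ~400-byte XML-RPC fault). 192.0.2.77
# floods a host with `Redirect 403 /xmlrpc.php` + `ErrorDocument 403 "die"`: 403, 3 bytes.
SAMPLE_LOG = """\
198.51.100.4 - - [03/Dec/2015:18:05:20 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Dec/2015:18:05:21 +0000] "POST /xmlrpc.php HTTP/1.1" 200 424 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Dec/2015:18:05:21 +0000] "POST /xmlrpc.php HTTP/1.1" 200 424 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Dec/2015:18:05:22 +0000] "POST /xmlrpc.php HTTP/1.1" 200 424 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Dec/2015:18:05:22 +0000] "POST /xmlrpc.php HTTP/1.1" 200 424 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Dec/2015:18:05:23 +0000] "POST /xmlrpc.php HTTP/1.1" 200 424 "-" "WordPress/4.3"
192.0.2.77 - - [03/Dec/2015:18:05:24 +0000] "POST /xmlrpc.php HTTP/1.1" 403 3 "-" "Mozilla/5.0"
192.0.2.77 - - [03/Dec/2015:18:05:24 +0000] "POST /xmlrpc.php HTTP/1.1" 403 3 "-" "Mozilla/5.0"
192.0.2.77 - - [03/Dec/2015:18:05:25 +0000] "POST /xmlrpc.php HTTP/1.1" 403 3 "-" "Mozilla/5.0"
192.0.2.77 - - [03/Dec/2015:18:05:25 +0000] "POST /xmlrpc.php HTTP/1.1" 403 3 "-" "Mozilla/5.0"
garbage line that does not parse
"""


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def xmlrpc_report(log_text, path="/xmlrpc.php", threshold=3):
    """Per-client summary of requests to `path`.

    blocked = answered by Apache itself with 403 (the Redirect rule, no PHP involved);
    served  = any other status, i.e. the request reached WordPress and cost a PHP worker
              (a WordPress-rendered 404 counts here too);
    flagged = more than `threshold` hits from one client in this log.
    """
    per_ip = defaultdict(lambda: {"hits": 0, "served": 0, "blocked": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].split("?")[0] != path:
            continue
        s = per_ip[rec["ip"]]
        s["hits"] += 1
        s["bytes"] += rec["bytes"]
        if rec["status"] == 403:
            s["blocked"] += 1
        else:
            s["served"] += 1
    for s in per_ip.values():
        s["flagged"] = s["hits"] > threshold
    return dict(per_ip)


def unblocked_offenders(report):
    """Flagged clients whose hits still reach PHP: the Redirect rule is missing or not effective."""
    return sorted(ip for ip, s in report.items() if s["flagged"] and s["served"] > 0)


if __name__ == "__main__":
    rep = xmlrpc_report(SAMPLE_LOG)
    for ip, s in sorted(rep.items()):
        print(f"{ip:15} hits={s['hits']} served={s['served']} blocked={s['blocked']} "
              f"bytes={s['bytes']} flagged={s['flagged']}")
    print("flooding and still served by PHP:", unblocked_offenders(rep))
```

Run against a real log with `xmlrpc_report(open("/var/log/apache2/access.log").read())`; a flood that shows up as `served` rather than `blocked` means the `Redirect 403` line is not in effect for that vhost.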
Well, did you restart your server after you made changes to apache2.conf? Secondly, there is a difference between order allow,deny AND order deny,allow.
Try using this
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
You can also disable the XML-RPC Feature, from the system itself. Just put this in your wp-config
add_filter('xmlrpc_enabled', '__return_false');
Update: Some clarification:
I agree with jason; blocking xmlrpc.php at the htaccess level is always a much better idea, because even if you disable it through the filter, the site still goes through the whole request cycle. Here the filter is just being used as a safeguard against someone getting in, but the site is still open to DDOS attacks. In short, the filter is only for people who are using it for some other purpose and not looking for an escape from DDOS attacks, e.g. if someone doesn't have access to the htaccess file.
We've tried a few things that we found around Google for this, but can't seem to get anything to work.
The Problem
We have a server with around 500 Wordpress websites on it. We're trying to lock down all the wp-login.php pages for every instance to the IP address of our office using a global htaccess - but the individual Wordpress htaccess files are overriding this.
The Environment
We're hosted on an AWS Linux server running Plesk to manage each website / Wordpress instance.
The Question
Is there a way we can set one htaccess file on the server to lock down all of the Wordpress login pages without the individual htaccess files overriding this?
any help or suggestions for a good way to do this, would be appreciated.
Thanks in advance
I assume that you have read up on the RewriteOptions directive. As I explain in Tips for debugging .htaccess rewrite rules, and as you have found with WP, which generates its own .htaccess files, by default the current path is scanned for .htaccess files and the rewrite rules in the lowest one are applied, unless a higher one specifies RewriteOptions Inherit, in which case its rules are executed after the rules specified in the child scope. This is the catch-22: the WP access file generates an [L] flag on all its execution paths, preventing the parent rules from firing.
So the answer is to do this with an Apache mechanism other than rewrite and you can use the SetEnvIf directive:
# SetEnvIf cannot negate a regex, so flag every client first and then clear the
# flag for the trusted range (a leading "!" on the variable name unsets it)
SetEnvIf Remote_Addr "." forbidden
SetEnvIf Remote_Addr "^192\.168\." !forbidden
<Files *>
Order allow,deny
Allow from all
Deny from env=forbidden
</Files>
or
SetEnvIf Remote_Addr "." forbidden
SetEnvIf Remote_Addr "^192\.168\." !forbidden
<Directory /var/www/wproot>
Order allow,deny
Allow from all
Deny from env=forbidden
</Directory>
Clearly you'll need to change the regexp to your local needs, but this should do the biz. The Apache docs give other variants on this, but you should be able to find one which works in your case. Just put this in a per-virtual-server context (within a Directory(Match) directive if necessary) or in a common parent directory .htaccess file.
I ended up getting this to work with your first suggestion, but actually without the SetEnvIf line being required, so thanks very much! This was my .htaccess in the /var/www/vhosts folder, for anyone else needing this:
<files wp-login.php>
order deny,allow
deny from all
Allow from xxx.xxx.xxx.xxx
</files>
Nice and simple and completely different from the previous routes I was trying to take for this.
I want to add protection to my WordPress site by specifying which IP addresses can access the admin dashboard. I've created a .htaccess file in the /wp-admin folder and added the code. However, it seems that the .htaccess file is being completely ignored. Does anybody know why this is happening?
Code:
order deny,allow
# 000.000.000.000 stands for my IP address
allow from 000.000.000.000
deny from all
you would need to create a new .htaccess file in your text editor and upload to your wp-admin folder.
For more details please refer to the link:
http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp-admin_by_IP
order deny,allow
# replace 202.090.21.1 with your IP address
allow from 202.090.21.1
deny from all
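The answers on this page mix `Order deny,allow` and `Order allow,deny`, and the direction matters more than it looks. The Python model below is an added example, not code from this thread or from Apache: it implements the Apache 2.2 (mod_access, mod_access_compat on 2.4) evaluation rules for `Order`, `Allow from`, `Deny from` (including `env=`) and `SetEnvIf Remote_Addr`, and runs them against the shapes used above: the office-only allowlist for wp-login.php / wp-admin, the same three lines with the Order reversed, the SetEnvIf variant, and the plain deny-all used to hide .htaccess or a stray test.db. The office range 203.0.113.0/24 and the client addresses are documentation prefixes assumed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Subset of Apache 2.2 access control, enough to model the snippets in this thread.

    order:    "allow,deny" or "deny,allow" (the argument of the Order directive)
    allow:    entries of `Allow from ...`: "all", a full IP, a dotted prefix such as
              "203.0.113." or "203.0.113", or "env=NAME"
    deny:     entries of `Deny from ...`, same forms
    setenvif: (regex, variable) pairs for `SetEnvIf Remote_Addr regex variable`;
              a variable written "!NAME" unsets NAME, as Apache documents
    """
    order: str
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    setenvif: list = field(default_factory=list)


def client_env(policy, client_ip):
    """Environment variables mod_setenvif would set for this client, in directive order."""
    env = set()
    for regex, var in policy.setenvif:
        if re.search(regex, client_ip):
            if var.startswith("!"):
                env.discard(var[1:])
            else:
                env.add(var)
    return env


def _from_matches(spec, client_ip, env):
    """Does one `... from <spec>` argument match this client?"""
    if spec == "all":
        return True
    if spec.startswith("env="):
        return spec[4:] in env
    prefix = spec.rstrip(".")
    # a full address matches exactly; a 1- to 3-octet prefix matches the whole block
    return client_ip == prefix or client_ip.startswith(prefix + ".")


def is_allowed(policy, client_ip):
    """Apache 2.2 verdict: Order fixes both the evaluation order and the default."""
    env = client_env(policy, client_ip)
    allowed = any(_from_matches(s, client_ip, env) for s in policy.allow)
    denied = any(_from_matches(s, client_ip, env) for s in policy.deny)
    order = policy.order.lower().replace(" ", "")
    if order == "allow,deny":
        # Allow is evaluated first, any matching Deny overrides it; default is deny
        return allowed and not denied
    if order == "deny,allow":
        # Deny is evaluated first, any matching Allow overrides it; default is allow
        return allowed or not denied
    raise ValueError(f"unsupported Order argument: {policy.order!r}")


OFFICE = "203.0.113."  # assumed office range (documentation prefix)

# wp-login.php / wp-admin limited to the office: the form used in the last two answers
OFFICE_ONLY = Policy(order="deny,allow", deny=["all"], allow=[OFFICE])
# The same three lines with the Order reversed: Deny from all wins, nobody can log in
OFFICE_ONLY_REVERSED = Policy(order="allow,deny", allow=[OFFICE], deny=["all"])
# SetEnvIf form: flag every client, clear the flag for the office, deny flagged clients
OFFICE_ONLY_ENV = Policy(order="allow,deny", allow=["all"], deny=["env=forbidden"],
                         setenvif=[(".", "forbidden"), (r"^203\.0\.113\.", "!forbidden")])
# `Order allow,deny` + `Deny from all`, as used to hide .htaccess or a .db file
DENY_ALL = Policy(order="allow,deny", deny=["all"])


if __name__ == "__main__":
    clients = ["203.0.113.7", "198.51.100.4"]
    policies = [("OFFICE_ONLY", OFFICE_ONLY), ("OFFICE_ONLY_REVERSED", OFFICE_ONLY_REVERSED),
                ("OFFICE_ONLY_ENV", OFFICE_ONLY_ENV), ("DENY_ALL", DENY_ALL)]
    for name, pol in policies:
        verdicts = ", ".join(f"{ip}: {'allow' if is_allowed(pol, ip) else 'deny'}" for ip in clients)
        print(f"{name:21} {verdicts}")
```

Two practical notes that follow from the model. `Order`, `Allow` and `Deny` belong to the `Limit` override group, so a .htaccess file may only use them when the enclosing `AllowOverride` includes `Limit` (`All` does); otherwise Apache logs "order not allowed here", the message from the xmlrpc question above. On Apache 2.4 the office-only policy is written `Require ip 203.0.113.0/24` and deny-all is `Require all denied`; the 2.2 directives keep working there only while mod_access_compat is loaded.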