I've searched this site without finding the answer to my specific query. Many apologies if I have overlooked the answer.
I'm looking to block direct access to the files in a folder - which I have learned I can do with "deny from all" in .htaccess - AND allow WordPress access to these files. The idea is not to let anyone access the images directly, but still have them show up in blog posts. When I use "deny from all", WordPress does not have access. How do I fix that?
When you say "allow WordPress access to these files", I'm guessing what you really mean is "allow people who are on a WordPress page to have direct access to these files", because it's not wordpress that is accessing the files, it's still the client/browser accessing them directly. That's why when you use Deny from all, they can't see images linked in a word press page.
You can deny by referer, though there's easily ways to get around that. Something like this in the htaccess file in your document root for example (preferably before any wordpress rules):
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://your.wordpress-site.com/ [NC]
RewriteRule \.(jpe?g|gif|png)$ - [NC,L,F]
would deny access to images if the images aren't linked from your wordpress site (replace your.wordpress-site.com with the hostname of your site).
Related
I have moved my phpBB board from dommain.com to domain.com/forum.
I have launched a Wordpress website on domain.com.
As a consequence, all links to topics on my board end up on a 404 page of my Wordpress website on domain.com
I would like to redirect links to topics on my board.
For example:
Redirect: example.com/viewtopic.php?f=17&t=35
To: example.com/forum/viewtopic.php?f=17&t=35
So only /forum should be added.
Is changing the .htaccess file of my WordPress website the best way to do this? And if so, what would be the correct code?
Of are there better ways (faster/better for SEO) that I don't know of.
Is changing the htaccess file of my Wordpress website the best way to do this?
Implementing this in the root .htaccess file is a reasonable way to do this, unless you have access to the main server config. Alternatively, you could perform this redirect in PHP (in WordPress), but that puts the burden on your WordPress site.
For example, at the top of your root .htaccess file, before the existing WordPress directives (ie. before # BEGIN WordPress) try the following:
# Redirect old forum topics to "/forum" subdirectory
RewriteRule ^viewtopic\.php$ /forum/$0 [R=301,L]
Any query string is passed through by default. So, a request for /viewtopic.php?<something> is redirected to /forum/viewtopic.php?<something>.
The $0 backreference contains the URL-path matched by the entire RewriteRule pattern. ie. "viewtopic.php" (this simply saves repetition).
NB: You should test first with a 302 (temporary) redirect to avoid potential caching issues.
The domain names used are only examples, so if you could use those example names in your answer that would be great. I'm having a very hard time wording exactly what I'm trying to do and because of that can't find the answer via searching, so I'm posting it as this analogy:
I work for a company that makes WordPress sites. We'll call that company SuperMedia, and their main website is supermedia.com. SuperMedia wants to host their clients' sites on their own server via subfolders. So in this case, we've created a client's WordPress site in the directory http://supermedia.com/greatclient/
The issue is that our client has a domain name, friendlyclient.com, and we need to link this domain name to their site which we are hosting on our server, but we don't want the urls to show "supermedia" at all.
So in simplest terms, right now all of our page urls look like this:
http://supermedia.com/greatclient/about
http://supermedia.com/greatclient/our-services
http://supermedia.com/greatclient/gallery
(etc...)
But we want them all to say:
http://friendlyclient.com/about
http://friendlyclient.com/our-services
http://friendlyclient.com/gallery
(etc...)
but still display the information on http://supermedia.com/greatclient/about, http://supermedia.com/greatclient/our-services, http://supermedia.com/greatclient/gallery, etc. respectively.
Is there a simple, fairly fast way to do this for all the pages we've created, either using .htaccess or some kind of plugin? I don't have a lot of back-end programming/database knowledge, so if it involves advanced programming, could you lay-out some steps on how I can achieve this?
If you are using apache, you can use mod_rewrite to do the rewriting. Try adding this to your .htaccess file(In the friendlyclient.com root folder)
# Match the host
RewriteCond %{HTTP_HOST} ^([^\.]+)\.com$ [NC]
# proxy the entire request to the /host/ and path
RewriteRule ^(.*)$ http://www.supermedia.com/%1/$1 [L,P]
This will make it so requesting http://friendly.com/about will serve http://www.supermedia.com/friendlyclient/about and dont forget to rename ur folder, from greatclient to friedlyclient
I'm planning on using Wordpress on an upcoming project and the biggest question for me is security.
I will be having several users who will be able to update the site and I've given myself several options. I can build a static web page and then have a 'blog' page that is using a WordPress install for that page only. This seems a bit excessive just for a blog feature, but it's an option.
The other option I'm looking at is a full WordPress install to power the whole site. My big issue is blocking the /wp-admin from everyone but the people at a static IP that won't be changing. I'm thinking if I go this route I can use my .htaccess to check the IP and if it returns false, redirect it to the homepage. If it is true, then continue on to the wp-admin login page.
If I go with my second option, how do I use .htaccess to check the IP and if it returns false, redirect back to the homepage. And if it's true, continue to the WordPress login page.
Is this best starting point?
<Location /wp-admin/>
order allow,deny
allow from 1.1.1.1
deny from all
</Location>
I appreciate any input ahead of time!
You cannot use Location in a .htaccess file. As you can see from the Context it is only allowed in the main server configuration file or in a virtual host section.
Furthermore, you shouldn't use it for security, if wp-admin is a real directory in the file system
<Location> Directive
<Location> sections operate completely outside the filesystem. This has several consequences. Most importantly, <Location> directives should not be used to control access to filesystem locations. Since several different URLs may map to the same filesystem location, such access controls may by circumvented.
If you use Access control by host, the order should be
Order deny,allow
Deny from all
Allow from 1.1.1.1
This ensures, that anybody is prohibited to access /wp-admin/, except the given IP addresses or domains.
I think this is documented here: http://httpd.apache.org/docs/trunk/howto/auth.html
You may need to couple it with this: http://httpd.apache.org/docs/2.2/howto/htaccess.html, and this: http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#require
But, it appears that something like this could work:
<Directory /wp-admin/>
Require ip 192.168.1.104 192.168.1.205
</Directory>
Full disclosure: I'm guessing.
I was able to use what Olaf Dietsche wrote to lead me in the right direction. By putting the below code in my wp-admin folder instead of the root, I was able to control who had access to my url/wp-admin login and if they didn't match the allowed IP, then I redirect them back to the home page.
Options +FollowSymlinks
RewriteEngine on
#urls to exclude
RewriteCond %{REQUEST_URI} !/wp-admin$
RewriteCond %{REQUEST_URI} !^/images$
RewriteCond %{REQUEST_URI} !^/$
#ip to allow access
RewriteCond %{REMOTE_HOST} !^111\.111\.111\.111$
#send to root. If you want a specific URL, use /yourcustomurl.html
RewriteRule .? / [R=302,L]
I appreciate the input everyone. And thank you much!
We have a multi-tenant web application where customers can set up custom domains for their site.
When an invalid domain is requested we need to display an error page on a different domain. What is the correct way to handle this? I thought perhaps issuing a 303 to a page on the other site that always returns 404. Will this keep search engines happy?
I am still trying to determine the need for this. As not a lot of information is provided to why its needed. There are many hosts that let users create places for themselves. When any error happens it simply links to the local 404. So why is it needed to go to another domain for 404? As setting a error document 404 with a domain and sub domains. The local 404 is called for all of them. It doesn't just 404 for the main domain, while leaving the sub domains clueless. As for allowing users to set up custom domains I'm guessing that was a typo. And you meant "custom sub domains". Unless that was correct, and its in some way to allow customers to buy hosting packages from you. For which they can sell back to their own customers. If the latter is correct. You would just need to set up their environment correctly. Though I figure you meant sub domain.
ErrorDocument 404 /404.html
There are a few better ways to do the below. Just supplying the quickest.
As for wanting to bounce the 404 to another domain you still can:
In .htaccess do :
ErrorDocument 404 /404.html
In the local 404.html use :
<meta http-equiv="refresh" content="0; url=http://example.com/">
Mind you can use other methods.
First, try to find an application in your control panel on your web host, that will allow you to create an error page. If you're using cPanel, this application is named as Error Pages which heading with Advanced header. After finding this app., now create a file of 404 (Not found) error page. In cPanel, there are specific “Referring URL”, “Visitor’s IP address”, “Requested URL”, “Server name”, “Visitor’s browser” and “Redirect Status Code” tags for this SSI-enabled file, and after saving 404 error page, it will be saved into 404.shtml with an extension for a file that recognized by a web server as an SSI-enabled HTML file. If ever there's no Error Pages app. in your c-panel, try to create an error page manually with .shtml extension if your server is configured to allow this. If it's not allowable or if the file become unreadable, you can still use another extension, but for a web server, it's not recognized as an SSI-enabled HTML file.
The best way is to rewrite and not to redirect all the empty subdomains, into /404.shtml but first, make sure that there's a rewrite engine in your account. Now we will going to rewrite all those subdomains with mod_rewrite. Try to find a .htaccess file in your file manager. That file is often found in the same folder where your index page is located. If there's no file like that, you can create a new one in the folder where your index located. This code must be at the very top of your empty .htaccess source, and DO NOT REMOVE it while testing the following sets of conditions and rules below after this:
Options +FollowSymlinks
RewriteEngine on
And try to paste this directives below the two-lines code above:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
Rewrite ^(.*) /404.shtml
If the directives above didn't work, then try the following below:
RewriteCond %{REQUEST_URI} !-f
RewriteCond %{REQUEST_URI} !-d
Rewrite ^(.*) /404.shtml
However, if you didn't want to redirect those empty subdomains, just add a [R] flag after the file extension of the rule, just don't forget a single space before the flag.
To keep the search engines happy, let the 404 appear to be from the invalid domain by Domain masking. This will prevent accumulating poor reputation owing to too many redirects over time. An occasional redirect to canonical document is good as it means you are practicing DRY(Don't Repeat Yourself) by redirecting to the canonical IRI qualified for search juice. Use meta noindex on the 404 page to prevent search engines from remembering the invalid custom domain IRIs.
I have a website and want to redirect all its pages to posts on my blog. I browsed through my website folder but could not find the '.htaccess' file. Is it provided by the web hosting or can I create my own and use it? Can it be only used with Apache server.
If that's not possible what other option do I have for redirection.
Janice
You create your own .htaccess, by simply opening a document and saving it as .htaccess.
You'll want something like this in it:
RewriteEngine on
RewriteRule ^(.*)$ http://domain.com/$1 [R=301,L]
Perhaps you just don't see the .htacces file. The dot at the beginning of the file name indicates that this is a hidden file and will not be displayed normally.
If you don't want to mess around with editing your .htaccess file, Redirection is a good Wordpress plugin that handles 301 redirects, logs, etc. and is easy to use.
.htaccess is for Apache only, other web servers have their own methods of configuration and do not use .htaccess files.
Since this is tagged "Wordpress" maybe you are using that? Wordpress will create one after you've turn on pretty permalinks.