[wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default

jackie sparks jackie.craig.sparks at live.com
Tue Dec 20 13:14:56 UTC 2011


I like to install wp-sentinel on my blog installs, then I use the following .htaccess. Wp-sentinel will log and block recursive file access injections from the URL, and the following will block people who are snooping, trying to see if you have +Indexes set in your .htaccess.


# DO NOT SHOW DIRECTORY LISTING
# If you are getting 500 errors when activating BPS then comment out Options -Indexes
# by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.
Options -Indexes

# mod_rewrite has to be switched on before any RewriteCond/RewriteRule below is used
RewriteEngine On
RewriteBase /

# Rewrite anyone who is trying to snoop into the directories to be logged by wp-sentinel.
# A RewriteCond only guards the RewriteRule that immediately follows it, so the
# "not an existing file" test (%{REQUEST_FILENAME}, not REQUEST_FILE) is repeated per depth.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^/.]+)/?$ /?s=../../dirblock1 [R=301,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^/.]+)/([^/.]+)/?$ /?s=../../dirblock2 [R=301,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^/.]+)/([^/.]+)/([^/.]+)/?$ /?s=../../dirblock3 [R=301,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^/.]+)/([^/.]+)/([^/.]+)/([^/.]+)/?$ /?s=../../dirblock4 [R=301,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^/.]+)/([^/.]+)/([^/.]+)/([^/.]+)/([^/.]+)/?$ /?s=../../dirblock5 [R=301,L]

# BLOCK HOTLINKING TO IMAGES
# To test that your hotlinking protection is working visit http://altlab.com/htaccess_tutorial.html
# Requests for images with a referer that is neither empty nor this site get a 403.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?raskitchen\.com [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]
> Date: Tue, 20 Dec 2011 11:51:51 +0000
> From: barry at barrycarlyon.co.uk
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default
> 
> Like the media temple problem. With the PHP being plain text.
> A wp-config.php in the accessible folder you can just stick in a
> include(../../path to file); anywhere on the system linking to the actual
> file.
> 
> WP only looks one directory up which is annoying since it should do
> $_SERVER['DOCUMENT_ROOT'] and go one up methinks.
> 
> On Fri, Dec 16, 2011 at 1:37 PM, jackie sparks <jackie.craig.sparks at live.com> wrote:
> 
> > Well, with file recursion exploits one can usually go as far back as the
> > passwd and group file, so as long as anyone can read it, it can be a problem.
> >
> > Then from the passwd file you can figure out what accounts are on the
> > system...
> >
> > > Date: Fri, 16 Dec 2011 13:28:15 +0000
> > > From: aero.maxx.d at gmail.com
> > > To: wp-hackers at lists.automattic.com
> > > CC: jackie.craig.sparks at live.com
> > > Subject: Re: [wp-hackers] Add .htaccess rules to prevent access to
> > wp-config.php by default
> > >
> > > I just thought it may be too far back in the directory structure, that
> > > WordPress would not look for the wp-config.php file 2 directories back
> > > and look only 1 directory back.
> > >
> > > On 16/12/2011 12:52, jackie sparks wrote:
> > > >
> > > > Why not, as long as the user/apache has permission to access it? So I
> > > > figure it would work with 644 (xr-r-r) permissions.
> > > >
> > > >> Date: Fri, 16 Dec 2011 12:22:27 +0000
> > > >> From: aero.maxx.d at gmail.com
> > > >> To: wp-hackers at lists.automattic.com
> > > >> Subject: Re: [wp-hackers] Add .htaccess rules to prevent access to
> > wp-config.php by default
> > > >>
> > > >> On 15/12/2011 17:10, Mike Little wrote:
> > > >>> On 15 December 2011 09:00, Liam Gladdy <liam at storm-consultancy.com> wrote:
> > > >>>
> > > >>>> I have a suggestion, too. Is there any reason why, when WordPress
> > > >>>> writes its rules to .htaccess, it doesn't also write the security
> > > >>>> protection to deny all access to wp-config.php? Obviously, for the
> > > >>>> most part this isn't needed, but this morning Media Temple had a
> > > >>>> catastrophic configuration change which led to the PHP handlers not
> > > >>>> being registered, and all PHP files being downloaded as plain text on
> > > >>>> one of their clusters.
> > > >>>>
> > > >>>> If WordPress wrote a deny rule to .htaccess, this would negate that
> > > >>>> event opening access to database passwords.
> > > >>>>
> > > >>>> I'd suggest something along the lines below are added to the .htaccess
> > > >>>> file by the WordPress installer:
> > > >>>>
> > > >>>> <files wp-config.php>
> > > >>>> order allow,deny
> > > >>>> deny from all
> > > >>>> </files>
> > > >>>>
> > > >>>> Thanks, and have a great upcoming holiday :)
> > > >>>>
> > > >>>>
> > > >>> Hi Liam,
> > > >>>
> > > >>> WordPress does not automatically set up .htaccess files (it can't: some
> > > >>> hosts don't allow them), but you can move your wp-config.php up one
> > > >>> directory level (towards root), so that it will be out of Apache's
> > > >>> document root. That will work on all sites regardless of whether they
> > > >>> have .htaccess files.
> > > >>>
> > > >>> As to the media temple error: Ouch! There's a reason I haven't used
> > > >>> shared hosting for several years!
> > > >>>
> > > >>> Mike
> > > >> What if you have your WordPress install in a folder called wordpress
> > > >> and the wp-config.php is in there? Moving it up one directory would still
> > > >> be in Apache's document root. Is it possible to move it up 2 directories
> > > >> and for it to still work?
> > > >>
> > > >> I prefer to have a tidy server and not have non-WordPress files mixed in
> > > >> among WordPress files.
> > > >> _______________________________________________
> > > >> wp-hackers mailing list
> > > >> wp-hackers at lists.automattic.com
> > > >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> > > >
> >
> >
> 
> 
> 
> -- 
> Barry Carlyon
> Freelance Web Developer
> Freelance Lighting/AV Engineer
> 
> http://barrycarlyon.co.uk
> 
> mobile: 07729 048 443
> skype: barrycarlyon
> email: barry at barrycarlyon.co.uk
> msn: barry at barrycarlyon.co.uk

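The failure Liam describes (PHP handlers gone, so wp-config.php comes back as source) and the deny rule he proposes, as an added example that is not part of the thread or of WordPress: a probe that fetches /wp-config.php and classifies the answer as denied (the .htaccess deny rule or a config moved out of the document root), executed (PHP ran, so the body is empty) or exposed (the body still contains the define() lines with the database credentials). The stand-in local HTTP server, the constructed wp-config.php body and the "wp-config-probe" User-Agent are assumptions for the example; against a real site you would call probe("https://your-site.example") directly.

```python
"""
Check whether a WordPress site's wp-config.php is served as plain text.

Added example, not code from the wp-hackers thread or from WordPress.
The "PHP handler not registered" failure is simulated with a stand-in
HTTP server that serves a constructed wp-config.php verbatim.
"""
import http.server
import re
import socketserver
import threading
import urllib.error
import urllib.request

# Constructed sample of a leaked wp-config.php body (placeholder values).
LEAKED_CONFIG = b"""<?php
define('DB_NAME', 'wp_example');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'hunter2');   // constructed placeholder, not a real secret
define('DB_HOST', 'localhost');
"""

# The define() lines are the tell-tale: a wp-config.php that was actually
# executed by PHP produces no output, so this text never reaches the client.
_DEFINE_RE = re.compile(rb"define\(\s*['\"](DB_(?:NAME|USER|PASSWORD|HOST))['\"]")


def classify(status, body):
    """Return 'denied', 'executed' or 'exposed' for a GET /wp-config.php."""
    if status in (401, 403, 404):
        return "denied"          # deny rule in .htaccess, or file not under docroot
    if status == 200 and _DEFINE_RE.search(body):
        return "exposed"         # source is being handed out as plain text
    return "executed"            # PHP ran; normally an empty 200


def probe(base_url, timeout=5):
    """GET base_url/wp-config.php and classify the result."""
    req = urllib.request.Request(base_url.rstrip("/") + "/wp-config.php",
                                 headers={"User-Agent": "wp-config-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as e:       # 403/404 arrive as exceptions
        return classify(e.code, e.read())


class _Handler(http.server.BaseHTTPRequestHandler):
    """Stand-in server. 'leak' mimics the broken PHP handler, 'deny' mimics
    the <Files wp-config.php> deny rule, 'executed' mimics a healthy server."""
    mode = "leak"

    def do_GET(self):
        if self.path != "/wp-config.php":
            self.send_error(404)
            return
        if self.mode == "deny":
            self.send_error(403)
            return
        body = LEAKED_CONFIG if self.mode == "leak" else b""
        self.send_response(200)
        self.send_header("Content-Type", "text/plain" if self.mode == "leak" else "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the example quiet
        pass


def run_simulation(mode):
    """Start the stand-in server in `mode` on a loopback port, probe it, return the verdict."""
    handler = type("ModeHandler", (_Handler,), {"mode": mode})
    with socketserver.TCPServer(("127.0.0.1", 0), handler) as srv:
        t = threading.Thread(target=srv.serve_forever, daemon=True)
        t.start()
        try:
            return probe("http://127.0.0.1:%d" % srv.server_address[1])
        finally:
            srv.shutdown()


if __name__ == "__main__":
    for mode in ("leak", "deny", "executed"):
        print("%-8s -> %s" % (mode, run_simulation(mode)))
```

The probe deliberately treats 404 as "denied": with Mike Little's approach (wp-config.php moved above the document root) there is nothing at that URL to serve, which is the outcome you want. A 200 with an empty body is only "good" for as long as the PHP handler stays registered, which is exactly the point of the thread.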

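Where WordPress actually looks for wp-config.php, the point aero.maxx, Mike and Barry go back and forth on, modelled as an added example (not WordPress's own code; the search order follows the lookup in wp-load.php: ABSPATH/wp-config.php first, then the parent directory's wp-config.php, and the latter only when that parent does not also hold a wp-settings.php, so a nested install is not mistaken for a moved config). The three directory layouts and the file contents are constructed for the example; the function also reports whether the config it finds is still inside the Apache document root, which is the catch with the "WordPress in a subfolder" layout.

```python
"""
Model of where WordPress searches for wp-config.php and whether the
location it finds is still web-accessible.

Added example, not WordPress code. Search order mirrors wp-load.php;
directory names and file contents are constructed placeholders.
"""
import os
import tempfile


def find_wp_config(abspath):
    """Return the wp-config.php WordPress would load for install dir `abspath`, or None."""
    abspath = os.path.abspath(abspath)
    candidate = os.path.join(abspath, "wp-config.php")
    if os.path.isfile(candidate):
        return candidate
    parent = os.path.dirname(abspath)
    up_one = os.path.join(parent, "wp-config.php")
    # One level up is honoured only if the parent is not itself a WordPress install.
    if os.path.isfile(up_one) and not os.path.isfile(os.path.join(parent, "wp-settings.php")):
        return up_one
    return None          # two or more levels up is never searched


def outside_docroot(path, docroot):
    """True if `path` is not under Apache's document root, i.e. cannot be served at all."""
    path = os.path.abspath(path)
    docroot = os.path.abspath(docroot)
    return os.path.commonpath([path, docroot]) != docroot


def _touch(path):
    """Create a placeholder file (and its directories) for the constructed tree."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write("<?php // constructed placeholder\n")


def scenario(layout):
    """
    Build a throw-away tree for `layout` and return (found, web_accessible).

    'root'   : WordPress in docroot itself, wp-config.php moved one level up
    'subdir' : WordPress in docroot/wordpress, wp-config.php moved one level up
               (lands in docroot, so it is still reachable over HTTP)
    'two-up' : WordPress in docroot/wordpress, wp-config.php moved two levels up
    """
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "public_html")
        if layout == "root":
            wp, cfg = docroot, os.path.join(tmp, "wp-config.php")
        elif layout == "subdir":
            wp, cfg = os.path.join(docroot, "wordpress"), os.path.join(docroot, "wp-config.php")
        elif layout == "two-up":
            wp, cfg = os.path.join(docroot, "wordpress"), os.path.join(tmp, "wp-config.php")
        else:
            raise ValueError("unknown layout: %s" % layout)
        _touch(os.path.join(wp, "wp-settings.php"))   # marks `wp` as the install dir
        _touch(cfg)
        found = find_wp_config(wp)
        return (found is not None, found is not None and not outside_docroot(found, docroot))


if __name__ == "__main__":
    for layout in ("root", "subdir", "two-up"):
        found, exposed = scenario(layout)
        print("%-7s found=%-5s web_accessible=%s" % (layout, found, exposed))
```

The 'subdir' row is aero.maxx's case: WordPress finds the file, but it sits in the document root and is exactly what the Media Temple outage would have served; the 'two-up' row shows why simply moving it further is not an option without a deny rule or a custom loader.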