.htaccess Plugin Blocks Spam, Hackers, and Password Protects Blog

« Encrypted WordPress / phpBB Backups.htaccess files - Ultimate htaccess Tutorial »

Jul 06, 08

I finally got around to updating this plugin, its now half-way decent code-wise. I’ve added a lot of new security modules and improved the old ones. The original plugin page and description can be found here. You can thank this guy for this update, his article about blocking spam with .htaccess inspired me to do it.

.htaccess Security Modules

Directory Protection

Enable the DirectoryIndex Protection, preventing directory index listings and defaulting. [Disable]

/.htaccess

Options -Indexes
DirectoryIndex index.html index.php /index.php

Password Protect wp-login.php

Requires a valid user/pass to access the login page - *** Safe, Use [401]

/.htaccess

<Files wp-login.php>
Order Deny,Allow
Deny from All
Satisfy Any
 
AuthName "Protected By AskApache"
AuthUserFile /home/askapache.com/.htpasswda1
AuthType Basic
Require valid-user
</Files>

Password Protect wp-admin

Requires a valid user/pass to access any non-static (css, js, images) file in this directory. - *** Safe, Use [401]

wp-admin/.htaccess

Options -ExecCGI -Indexes +FollowSymLinks -Includes
DirectoryIndex index.php /index.php
 
Order Deny,Allow
Deny from All
Satisfy Any
 
AuthName "Protected By AskApache"
AuthUserFile /home/askapache.com/.htpasswda1
AuthType Basic
Require valid-user
 
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$">
Allow from All
</FilesMatch>
 
<FilesMatch "(async-upload)\.php$">
<IfModule mod_security.c>
SecFilterEngine Off
</IfModule>
Allow from All
</FilesMatch>

Protect wp-content

Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes [401]

/.htaccess

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
RewriteRule .* - [F,NS,L]

Protect wp-includes

Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes [403]

/.htaccess

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/ [NC]
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
RewriteRule .* - [F,NS,L]

Common Exploits

Block common exploit requests with 403 Forbidden. These can help alot, may break some plugins. [403]

/.htaccess

RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

Stop Hotlinking

Denies any request for static files (images, css, etc) if referrer is not local site or empty. [403]

/.htaccess

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{HTTP_REFERER} !^http://www.askapache.com.*$ [NC]
RewriteRule \.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$ - [F,NS,L]

Safe Request Methods

Denies any request not using GET,PROPFIND,POST,OPTIONS,PUT,HEAD - *** Safe, Use [403]

/.htaccess

RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
RewriteRule .* - [F,NS,L]

Forbid Proxies

Denies any POST Request using a Proxy Server. Can still access site, but not comment. See Perishable Press [403]

/.htaccess

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

Real wp-comments-post.php

Denies any POST attempt made to a non-existing wp-comments-post.php - *** Safe, Use [403]

/.htaccess

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

HTTP PROTOCOL

Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1 only - *** Safe, Use [403]

/.htaccess

RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC]
RewriteRule .* - [F,NS,L]

SPECIFY CHARACTERS

Denies any request for a url containing characters other than “a-zA-Z0-9.+/-?=&” - REALLY helps but may break your site depending on your links. [403]

/.htaccess

RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

BAD Content Length

Denies any POST request that doesnt have a Content-Length Header - *** Safe, Use [403]

/.htaccess

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Length} ^$
RewriteCond %{REQUEST_URI} !^/(wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

BAD Content Type

Denies any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data - *** Safe, Use [403]

/.htaccess

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/form-data.*(boundary.*)?)$ [NC]
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

Directory Traversal

Denies Requests containing ../ or ./. which is a directory traversal exploit attempt - *** Safe, Use [403]

PHPSESSID Cookie

Only blocks when a PHPSESSID cookie is sent by the user and it contains characters other than 0-9a-z - *** Safe, Use [403]

NO HOST:

Denies requests that dont contain a HTTP HOST Header. - *** Safe, Use [403]

/.htaccess

RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{HTTP_HOST} ^$
RewriteRule .* - [F,NS,L]

Bogus Graphics Exploit

Denies obvious exploit using bogus graphics - *** Safe, Use [403]

/.htaccess

RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
RewriteRule .* - [F,NS,L]

No UserAgent, No Post

Denies POST requests by blank user-agents. May prevent a small number of visitors from POSTING. [403]

/.htaccess

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

No Referer, No Comment

Denies any comment attempt with a blank HTTP_REFERER field, highly indicative of spam. May prevent some visitors from POSTING. [403]

/.htaccess

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule .* - [F,NS,L]

Trackback Spam

Denies obvious trackback spam. See Holy Shmoly! [403]

/.htaccess

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^.*(opera|mozilla|firefox|msie|safari).*$ [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.+/trackback/?\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

SSL-Only Site

Redirects all non-SSL (https) requests to your https-enabled url [301]

Anti-Spam, Anti-Exploits

Denies Obvious Spam and uses advanced mod_security protection [Read More]

.htaccess Security Module Screenshot

« Encrypted WordPress / phpBB Backups.htaccess files - Ultimate htaccess Tutorial »

Reader Comments

1. Dieter says:August 03, 17h
   

   Have tried most of the setings with a live site and the rewrite stuff works so far on Apache 1.3.33 and Apache 2.2.xx.

   This never worked for me. I’ve tried it with all kinds of proxies, but no blocking at all.

   RewriteEngine On
   RewriteCond %{HTTP:VIA}                 !^$ [OR]
   RewriteCond %{HTTP:FORWARDED}           !^$ [OR]
   RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]
   RewriteCond %{HTTP:X_FORWARDED_FOR}     !^$ [OR]
   RewriteCond %{HTTP:PROXY_CONNECTION}    !^$ [OR]
   RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]
   RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
   RewriteCond %{HTTP:HTTP_CLIENT_IP}      !^$
   RewriteRule ^(.*)$ - [F]

   This:

   RewriteCond %{REQUEST_METHOD} =POST
   RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
   RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
   RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
   RewriteRule .* - [F,NS,L]

   ends up in a 404. I for myself would say this is not a good solution. Personally i use a php script to block proxies and WHAT I THINK IS VWERY IMPORTANT the tor network.

   This:

   #Protect wp-content
   #Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes
   #RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
   #RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
   #RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
   #RewriteRule .* - [F,NS,L]

   stops firestats working and i know a lot of people prefer firestats over google analytics.

   Sorry for asking, but for what is this ugly peace of rewrite:

   RewriteCond %{REQUEST_METHOD} =POST
   RewriteCond %{HTTP_USER_AGENT} ^.*(opera|mozilla|firefox|msie|safari).*$ [NC]
   RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.+/trackback/?\ HTTP/ [NC]
   RewriteRule .* - [F,NS,L]

   I use something like this:

   RewriteRule ^wp-trackback\.php.*$ - [F,L]

   -Dieter

2. Falcon1986 says:July 12, 10h
   

   Thanks for posting the actual code that goes into the .htaccess file! Yesterday morning I implemented a few of the edits and my site was working just fine. However, upon revisiting my site in the afternoon I got an immediate 500 Internal Server error. I thought this was strange because the site was working fine after I applied the edits to my .htaccess file. My web host’s tech support had to go in and reset my .htaccess file for me to regain access. Now, I apply each of your edits one at a time before proceeding to the next so I can isolate the exact entry that causes the problem.

   Keep up the good work!

3. AskApache says:July 11, 18h
   

   @Marco

   Great idea, I’m working on it..

   @Grant

   Yes you are right I apologize for the inconvenience, I have to reconfigure all my settings every upgrade as well. Until the code becomes more stable i.e. future-proofed I’m not going to implement that. Look for that feature in 4.5 in a week or 2.

   Also, as annoying as it may be to have to set everything up each upgrade, realize that each time you go through the settings you are actually learning a little bit more about what this plugin does and puts you more in control of your sites security.

4. Grant Barrett says:July 10, 9h
   

   Every time I update the plugin, all my previous settings are wiped out. Is there a way to keep them? It forces me to redo my htaccess user/pass setting, as well as re-tick all the check boxes in the AA configuration page.

5. Marco says:July 07, 3h
   

   Sounds great,

   could you please post a .htaccess example file generated by the plugin its maybe usefull for other CMS systems too.

   would be great.

   regards

6. jardel says:July 06, 22h
   

   good!
   i wouldn’t use it due to some limitations, like user enabled wordpress andusing subdirectories and subdomains for some other things

   Your list of bad robots to block in htaccess resolves everything for me
   dude, my akismet doesn’t have spam for months!

Like honey.. We Keep em' Buzzin