.htaccess Plugin Blocks Spam, Hackers, and Password Protects Blog

My Picks

• Mod_Rewrite Tips and Tricks
• Crazy Advanced Mod_Rewrite
• THE Ultimate Htaccess
• THE Mod_Rewrite Cheatsheet
• 
  
  
  
• Elite Log Viewing
• DNS: Round Robin Speed
• Fsockopen: Nuts
• Rsync and SSH

Support Freedom or Die

• Electronic Frontier Foundation
• Help the GNU Project
• Volunteer for Tor

Newest Posts

• PHP Session File Hacks
• Debugging Tools for Windows
• Crazy POWERFUL Bash Prompt

The love of liberty is the love of others; the love of power is the love of ourselves.
-- William Hazlitt

The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect. Tim Berners-Lee

Leave your own comment

Reader Comments

1. RWW ~

   July 12, 2010

   I’m trying to set up AskApache, but the radio buttons for Authentication Scheme and Encryption Preferences are greyed out. If I save the settings anyway, the .htpasswda3 file gets created, but there is no password information in it.

   How do I resolve this?

2. Mike ~

   These errors appear at the top of the page for “Password Configuration” and “SID Module Management” when I click on any “Activate” (and a box of .htaccess code appears at the top). What is causing this?

   Warning: array_merge() [function.array-merge]: Argument #1 is not an array in /home/prostro/public_html/wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1316
   
   Warning: join() [function.join]: Invalid arguments passed in /home/prostro/public_html/wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1319
   
   Warning: array_merge() [function.array-merge]: Argument #1 is not an array in /home/prostro/public_html/wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1316
   
   Warning: join() [function.join]: Invalid arguments passed in /home/prostro/public_html/wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1319
   
   Warning: array_merge() [function.array-merge]: Argument #1 is not an array in /home/prostro/public_html/wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1316
   
   Warning: join() [function.join]: Invalid arguments passed in /home/prostro/public_html/wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1319
   

3. Eddie ~

   I’ve moved my .htaccess file from the wordpress directory to the directory below it (so that I can access my wp install through www.domain.com instead of www.domain.com/wordpress). Ask Apache doesn’t work for me in this case, it’s getting a lot of the directory setting wrong in the test (as seen from the verbose output). Any tips?

   Eddie

4. SleeplessinDC ~

   It would be nice if you allowed the dates to show in these comments so we don’t waste our time looking at out of date problems and to be able to know what order they are in.

   I’m not sure if this comment is even going to get posted because I wrote an answer to gon and it hasn’t appeared. Then I wrote a separate comment about problems I’m having and what steps I took. It was long and detailed. As soon as I clicked on the “Add Your Opinion” button, I got a page saying Firefox couldn’t find this page or the comment. The Back button didn’t get me back to the comments–everything is gone.

   Without dates below, I have no way of knowing whether these are from 2005 or more recent. Is the developer still looking at the comments and working on solutions?

5. SleeplessinDC ~

   The plugin is a great idea and I’d like to get it to work. Even though I solved the mystery of the .htpasswda3 file, I am having problems with the plugin. Is it possible to run this plugin when WordPress is in a subdirectory of a regular HTML site that doesn’t require a logon to use?

   In the tests, I put the absolute URL for where the blog is. The wording for this field is confusing. It says one or two URIs in the same space that require the same authname, username, and password. My site is not set up that way. A separate username and password is used for the blog. It is not the same as the FTP logon for the main site because I only want authors and contributors to the blog to have access to the blog and not the whole site.

   Although I set the field pointing to the blog in the subdirectory, the .htpasswda3 file was created outside the blog directory. Assuming that most people will be working with a standalone WordPress installation, the .htpasswda3 file would normally be created in the root of the WordPress files. So I moved the file that was made outside the WordPress directory and put it into the WP root. Then I ran the test again and specified that link for the .htpasswda3 file in the WordPress directory.

   I activated Password Protect wp-login.php and wp-admin. Then I tried to go to my blog and I keep getting an Authentication Required window that says: A username and password are being requested by http://www.domain.name. The site says: “Protected By AskApache” I’ve tried entering the FTP logon info but that isn’t accepted and I even tried the blog logon info even though the blog is not at that level. But nothing is accepted.

   In addition, all the CSS styling for both the main site and the WordPress site is not being used. How would this plugin affect that?

   I am hoping that this plugin will allow me to protect the WordPress directory, wp-login, and wp-admin from unwanted users and allow multiple registered authors, editors, and contributors to log on with a password. I’m going to remove the plugin until someone can tell me how to make it work with WordPress in a subdirectory. I am using WordPress 2.8.5.

6. SleeplessinDC ~

   I got the same error about the .htpasswda3. I looked at my files and it had been created but it had zero contents. I went back to the section below that error message and decided to click on the first module for Password Protect wp-login.php

   That made the error message go away. In its place was a yellow box with the code that had been written to the .htaccess file.

7. gon ~

   hi! this pluging seems to be great but

   im having a ERROR: Failed to create /home/user/.htpasswda3

   my .htaccess is writable but i have a red box in
   Digest Authentication Attempt and
   2nd Digest Authentication Attempt

   it may be the reason of my first error.

   can i ask how to solve this?

8. Robert Nelson ~

   Installed plug-in, ran tests, activated first two items on your plug-ins set up page, now I can’t access Wp-admin. Tried going to my cpanel and deleting everything in your plug-in. No help. I still can’t access my wp-admin. How to solve?

9. AskApache ~

   
   Oh yes use yubikey!

10. Ron ~

    Hi, thanks for a great looking plugin.

    I’m having problems however and I’m receiving this in the testing phase:

    ‘Bummer… you don’t have digest capabilities.’

    and this is stopping the plugin from working.

    What would cause this, and is it something I can do, or do I have to get onto my web host?

    Thanks for any help with this.

11. Signatur ~

    hi there,
    this plugin seems really good :)
    However, when i installed it and tested it i got
    the message that my server doesnt support authentication digest.

    is there anything i can do to change this?
    best , sarah
    Norway

12. Phil v. Sassen ~

    Hi, I am not able to use your plugin. The initial test fails. The result for “/wp-admin/.htaccess file writable” is shown twice. One time with a red status and one time with a green status. How could this be?

    Best regards from Berlin – Germany, Phil

    PS:

    File Permission Tests
    
    If any of these checks fail this plugin will not work. Both your /.htaccess and /wp-admin/.htaccess files must be writable for this plugin, those are the only 2 files this plugin absolutely must be able to modify. If any of the other checks fail you will need to manually create a folder named askapache in your /wp-content/ folder and make it writable.
    
    [ ] /wp-admin/.htaccess file writable
    [ ] /wp-admin/.htaccess file writable
    [ ] /kunden/sassen.org/.htpasswda3 file writable
    [ ] Creating test folder
    [ ] Test folder writable
    [ ] Basic Auth htpasswd file writable
    [ ] Digest Auth htpasswd file writable
    [ ] .htaccess test file writable
    

13. AskApache ~

    @fuzion

    Ya 2 things, first I have been swamped with work for the past like year, crazy swamped. But also I just learned how to write php classes and so I’ve been honing that skill (see the updated Google 404 Plugin) and getting a feel for it.

    Rest assured I’m still working on it, I just have to make sure it’s as good as I am telling you it is ;)

14. fuzion ~

    So, how’s this coming along? I haven’t seen any new posts from you in a while… hope everything’s ok :)

15. AskApache ~

    @claire

    The way he is accessing your website is the same way I would if I were to go visit. The difference is that he is doing it programmatically using some php file. The file could simply request the real page from your server masquerading as a normal request, and then he mirrors the download back off his server like a reverse proxy..

    This is a tough question as I’ve always been able to shut people down who tried doing it to me.. I did exactly what you did, I isolated his address by looking for time-correlations between the data they had and my servers access logs, blocked their whole country for a few weeks, and immediately told google about it.

    As long as Google and other companies know that they are still from you and you are legit, then something like this happening might actually help you in terms of SEO. Googlel really hates these people, so does everyone.

    The way I try to answer fun questions like this is I think about how easy it would be for me to steal your site and how much fun itd be to continue stealing your site no matter how much you tried to block me. And usually when I do that I think of a solution that would successfully stop me, but in this case I don’t know if I could stop me.. Very intriguing question I hope someone else can be more helpful.

    P.S. You could always post some identifying information about this person, IP or otherwise, some anonymous person might read about this and decide to help this person have a change of heart.

16. AskApache ~

    @buys

    I haven’t stopped. I learned how to program sockets, learned how to program with classes and objects, and now my code won’t be so darn ugly.. its not always a good thing to code like a hacker, as in trying to develop this thing.

    So the end result is that is is one very very serious program, maybe even good enough to become standard with wordpress releases.. we’ll see. (I have several clients pushing me to death on other projects at the momemt.. so hopefully no later than 2 months?) ahh! When did it all slip away? 2 months???

17. Claire The Unclever ~

    My website is being broadcast in a frame using some kind of script. The jerk doing this accessed it somehow through an archive I reposted.

    I found out the IP address (it’s in England). I blocked the IP from my host, but that didn’t work. I at least changed the contents of the post the site is broadcasting and I contacted Google ads to let them know the site is plagiarizing.

    I am only savvy enough to add graphics. Will this plug-in help remedy this particular problem? This is the second time my site has been cloned or redirected. The first time the host took the site down ASAP. This time, I have had no response.

    If you have any suggestions, I would greatly appreciate them.

    The site that is stealing from me is:

    http://tv.
    const
    anata
    .com/open.php?url=http://www.kneedeepinthehooah.com/2009/03/03/talkin-bout-my-generation/&title=Talkin019%20019bout%20my%20generation%20-%20Knee%20Deep%20in%20the%20Hooah!
    

18. johny ~

    my web host tells me the following WP 2.71 core files and variables are a security risk, for exploits:

    index.php      $_SERVER[DOCUMENT_ROOT],page
    errors.php     $error
    

    what can be done?

19. LIA ~

    Hey, i uploaded the plugin to my blog, filled in the name and password and suddenly i cannot access my blog!!!!!
    An error message appears:

    Internal Server Error 500

    Please help me, I’m desperate!

20. FIRE Finance ~

    @Falcon
    Thanks for your tip. We too had lost access to our site. Resetting the .htaccess brought the site back.

21. Balisugar ~

    I need help. I think I have many SQL injections with strange url’s like:

    mysite. com/"http:/www.mysite.com/category/uncategorized/
    mysite. com/page/2/?url=spammers.we.bs%252Ftest.txt%253F%253F%253F
    mysite. com/2008/04/world-wide-food-crisis/\\
    

    I’ve tried to use: Denies any request for a url containing characters other than "a-zA-Z0-9.+/-?=&

    RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [A-Z0-9\.\+_/\-\?\=\&\%\#]+\ HTTP/ [NC]
    RewriteRule .* - [F,NS,L]
    

    It seems to help forbidding strange url’s, but I’m not sure about “may break your site depending on your links”
    What does that mean? I used that code in my .htaccess file for about a week but took it off because I felt that my links and my site in Google SERP were slowly decreasing.
    My question: Is that the effect or that code doesn’t affect incoming links?

    Also, I still can’t fix an injection like:

    mysite. com/?ref=www.spammers-www.spammers.com-www.spammers.com

    I read some article advising the blocking of bad query strings like this:

     RewriteCond %{QUERY_STRING} ftp\:   [NC,OR]
     RewriteCond %{QUERY_STRING} http\:  [NC,OR]
     RewriteCond %{QUERY_STRING} https\: [NC]
     RewriteRule .* -                    [F,L]
    

    But the next morning, I found a lot more strange url’s similar to those above. What can I do about this? I’m newbie with .htaccess. I don’t really know which one is the right one for my site.
    Thanks.

22. buys ~

    Hi,

    Are you still working on this plugin? (AAPP v4.7)

    Thanks

23. Mike ~

    I have very little understanding of PHP, and many of the terms you use are like a foreign language to me. I do understand though that you are making great leaps forward and things are going well for you! Keep up the great work, and good luck with future releases!

24. Miguel ~

    It was a db backup plugin who blocked me… it wasnt the .htaccess

25. AskApache ~

    @ nukeit

    Thanks for the props, but it really wasn’t as hard as it may sound. I just hacked together a bash shell script that downloaded each version, unpacked it, and also installed/built them, all autopilot baby. Because apache is open-source like wordpress, it was amazingly easy (since I know bash intimately). All I had to do was read the release notes for each version, (which took a few hours but was fascinating) then customize the configurations and ran the script. The hard part was definately in finding each module and each directive allowed in .htaccess files. And the plugin is of course the hardest part cuz I’m not a php wizard by any stretch, and using php to control and test apache through .htaccess files in combination with socket networking to enumerate modules, directives, and other apache capabilities has never been done before, by any proggramming language.

26. nukeit ~

    I can’t believe you compiled 50+ (rough count) versions of Apache! Thanks for your hard work on this great (and soon to be better) plugin. The WP community owes you a debt of gratitude for your excellent work.

27. Rei ~

    This is a very good plugin!!

    I’ll test this on my test site first.

    Oh btw if you are reading this.

    Make a plugin or so to protect the upload folder.(Which is set by default by wordpress as wp-content/uploads)

    Hacker are attempting hack my website with .htaccess files.

    AddHandler cgi-script .php .pp
    

    I chmod folder to 755 so i can remove all those hacker stuff.

    Chmodding the upload folder to 777 was a bad idea.The hack thingy won’t go away lol.

    You could email me if you want to see the .htaccess, .pp and the php file.

28. Mike ~

    Hey, Thanks for this RAD plug-in. I am, however, having a little trouble getting it running. It may be that I am using WP v 2.6.3, but I keep getting an errors that my htpass and htacc are not readable or writeable. I’ve given them the proper permissions, and the self-diag even gives me greens, but I still get the errors when I’m doing pass protect or trying to add modules. Any help or thoughts would be greatly appreciated. Thanks.

29. AF ~

    These seem like some very important modifications although I am worried about having some plugins defaulting as a result.

30. icubyx ~

    Hi,
    I have been searching for something like this since a client’s site got hacked. Works like a charm – not bot attacks anymore. But now my problem is getting in. The login / password as I remember entering it, won’t let me in. I tried to find the htaccess file through ftp, but can’t find it anywhere…What can I do to login or recover the password?
    Thanks

31. Dan Nedelko ~

    Hey there,

    I ran the tests and my server config failed so I couldn’t use it, but it looks like the site is delivering the following URL’s:

    /category/breaking-news/?nomo=true

    Which are not rewriting anything causing HTTP errors. Any advice on correcting this? Hope that’s a decent amount of information, I’m not the Apache whiz you are!

32. Dudditz ~

    loving it…
    Word of caution to those who host at GoDaddy.
    I found that they process new htaccess files and edits only once per hour
    which requires a serious wait time.
    Needless to say, I will be seeking a new host.

33. JTPratt ~

    awesome bunch of htaccess hacks – they work like a charm.

    my main problem is other blog link directly to my pics sometimes, like www.site.com/wp-content/images/mypic.jpg and such.

    Since this isn’t inclusion in their posts or pages it gets by the hotlinking filter. I mean, the referrer is my own domain, cause it comes up in a window from my site…but I don’t want people to see images like this directly (not in the context of a post or a page).

    How do I stop this?

    any help appreciated!

34. Dieter ~

    Have tried most of the setings with a live site and the rewrite stuff works so far on Apache 1.3.33 and Apache 2.2.xx.

    This never worked for me. I’ve tried it with all kinds of proxies, but no blocking at all.

    RewriteEngine On
    RewriteCond %{HTTP:VIA}                 !^$ [OR]
    RewriteCond %{HTTP:FORWARDED}           !^$ [OR]
    RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]
    RewriteCond %{HTTP:X_FORWARDED_FOR}     !^$ [OR]
    RewriteCond %{HTTP:PROXY_CONNECTION}    !^$ [OR]
    RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]
    RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
    RewriteCond %{HTTP:HTTP_CLIENT_IP}      !^$
    RewriteRule ^(.*)$ - [F]
    

    This:

    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
    RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteRule .* - [F,NS,L]
    

    ends up in a 404. I for myself would say this is not a good solution. Personally i use a php script to block proxies and WHAT I THINK IS VWERY IMPORTANT the tor network.

    This:

    #Protect wp-content
    #Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes
    #RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
    #RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
    #RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
    #RewriteRule .* - [F,NS,L]
    

    stops firestats working and i know a lot of people prefer firestats over google analytics.

    Sorry for asking, but for what is this ugly peace of rewrite:

    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP_USER_AGENT} ^.*(opera|mozilla|firefox|msie|safari).*$ [NC]
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.+/trackback/?\ HTTP/ [NC]
    RewriteRule .* - [F,NS,L]
    

    I use something like this:

    RewriteRule ^wp-trackback\.php.*$ - [F,L]
    

    -Dieter

35. Falcon1986 ~

    Thanks for posting the actual code that goes into the .htaccess file! Yesterday morning I implemented a few of the edits and my site was working just fine. However, upon revisiting my site in the afternoon I got an immediate 500 Internal Server error. I thought this was strange because the site was working fine after I applied the edits to my .htaccess file. My web host’s tech support had to go in and reset my .htaccess file for me to regain access. Now, I apply each of your edits one at a time before proceeding to the next so I can isolate the exact entry that causes the problem.

    Keep up the good work!

36. AskApache ~

    @ Marco

    Great idea, I’m working on it..

    @ Grant

    Yes you are right I apologize for the inconvenience, I have to reconfigure all my settings every upgrade as well. Until the code becomes more stable i.e. future-proofed I’m not going to implement that. Look for that feature in 4.5 in a week or 2.

    Also, as annoying as it may be to have to set everything up each upgrade, realize that each time you go through the settings you are actually learning a little bit more about what this plugin does and puts you more in control of your sites security.

37. Grant Barrett ~

    Every time I update the plugin, all my previous settings are wiped out. Is there a way to keep them? It forces me to redo my htaccess user/pass setting, as well as re-tick all the check boxes in the AA configuration page.

38. Marco ~

    Sounds great,

    could you please post a .htaccess example file generated by the plugin its maybe usefull for other CMS systems too.

    would be great.

    regards

39. jardel ~

    good!
    i wouldn’t use it due to some limitations, like user enabled wordpress andusing subdirectories and subdomains for some other things

    Your list of bad robots to block in htaccess resolves everything for me
    dude, my akismet doesn’t have spam for months!

Go for it!

Similar Reads

• New Version of Password Protection Plugin
• Adding Akismet Anti-Spam Protection Anywhere
• WordPress RewriteRules Viewer
• WordPress What Is This Plugin
• Update: AskApache Password Protect Plugin
• Updated: WordPress RewriteRules Viewer Plugin
• Crazy Cache WordPress Plugin Released
• AskApache Password Protection, For WordPress
• AskApache Debug Viewer Plugin for WordPress
• Log all .htaccess/.htpasswd logins
• Hack WP-Cache for Maximum Speed

• Feed for this Entry
• Trackback
• htaccess ssl

Tags: .htaccess plugin, 301 Redirect, 401, 403 Forbidden, admin, Advanced, Anti-Spam, Apache, askapache, ASP, Cache, Cookies, CSS, Dig, Email, errordocument, feed, FilesMatch, Firefox, GET, Hacking, hotlinking, Htaccess, htaccess files, htaccess rewrite, htaccess tricks, Htpasswd, HTTP Headers, httpd, HTTPS SSL, Login, mod_include, Mod_Rewrite, Mod_Security, Mod_Setenvif, password, PDF, PHP, Port, post, Redirect, Request Method, Rewrite Tricks, rewritecond, rewriterule, Security, server, servers, SetEnvIf, Source Code, SSI, stat, SymLinks, trick, WordPress,