.htaccess Plugin Blocks Spam, Hackers, and Password Protects Blog

Sponsors

• Internet Domain Registration
• Apache Admin Group

Someone's Reading

• .htaccess Plugin Blocks Spam, Hackers, and Password Protects Blog
• .htaccess trick to show Alternate CSS file based on IP
• SEO Secrets of AskApache Part 2
• Serve External Javascript Files locally for Increased Speed
• COMPUTER SECURITY TOOLBOX
• Mod_Rewrite Variables Cheatsheet
• Online Tool compares Packer, JSMin, Dojo, and YUI Compressor
• New Version of Password Protection Plugin
• Pimp out your FeedBurner Count
• Notes from Apache HTTPD Source Code
• Elite Log File Scrolling with Color Syntax
• Preloading .flv and .mp3 files with Flash

Related Articles

• New Version of Password Protection Plugin
• Updated: WordPress RewriteRules Viewer Plugin

Most Popular 100

• Abbr and Acronym examples
• Speed Up Sites with htaccess Caching
• Undetectable Sniffing On Ethernet
• SEO with Robots.txt
• Custom PHP.ini tips and tricks
• htaccess rewrite, htaccess
• Sending POST form data with php CURL
• HTTP Status Codes and .htaccess ErrorDocuments
• .Htaccess rewrites, Mod_Rewrite Tricks and Tips

Newest Posts

• The Final Countdown – Mario Bros Style
• Make Windows XP Blazingly Fast
• Student under Criminal Investigation for Allegedly Sending Email

Random

• Search Engine Verify Plugin Updated
• Security with Apache htaccess Tutorial

The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect. Tim Berners-Lee

Reader Comments

1. Signatur says:

   05/29/2009 at 8:20 PM

   hi there,
   this plugin seems really good :)
   However, when i installed it and tested it i got
   the message that my server doesnt support authentication digest.

   is there anything i can do to change this?
   best , sarah
   Norway
2. Phil v. Sassen says:

   04/13/2009 at 9:05 PM

   Hi, I am not able to use your plugin. The initial test fails. The result for “/wp-admin/.htaccess file writable” is shown twice. One time with a red status and one time with a green status. How could this be?

   Best regards from Berlin – Germany, Phil

   PS:

   File Permission Tests
    
   If any of these checks fail this plugin will not work. Both your /.htaccess and /wp-admin/.htaccess files must be writable for this plugin, those are the only 2 files this plugin absolutely must be able to modify. If any of the other checks fail you will need to manually create a folder named askapache in your /wp-content/ folder and make it writable.
    
   [ ] /wp-admin/.htaccess file writable
   [ ] /wp-admin/.htaccess file writable
   [ ] /kunden/sassen.org/.htpasswda3 file writable
   [ ] Creating test folder
   [ ] Test folder writable
   [ ] Basic Auth htpasswd file writable
   [ ] Digest Auth htpasswd file writable
   [ ] .htaccess test file writable
3. Advanced Htaccess - SSI, ErrorDocuments, DirectoryIndexing SEO says:

   03/09/2009 at 4:03 AM

   [...] you are using some nice .htaccess rewrite rules to block offending bots, web scrapers, and other nefarious net characters. Instead of just [...]
4. AskApache says:

   03/08/2009 at 5:25 AM

   @fuzion

   Ya 2 things, first I have been swamped with work for the past like year, crazy swamped. But also I just learned how to write php classes and so I’ve been honing that skill (see the updated Google 404 Plugin) and getting a feel for it.

   Rest assured I’m still working on it, I just have to make sure it’s as good as I am telling you it is ;)
5. fuzion says:

   03/08/2009 at 1:13 AM

   So, how’s this coming along? I haven’t seen any new posts from you in a while… hope everything’s ok :)
6. AskApache says:

   03/05/2009 at 10:50 AM

   @claire

   The way he is accessing your website is the same way I would if I were to go visit. The difference is that he is doing it programmatically using some php file. The file could simply request the real page from your server masquerading as a normal request, and then he mirrors the download back off his server like a reverse proxy..

   This is a tough question as I’ve always been able to shut people down who tried doing it to me.. I did exactly what you did, I isolated his address by looking for time-correlations between the data they had and my servers access logs, blocked their whole country for a few weeks, and immediately told google about it.

   As long as Google and other companies know that they are still from you and you are legit, then something like this happening might actually help you in terms of SEO. Googlel really hates these people, so does everyone.

   The way I try to answer fun questions like this is I think about how easy it would be for me to steal your site and how much fun itd be to continue stealing your site no matter how much you tried to block me. And usually when I do that I think of a solution that would successfully stop me, but in this case I don’t know if I could stop me.. Very intriguing question I hope someone else can be more helpful.

   P.S. You could always post some identifying information about this person, IP or otherwise, some anonymous person might read about this and decide to help this person have a change of heart.
7. AskApache says:

   03/05/2009 at 10:30 AM

   @buys

   I haven’t stopped. I learned how to program sockets, learned how to program with classes and objects, and now my code won’t be so darn ugly.. its not always a good thing to code like a hacker, as in trying to develop this thing.

   So the end result is that is is one very very serious program, maybe even good enough to become standard with wordpress releases.. we’ll see. (I have several clients pushing me to death on other projects at the momemt.. so hopefully no later than 2 months?) ahh! When did it all slip away? 2 months???
8. Claire The Unclever says:

   03/04/2009 at 9:54 PM

   My website is being broadcast in a frame using some kind of script. The jerk doing this accessed it somehow through an archive I reposted.

   I found out the IP address (it’s in England). I blocked the IP from my host, but that didn’t work. I at least changed the contents of the post the site is broadcasting and I contacted Google ads to let them know the site is plagiarizing.

   I am only savvy enough to add graphics. Will this plug-in help remedy this particular problem? This is the second time my site has been cloned or redirected. The first time the host took the site down ASAP. This time, I have had no response.

   If you have any suggestions, I would greatly appreciate them.

   The site that is stealing from me is:

   http://tv.
   const
   anata
   .com/open.php?url=http://www.kneedeepinthehooah.com/2009/03/03/talkin-bout-my-generation/&title=Talkin019%20019bout%20my%20generation%20-%20Knee%20Deep%20in%20the%20Hooah!
9. johny says:

   03/04/2009 at 1:46 PM

   my web host tells me the following WP 2.71 core files and variables are a security risk, for exploits:

   index.php      $_SERVER[DOCUMENT_ROOT],page
   errors.php     $error

   what can be done?
10. LIA says:

    02/28/2009 at 5:46 PM

    Hey, i uploaded the plugin to my blog, filled in the name and password and suddenly i cannot access my blog!!!!!
    An error message appears:

    Internal Server Error 500

    Please help me, I’m desperate!
11. FIRE Finance says:

    01/28/2009 at 11:40 PM

    @Falcon
    Thanks for your tip. We too had lost access to our site. Resetting the .htaccess brought the site back.
12. Balisugar says:

    01/16/2009 at 7:53 AM

    I need help. I think I have many SQL injections with strange url’s like:

    mysite. com/"http:/www.mysite.com/category/uncategorized/
    mysite. com/page/2/?url=spammers.we.bs%252Ftest.txt%253F%253F%253F
    mysite. com/2008/04/world-wide-food-crisis/\\

    I’ve tried to use: Denies any request for a url containing characters other than "a-zA-Z0-9.+/-?=&

    RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [A-Z0-9\.\+_/\-\?\=\&\%\#]+\ HTTP/ [NC]
    RewriteRule .* - [F,NS,L]

    It seems to help forbidding strange url’s, but I’m not sure about “may break your site depending on your links”
    What does that mean? I used that code in my .htaccess file for about a week but took it off because I felt that my links and my site in Google SERP were slowly decreasing.
    My question: Is that the effect or that code doesn’t affect incoming links?

    Also, I still can’t fix an injection like:

    mysite. com/?ref=www.spammers-www.spammers.com-www.spammers.com

    I read some article advising the blocking of bad query strings like this:

     RewriteCond %{QUERY_STRING} ftp\:   [NC,OR]
     RewriteCond %{QUERY_STRING} http\:  [NC,OR]
     RewriteCond %{QUERY_STRING} https\: [NC]
     RewriteRule .* -                    [F,L]

    But the next morning, I found a lot more strange url’s similar to those above. What can I do about this? I’m newbie with .htaccess. I don’t really know which one is the right one for my site.
    Thanks.
13. buys says:

    01/11/2009 at 12:16 PM

    Hi,

    Are you still working on this plugin? (AAPP v4.7)

    Thanks
14. Mike says:

    12/30/2008 at 10:49 AM

    I have very little understanding of PHP, and many of the terms you use are like a foreign language to me. I do understand though that you are making great leaps forward and things are going well for you! Keep up the great work, and good luck with future releases!
15. Miguel says:

    12/22/2008 at 2:13 AM

    It was a db backup plugin who blocked me… it wasnt the .htaccess
16. AskApache says:

    11/22/2008 at 11:13 PM

    @ nukeit

    Thanks for the props, but it really wasn’t as hard as it may sound. I just hacked together a bash shell script that downloaded each version, unpacked it, and also installed/built them, all autopilot baby. Because apache is open-source like wordpress, it was amazingly easy (since I know bash intimately). All I had to do was read the release notes for each version, (which took a few hours but was fascinating) then customize the configurations and ran the script. The hard part was definately in finding each module and each directive allowed in .htaccess files. And the plugin is of course the hardest part cuz I’m not a php wizard by any stretch, and using php to control and test apache through .htaccess files in combination with socket networking to enumerate modules, directives, and other apache capabilities has never been done before, by any proggramming language.
17. nukeit says:

    11/22/2008 at 9:23 PM

    I can’t believe you compiled 50+ (rough count) versions of Apache! Thanks for your hard work on this great (and soon to be better) plugin. The WP community owes you a debt of gratitude for your excellent work.
18. Rei says:

    11/19/2008 at 2:12 AM

    This is a very good plugin!!

    I’ll test this on my test site first.

    Oh btw if you are reading this.

    Make a plugin or so to protect the upload folder.(Which is set by default by wordpress as wp-content/uploads)

    Hacker are attempting hack my website with .htaccess files.

    AddHandler cgi-script .php .pp

    I chmod folder to 755 so i can remove all those hacker stuff.

    Chmodding the upload folder to 777 was a bad idea.The hack thingy won’t go away lol.

    You could email me if you want to see the .htaccess, .pp and the php file.
19. Mike says:

    11/10/2008 at 4:03 PM

    Hey, Thanks for this RAD plug-in. I am, however, having a little trouble getting it running. It may be that I am using WP v 2.6.3, but I keep getting an errors that my htpass and htacc are not readable or writeable. I’ve given them the proper permissions, and the self-diag even gives me greens, but I still get the errors when I’m doing pass protect or trying to add modules. Any help or thoughts would be greatly appreciated. Thanks.
20. AF says:

    11/09/2008 at 2:55 AM

    These seem like some very important modifications although I am worried about having some plugins defaulting as a result.
21. icubyx says:

    09/22/2008 at 12:15 AM

    Hi,
    I have been searching for something like this since a client’s site got hacked. Works like a charm – not bot attacks anymore. But now my problem is getting in. The login / password as I remember entering it, won’t let me in. I tried to find the htaccess file through ftp, but can’t find it anywhere…What can I do to login or recover the password?
    Thanks
22. Dan Nedelko says:

    09/18/2008 at 12:58 PM

    Hey there,

    I ran the tests and my server config failed so I couldn’t use it, but it looks like the site is delivering the following URL’s:

    /category/breaking-news/?nomo=true

    Which are not rewriting anything causing HTTP errors. Any advice on correcting this? Hope that’s a decent amount of information, I’m not the Apache whiz you are!
23. Dudditz says:

    08/23/2008 at 1:14 PM

    loving it…
    Word of caution to those who host at GoDaddy.
    I found that they process new htaccess files and edits only once per hour
    which requires a serious wait time.
    Needless to say, I will be seeking a new host.
24. JTPratt says:

    08/21/2008 at 8:04 PM

    awesome bunch of htaccess hacks – they work like a charm.

    my main problem is other blog link directly to my pics sometimes, like http://www.site.com/wp-content/images/mypic.jpg and such.

    Since this isn’t inclusion in their posts or pages it gets by the hotlinking filter. I mean, the referrer is my own domain, cause it comes up in a window from my site…but I don’t want people to see images like this directly (not in the context of a post or a page).

    How do I stop this?

    any help appreciated!
25. Dieter says:

    08/03/2008 at 5:52 PM

    Have tried most of the setings with a live site and the rewrite stuff works so far on Apache 1.3.33 and Apache 2.2.xx.

    This never worked for me. I’ve tried it with all kinds of proxies, but no blocking at all.

    RewriteEngine On
    RewriteCond %{HTTP:VIA}                 !^$ [OR]
    RewriteCond %{HTTP:FORWARDED}           !^$ [OR]
    RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]
    RewriteCond %{HTTP:X_FORWARDED_FOR}     !^$ [OR]
    RewriteCond %{HTTP:PROXY_CONNECTION}    !^$ [OR]
    RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]
    RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
    RewriteCond %{HTTP:HTTP_CLIENT_IP}      !^$
    RewriteRule ^(.*)$ - [F]

    This:

    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
    RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteRule .* - [F,NS,L]

    ends up in a 404. I for myself would say this is not a good solution. Personally i use a php script to block proxies and WHAT I THINK IS VWERY IMPORTANT the tor network.

    This:

    #Protect wp-content
    #Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes
    #RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
    #RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
    #RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
    #RewriteRule .* - [F,NS,L]

    stops firestats working and i know a lot of people prefer firestats over google analytics.

    Sorry for asking, but for what is this ugly peace of rewrite:

    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP_USER_AGENT} ^.*(opera|mozilla|firefox|msie|safari).*$ [NC]
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.+/trackback/?\ HTTP/ [NC]
    RewriteRule .* - [F,NS,L]

    I use something like this:

    RewriteRule ^wp-trackback\.php.*$ - [F,L]

    -Dieter
26. Falcon1986 says:

    07/12/2008 at 10:35 AM

    Thanks for posting the actual code that goes into the .htaccess file! Yesterday morning I implemented a few of the edits and my site was working just fine. However, upon revisiting my site in the afternoon I got an immediate 500 Internal Server error. I thought this was strange because the site was working fine after I applied the edits to my .htaccess file. My web host’s tech support had to go in and reset my .htaccess file for me to regain access. Now, I apply each of your edits one at a time before proceeding to the next so I can isolate the exact entry that causes the problem.

    Keep up the good work!
27. AskApache says:

    07/11/2008 at 6:02 PM

    @ Marco

    Great idea, I’m working on it..

    @ Grant

    Yes you are right I apologize for the inconvenience, I have to reconfigure all my settings every upgrade as well. Until the code becomes more stable i.e. future-proofed I’m not going to implement that. Look for that feature in 4.5 in a week or 2.

    Also, as annoying as it may be to have to set everything up each upgrade, realize that each time you go through the settings you are actually learning a little bit more about what this plugin does and puts you more in control of your sites security.
28. Grant Barrett says:

    07/10/2008 at 9:53 AM

    Every time I update the plugin, all my previous settings are wiped out. Is there a way to keep them? It forces me to redo my htaccess user/pass setting, as well as re-tick all the check boxes in the AA configuration page.
29. Marco says:

    07/07/2008 at 3:36 AM

    Sounds great,

    could you please post a .htaccess example file generated by the plugin its maybe usefull for other CMS systems too.

    would be great.

    regards
30. jardel says:

    07/06/2008 at 10:15 PM

    good!
    i wouldn’t use it due to some limitations, like user enabled wordpress andusing subdirectories and subdomains for some other things

    Your list of bad robots to block in htaccess resolves everything for me
    dude, my akismet doesn’t have spam for months!

RSS feed for comments on this post.TrackBack URL

Add Your Opinion