FREE THOUGHT · FREE SOFTWARE · FREE WORLD

Home  »  WordPress  »  .htaccess Plugin Blocks Spam, Hackers, and Password Protects Blog

by 43 comments

.htaccess security plugin 2

Well what can I say, other than this is sooo DOPE! Here is a list of the modules this plugin (version 4.7 unreleased) will automatically detect. I compiled the list myself using every module included with any default Apache installation for ALL the versions listed below, 1.3 to 2.2+

Want to know something else I'm including in this plugin? For each and every module that is detected, this plugin can then detect ALL of the modules .htaccess Directives! For instance, RewriteRule, AccessFileName, AddHandler, etc.. are each a directive belonging to a module that is allowed to be used from within .htaccess files.

Talk about sick.. these tricks have the diamond disease!

Screenshot Unreleased 4.7

I've been making a lot of progress as these screenshots illustrate, including the ability to detect 100% accurately the modules that are enabled on your server. Big deal! you might say... "How does knowing the modules help?"

Well it just so happens that in addition to detecting which modules are loaded on your server, this plugin will also detect which Directives are enabled for each module that are allowed to be used from within your .htaccess file! Future release will provide the ability to explore the different .htaccess directives allowed by your server, so you can do all sorts of cool Apache .htaccess tricks to secure your blog and make it run better.

.htaccess security plugin 1
.htaccess security plugin 3
.htaccess security plugin 4

Apache Module Detection

Future releases of this plugin will also let you search for non-default modules, wild, beta, and others.

  • mod_access
  • mod_actions
  • mod_alias
  • mod_asis
  • mod_auth
  • mod_auth_anon
  • mod_auth_basic
  • mod_auth_dbm
  • mod_auth_digest
  • mod_auth_ldap
  • mod_authn_alias
  • mod_authn_anon
  • mod_authn_dbd
  • mod_authn_dbm
  • mod_authn_default
  • mod_authn_file
  • mod_authnz_ldap
  • mod_authz_dbm
  • mod_authz_default
  • mod_authz_groupfile
  • mod_authz_host
  • mod_authz_owner
  • mod_authz_user
  • mod_autoindex
  • mod_bucketeer
  • mod_cache
  • mod_case_filter
  • mod_case_filter_in
  • mod_cern_meta
  • mod_cgi
  • mod_cgid
  • mod_charset_lite
  • mod_dav
  • mod_dav_fs
  • mod_dav_lock
  • mod_dbd
  • mod_deflate
  • mod_dir
  • mod_disk_cache
  • mod_dumpio
  • mod_echo
  • mod_env
  • mod_example
  • mod_expires
  • mod_ext_filter
  • mod_file_cache
  • mod_filter
  • mod_headers
  • mod_ident
  • mod_imagemap
  • mod_imap
  • mod_include
  • mod_info
  • mod_isapi
  • mod_log_config
  • mod_log_forensic
  • mod_logio
  • mod_mem_cache
  • mod_mime
  • mod_mime_magic
  • mod_mycore
  • mod_negotiation
  • mod_netware
  • mod_nw_ssl
  • mod_optional_fn_export
  • mod_optional_fn_import
  • mod_optional_hook_export
  • mod_optional_hook_import
  • mod_proxy
  • mod_proxy_ajp
  • mod_proxy_balancer
  • mod_proxy_connect
  • mod_proxy_ftp
  • mod_proxy_http
  • mod_rewrite
  • mod_security
  • mod_setenvif
  • mod_so
  • mod_speling
  • mod_ssl
  • mod_status
  • mod_substitute
  • mod_suexec
  • mod_test
  • mod_unique_id
  • mod_userdir
  • mod_usertrack
  • mod_version
  • mod_vhost_alias
  • mod_win32

The original plugin page and description can be found here.

UPDATE: 11/22/08

To make a long story short, I downloaded each major release of the apache httpd source code from version 1.3.0 to version 2.2.10, then I configured and compiled each for a custom HTTPD installation built from source. This allowed me to find every directive allowed in .htaccess files for each particular version. YES!

http://wordpress.org/support/rss/topic/214390
I've been working on a completely improved version on/off for about a month with the specific goal of finally ending all the little errors that can crop up when dealing with .htaccess.To that effect I am succeeding marvelously, first I've converted the plugin to a class (4+5 compat), I've replaced my error_handling with WordPress's WP_Error class, and the coolest change is the new tests I've added.To make a long story short, I downloaded each major release of the apache httpd source code starting at version 1.3.0 and finishing with version 2.2.10, I then compiled each version and built a HTTPD from source for all the apache versions.1.3.0, 1.3.1, 1.3.11, 1.3.12, 1.3.14, 1.3.17, 1.3.19, 1.3.2, 1.3.20, 1.3.22, 1.3.23, 1.3.24, 1.3.27, 1.3.28, 1.3.29, 1.3.3, 1.3.31, 1.3.32, 1.3.33, 1.3.34, 1.3.35, 1.3.36, 1.3.37, 1.3.39, 1.3.4, 1.3.41, 1.3.6, 1.3.9, 2.0.35, 2.0.36, 2.0.39, 2.0.40, 2.0.42, 2.0.43, 2.0.44, 2.0.45, 2.0.46, 2.0.47, 2.0.48, 2.0.49, 2.0.50, 2.0.51, 2.0.52, 2.0.53, 2.0.54, 2.0.55, 2.0.58, 2.0.59, 2.0.61, 2.0.63, 2.1.3-beta, 2.1.6-alpha, 2.1.7-beta, 2.1.8-beta, 2.1.9-beta, 2.2.0, 2.2.10, 2.2.2, 2.2.3, 2.2.4, 2.2.6, 2.2.8, 2.2.9Then I went through each version and determined the compatible modules for that version, and I'm pretty confident that I was also able to find each and every directive allowed by the compatible modules for that version (including core directives). See .htaccess directive list.Basically I can now test a server using a variety of methods and determine almost 100% accurately what version of Apache (down to the API) is running, what modules (and versions) are enabled, and each and every directive that is allowed or disallowed for that version.So this is so awesome because now we can enable all sorts of additional security features.Other big changes are:
  • Completely hands-off updates, so that updating the plugin keeps all your settings.
  • making each SID module have its own configuration and options (like protecting individual files, individual request, and custom exploit strings).
  • Advanced ErrorDocument usage and handling (like tracking repeat offenders and suggesting they be blocked, emailing admin with custom info, etc..)
  • Multi User/Group password Control
And this time I am developing the plugin using a plethora of wordpress installations and configurations, to make sure that it will work regardless of a custom siteurl, blogid, etc..Release will come before 2009.. I have some vacations to take and business to finish first.

.htaccess Security Modules

Directory Protection

Enable the DirectoryIndex Protection, preventing directory index listings and defaulting. [Disable]

Options -Indexes
DirectoryIndex index.html index.php /index.php

Password Protect wp-login.php

Requires a valid user/pass to access the login page - *** Safe, Use [401]


Order Deny,Allow
Deny from All
Satisfy Any

AuthName "Protected By AskApache"
AuthUserFile /web/askapache.com/.htpasswda1
AuthType Basic
Require valid-user

Password Protect wp-admin

Requires a valid user/pass to access any non-static (css, js, images) file in this directory. - *** Safe, Use [401]

Options -ExecCGI -Indexes +FollowSymLinks -Includes
DirectoryIndex index.php /index.php

Order Deny,Allow

Deny from All
Satisfy Any

AuthName "Protected By AskApache"
AuthUserFile /web/askapache.com/.htpasswda1
AuthType Basic
Require valid-user


Allow from All




SecFilterEngine Off

Allow from All

Protect wp-content

Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes [401]

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js\.php$
RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
RewriteRule .* - [F,NS,L]

Protect wp-includes

Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes [403]

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /wp-includes/js/.+/.+ HTTP/ [NC]
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
RewriteRule .* - [F,NS,L]

Common Exploits

Block common exploit requests with 403 Forbidden. These can help alot, may break some plugins. [403]

RewriteCond %{REQUEST_URI} !^/(wp-login\.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.* HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*?=?(http|ftp|ssl|https):/.* HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*??.* HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).* HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).* HTTP/ [NC]
RewriteRule .* - [F,NS,L]

Stop Hotlinking

Denies any request for static files (images, css, etc) if referrer is not local site or empty. [403]

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login\.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.askapache\.com.*$ [NC]
RewriteRule \.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$ - [F,NS,L]

Safe Request Methods

Denies any request not using GET,PROPFIND,POST,OPTIONS,PUT,HEAD - *** Safe, Use [403]

RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
RewriteRule .* - [F,NS,L]

Forbid Proxies

Denies any POST Request using a Proxy Server. Can still access site, but not comment. See Perishable Press [403]

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login\.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

Real wp-comments-post.php

Denies any POST attempt made to a non-existing wp-comments-post.php - *** Safe, Use [403]

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.* HTTP/ [NC]
RewriteRule .* - [F,NS,L]

HTTP PROTOCOL

Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1 only - *** Safe, Use [403]

RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+ HTTP/(0\.9|1\.0|1\.1) [NC]
RewriteRule .* - [F,NS,L]

SPECIFY CHARACTERS

Denies any request for a url containing characters other than "a-zA-Z0-9.+/-?=&" - REALLY helps but may break your site depending on your links. [403]

RewriteCond %{REQUEST_URI} !^/(wp-login\.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.+_/-?=&]+ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

BAD Content Length

Denies any POST request that doesnt have a Content-Length Header - *** Safe, Use [403]

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Length} ^$
RewriteCond %{REQUEST_URI} !^/(wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

BAD Content Type

Denies any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data - *** Safe, Use [403]

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/form-data.*(boundary.*)?)$ [NC]
RewriteCond %{REQUEST_URI} !^/(wp-login\.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

Directory Traversal

Denies Requests containing ../ or ./. which is a directory traversal exploit attempt - *** Safe, Use [403]

PHPSESSID Cookie

Only blocks when a PHPSESSID cookie is sent by the user and it contains characters other than 0-9a-z - *** Safe, Use [403]

NO HOST:

Denies requests that dont contain a HTTP HOST Header. - *** Safe, Use [403]

RewriteCond %{REQUEST_URI} !^/(wp-login\.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{HTTP_HOST} ^$
RewriteRule .* - [F,NS,L]

Bogus Graphics Exploit

Denies obvious exploit using bogus graphics - *** Safe, Use [403]

RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
RewriteRule .* - [F,NS,L]

No UserAgent, No Post

Denies POST requests by blank user-agents. May prevent a small number of visitors from POSTING. [403]

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteCond %{REQUEST_URI} !^/(wp-login\.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

No Referer, No Comment

Denies any comment attempt with a blank HTTP_REFERER field, highly indicative of spam. May prevent some visitors from POSTING. [403]

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.* HTTP/ [NC]
RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule .* - [F,NS,L]

Trackback Spam

Denies obvious trackback spam. See Holy Shmoly! [403]

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^.*(opera|mozilla|firefox|msie|safari).*$ [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.+/trackback/? HTTP/ [NC]
RewriteRule .* - [F,NS,L]

SSL-Only Site

Redirects all non-SSL (https) requests to your https-enabled url [301]

Anti-Spam, Anti-Exploits

Denies Obvious Spam and uses advanced mod_security protection [Read More]

.htaccess Security Module Screenshot

Tags

November 22nd, 2008

Comments Welcome

  • jardel

    good!
    i wouldn't use it due to some limitations, like user enabled wordpress andusing subdirectories and subdomains for some other things

    Your list of bad robots to block in htaccess resolves everything for me
    dude, my akismet doesn't have spam for months!

  • Marco

    Sounds great,

    could you please post a .htaccess example file generated by the plugin its maybe usefull for other CMS systems too.

    would be great.

    regards

  • Grant Barrett

    Every time I update the plugin, all my previous settings are wiped out. Is there a way to keep them? It forces me to redo my htaccess user/pass setting, as well as re-tick all the check boxes in the AA configuration page.

  • AskApache

    @ Marco

    Great idea, I'm working on it..

    @ Grant

    Yes you are right I apologize for the inconvenience, I have to reconfigure all my settings every upgrade as well. Until the code becomes more stable i.e. future-proofed I'm not going to implement that. Look for that feature in 4.5 in a week or 2.

    Also, as annoying as it may be to have to set everything up each upgrade, realize that each time you go through the settings you are actually learning a little bit more about what this plugin does and puts you more in control of your sites security.

  • Falcon1986

    Thanks for posting the actual code that goes into the .htaccess file! Yesterday morning I implemented a few of the edits and my site was working just fine. However, upon revisiting my site in the afternoon I got an immediate 500 Internal Server error. I thought this was strange because the site was working fine after I applied the edits to my .htaccess file. My web host's tech support had to go in and reset my .htaccess file for me to regain access. Now, I apply each of your edits one at a time before proceeding to the next so I can isolate the exact entry that causes the problem.

    Keep up the good work!

  • Dieter

    Have tried most of the setings with a live site and the rewrite stuff works so far on Apache 1.3.33 and Apache 2.2.xx.

    This never worked for me. I've tried it with all kinds of proxies, but no blocking at all.

    RewriteEngine On
    RewriteCond %{HTTP:VIA}                 !^$ [OR]
    RewriteCond %{HTTP:FORWARDED}           !^$ [OR]
    RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]
    RewriteCond %{HTTP:X_FORWARDED_FOR}     !^$ [OR]
    RewriteCond %{HTTP:PROXY_CONNECTION}    !^$ [OR]
    RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]
    RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
    RewriteCond %{HTTP:HTTP_CLIENT_IP}      !^$
    RewriteRule ^(.*)$ - [F]

    This:

    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
    RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteRule .* - [F,NS,L]

    ends up in a 404. I for myself would say this is not a good solution. Personally i use a php script to block proxies and WHAT I THINK IS VWERY IMPORTANT the tor network.

    This:

    #Protect wp-content
    #Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes
    #RewriteCond %{THE_REQUEST} ^[A-Z]{3,9} /wp-content/.*$ [NC]
    #RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
    #RewriteCond %{REQUEST_FILENAME} ^.+.(php|html|htm|txt)$
    #RewriteRule .* - [F,NS,L]

    stops firestats working and i know a lot of people prefer firestats over google analytics.

    Sorry for asking, but for what is this ugly peace of rewrite:

    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP_USER_AGENT} ^.*(opera|mozilla|firefox|msie|safari).*$ [NC]
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9} /.+/trackback/? HTTP/ [NC]
    RewriteRule .* - [F,NS,L]

    I use something like this:

    RewriteRule ^wp-trackback.php.*$ - [F,L]

    -Dieter

  • JTPratt

    awesome bunch of htaccess hacks - they work like a charm.

    my main problem is other blog link directly to my pics sometimes, like www.site.com/wp-content/images/mypic.jpg and such.

    Since this isn't inclusion in their posts or pages it gets by the hotlinking filter. I mean, the referrer is my own domain, cause it comes up in a window from my site...but I don't want people to see images like this directly (not in the context of a post or a page).

    How do I stop this?

    any help appreciated!

    • icubyx

      Hi,
      I have been searching for something like this since a client's site got hacked. Works like a charm - not bot attacks anymore. But now my problem is getting in. The login / password as I remember entering it, won't let me in. I tried to find the htaccess file through ftp, but can't find it anywhere...What can I do to login or recover the password?
      Thanks

  • Dudditz

    loving it...
    Word of caution to those who host at GoDaddy.
    I found that they process new htaccess files and edits only once per hour
    which requires a serious wait time.
    Needless to say, I will be seeking a new host.

  • Dan Nedelko

    Hey there,

    I ran the tests and my server config failed so I couldn't use it, but it looks like the site is delivering the following URL's:

    /category/breaking-news/?nomo=true

    Which are not rewriting anything causing HTTP errors. Any advice on correcting this? Hope that's a decent amount of information, I'm not the Apache whiz you are!

  • AF

    These seem like some very important modifications although I am worried about having some plugins defaulting as a result.

  • Mike

    Hey, Thanks for this RAD plug-in. I am, however, having a little trouble getting it running. It may be that I am using WP v 2.6.3, but I keep getting an errors that my htpass and htacc are not readable or writeable. I've given them the proper permissions, and the self-diag even gives me greens, but I still get the errors when I'm doing pass protect or trying to add modules. Any help or thoughts would be greatly appreciated. Thanks.

  • Rei

    This is a very good plugin!!

    I'll test this on my test site first.

    Oh btw if you are reading this.

    Make a plugin or so to protect the upload folder.(Which is set by default by wordpress as wp-content/uploads)

    Hacker are attempting hack my website with .htaccess files.

    AddHandler cgi-script .php .pp

    I chmod folder to 755 so i can remove all those hacker stuff.

    Chmodding the upload folder to 777 was a bad idea.The hack thingy won't go away lol.

    You could email me if you want to see the .htaccess, .pp and the php file.

  • nukeit

    I can't believe you compiled 50+ (rough count) versions of Apache! Thanks for your hard work on this great (and soon to be better) plugin. The WP community owes you a debt of gratitude for your excellent work.

  • AskApache

    @ nukeit

    Thanks for the props, but it really wasn't as hard as it may sound. I just hacked together a bash shell script that downloaded each version, unpacked it, and also installed/built them, all autopilot baby. Because apache is open-source like wordpress, it was amazingly easy (since I know bash intimately). All I had to do was read the release notes for each version, (which took a few hours but was fascinating) then customize the configurations and ran the script. The hard part was definately in finding each module and each directive allowed in .htaccess files. And the plugin is of course the hardest part cuz I'm not a php wizard by any stretch, and using php to control and test apache through .htaccess files in combination with socket networking to enumerate modules, directives, and other apache capabilities has never been done before, by any proggramming language.

  • Miguel

    It was a db backup plugin who blocked me... it wasnt the .htaccess

  • Mike

    I have very little understanding of PHP, and many of the terms you use are like a foreign language to me. I do understand though that you are making great leaps forward and things are going well for you! Keep up the great work, and good luck with future releases!

  • buys

    Hi,

    Are you still working on this plugin? (AAPP v4.7)

    Thanks

  • Balisugar

    I need help. I think I have many SQL injections with strange url's like:

    mysite. com/"http:/www.mysite.com/category/uncategorized/
    mysite. com/page/2/?url=spammers.we.bs%252Ftest.txt%253F%253F%253F
    mysite. com/2008/04/world-wide-food-crisis/

    I've tried to use: Denies any request for a url containing characters other than "a-zA-Z0-9.+/-?=&

    RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteCond %{THE_REQUEST} !^[A-Z]{3,9} [A-Z0-9.+_/-?=&%#]+ HTTP/ [NC]
    RewriteRule .* - [F,NS,L]

    It seems to help forbidding strange url's, but I'm not sure about "may break your site depending on your links"
    What does that mean? I used that code in my .htaccess file for about a week but took it off because I felt that my links and my site in Google SERP were slowly decreasing.
    My question: Is that the effect or that code doesn't affect incoming links?

    Also, I still can't fix an injection like:

    mysite. com/?ref=www.spammers-www.spammers.com-www.spammers.com

    I read some article advising the blocking of bad query strings like this:

     RewriteCond %{QUERY_STRING} ftp:   [NC,OR]
     RewriteCond %{QUERY_STRING} http:  [NC,OR]
     RewriteCond %{QUERY_STRING} https: [NC]
     RewriteRule .* -                    [F,L]

    But the next morning, I found a lot more strange url's similar to those above. What can I do about this? I'm newbie with .htaccess. I don't really know which one is the right one for my site.
    Thanks.

  • FIRE Finance

    @Falcon
    Thanks for your tip. We too had lost access to our site. Resetting the .htaccess brought the site back.

  • LIA

    Hey, i uploaded the plugin to my blog, filled in the name and password and suddenly i cannot access my blog!!!!!
    An error message appears:

    Internal Server Error 500

    Please help me, I'm desperate!

  • Claire The Unclever

    My website is being broadcast in a frame using some kind of script. The jerk doing this accessed it somehow through an archive I reposted.

    I found out the IP address (it's in England). I blocked the IP from my host, but that didn't work. I at least changed the contents of the post the site is broadcasting and I contacted Google ads to let them know the site is plagiarizing.

    I am only savvy enough to add graphics. Will this plug-in help remedy this particular problem? This is the second time my site has been cloned or redirected. The first time the host took the site down ASAP. This time, I have had no response.

    If you have any suggestions, I would greatly appreciate them.

    The site that is stealing from me is:

    http://tv.
    const
    anata
    .com/open.php?url=http://www.kneedeepinthehooah.com/2009/03/03/talkin-bout-my-generation/&title=Talkin019%20019bout%20my%20generation%20-%20Knee%20Deep%20in%20the%20Hooah!
  • AskApache

    @buys

    I haven't stopped. I learned how to program sockets, learned how to program with classes and objects, and now my code won't be so darn ugly.. its not always a good thing to code like a hacker, as in trying to develop this thing.

    So the end result is that is is one very very serious program, maybe even good enough to become standard with wordpress releases.. we'll see. (I have several clients pushing me to death on other projects at the momemt.. so hopefully no later than 2 months?) ahh! When did it all slip away? 2 months???

  • AskApache

    @claire

    The way he is accessing your website is the same way I would if I were to go visit. The difference is that he is doing it programmatically using some php file. The file could simply request the real page from your server masquerading as a normal request, and then he mirrors the download back off his server like a reverse proxy..

    This is a tough question as I've always been able to shut people down who tried doing it to me.. I did exactly what you did, I isolated his address by looking for time-correlations between the data they had and my servers access logs, blocked their whole country for a few weeks, and immediately told google about it.

    As long as Google and other companies know that they are still from you and you are legit, then something like this happening might actually help you in terms of SEO. Googlel really hates these people, so does everyone.

    The way I try to answer fun questions like this is I think about how easy it would be for me to steal your site and how much fun itd be to continue stealing your site no matter how much you tried to block me. And usually when I do that I think of a solution that would successfully stop me, but in this case I don't know if I could stop me.. Very intriguing question I hope someone else can be more helpful.

    P.S. You could always post some identifying information about this person, IP or otherwise, some anonymous person might read about this and decide to help this person have a change of heart.

  • fuzion

    So, how's this coming along? I haven't seen any new posts from you in a while... hope everything's ok :)

  • AskApache

    @fuzion

    Ya 2 things, first I have been swamped with work for the past like year, crazy swamped. But also I just learned how to write php classes and so I've been honing that skill (see the updated Google 404 Plugin) and getting a feel for it.

    Rest assured I'm still working on it, I just have to make sure it's as good as I am telling you it is ;)

  • Phil v. Sassen

    Hi, I am not able to use your plugin. The initial test fails. The result for "/wp-admin/.htaccess file writable" is shown twice. One time with a red status and one time with a green status. How could this be?

    Best regards from Berlin - Germany, Phil

    PS:

    File Permission Tests
     
    If any of these checks fail this plugin will not work. Both your /.htaccess and /wp-admin/.htaccess files must be writable for this plugin, those are the only 2 files this plugin absolutely must be able to modify. If any of the other checks fail you will need to manually create a folder named askapache in your /wp-content/ folder and make it writable.
     
    [ ] /wp-admin/.htaccess file writable
    [ ] /wp-admin/.htaccess file writable
    [ ] /kunden/sassen.org/.htpasswda3 file writable
    [ ] Creating test folder
    [ ] Test folder writable
    [ ] Basic Auth htpasswd file writable
    [ ] Digest Auth htpasswd file writable
    [ ] .htaccess test file writable
  • Signatur

    hi there,
    this plugin seems really good :)
    However, when i installed it and tested it i got
    the message that my server doesnt support authentication digest.

    is there anything i can do to change this?
    best , sarah
    Norway

  • Ron

    Hi, thanks for a great looking plugin.

    I'm having problems however and I'm receiving this in the testing phase:

    'Bummer... you don't have digest capabilities.'

    and this is stopping the plugin from working.

    What would cause this, and is it something I can do, or do I have to get onto my web host?

    Thanks for any help with this.

  • AskApache
  • Robert Nelson

    Installed plug-in, ran tests, activated first two items on your plug-ins set up page, now I can't access Wp-admin. Tried going to my cpanel and deleting everything in your plug-in. No help. I still can't access my wp-admin. How to solve?

  • gon

    hi! this pluging seems to be great but

    im having a ERROR: Failed to create /web/user/.htpasswda3

    my .htaccess is writable but i have a red box in
    Digest Authentication Attempt and
    2nd Digest Authentication Attempt

    it may be the reason of my first error.

    can i ask how to solve this?

  • SleeplessinDC

    I got the same error about the .htpasswda3. I looked at my files and it had been created but it had zero contents. I went back to the section below that error message and decided to click on the first module for Password Protect wp-login.php

    That made the error message go away. In its place was a yellow box with the code that had been written to the .htaccess file.

  • SleeplessinDC

    The plugin is a great idea and I'd like to get it to work. Even though I solved the mystery of the .htpasswda3 file, I am having problems with the plugin. Is it possible to run this plugin when WordPress is in a subdirectory of a regular HTML site that doesn't require a logon to use?

    In the tests, I put the absolute URL for where the blog is. The wording for this field is confusing. It says one or two URIs in the same space that require the same authname, username, and password. My site is not set up that way. A separate username and password is used for the blog. It is not the same as the FTP logon for the main site because I only want authors and contributors to the blog to have access to the blog and not the whole site.

    Although I set the field pointing to the blog in the subdirectory, the .htpasswda3 file was created outside the blog directory. Assuming that most people will be working with a standalone WordPress installation, the .htpasswda3 file would normally be created in the root of the WordPress files. So I moved the file that was made outside the WordPress directory and put it into the WP root. Then I ran the test again and specified that link for the .htpasswda3 file in the WordPress directory.

    I activated Password Protect wp-login.php and wp-admin. Then I tried to go to my blog and I keep getting an Authentication Required window that says: A username and password are being requested by http://www.domain.name. The site says: "Protected By AskApache" I've tried entering the FTP logon info but that isn't accepted and I even tried the blog logon info even though the blog is not at that level. But nothing is accepted.

    In addition, all the CSS styling for both the main site and the WordPress site is not being used. How would this plugin affect that?

    I am hoping that this plugin will allow me to protect the WordPress directory, wp-login, and wp-admin from unwanted users and allow multiple registered authors, editors, and contributors to log on with a password. I'm going to remove the plugin until someone can tell me how to make it work with WordPress in a subdirectory. I am using WordPress 2.8.5.

  • SleeplessinDC

    It would be nice if you allowed the dates to show in these comments so we don't waste our time looking at out of date problems and to be able to know what order they are in.

    I'm not sure if this comment is even going to get posted because I wrote an answer to gon and it hasn't appeared. Then I wrote a separate comment about problems I'm having and what steps I took. It was long and detailed. As soon as I clicked on the "Add Your Opinion" button, I got a page saying Firefox couldn't find this page or the comment. The Back button didn't get me back to the comments--everything is gone.

    Without dates below, I have no way of knowing whether these are from 2005 or more recent. Is the developer still looking at the comments and working on solutions?

  • Eddie

    I've moved my .htaccess file from the wordpress directory to the directory below it (so that I can access my wp install through www.domain.com instead of www.domain.com/wordpress). Ask Apache doesn't work for me in this case, it's getting a lot of the directory setting wrong in the test (as seen from the verbose output). Any tips?

    Eddie

  • RWW

    July 12, 2010

    I'm trying to set up AskApache, but the radio buttons for Authentication Scheme and Encryption Preferences are greyed out. If I save the settings anyway, the .htpasswda3 file gets created, but there is no password information in it.

    How do I resolve this?

  • Vic

    I just install it on some of my new blogs. I know that this security plugin, together with having a solid password and regular backups, will help my blogs to be secured. I will be back here, if I will encounter issues. Thanks for sharing this plugin.

  • Vic

    Got it installed on my site. But a minute later, I cannot access my site anymore. But it can be solved by restoring your .htaccess files. I have removed the code it inserted.

  • Steve

    I'm close to using this module after making some apache/php changes, however, one small issue persists. The test script says the Digest Authentication Attempt and 2nd attempt failed, although mod_auth_digest is installed. This is in the apache error log:

    [Fri Oct 15 19:09:24 2010] [crit] [client 216.xxx.xxx.xx] configuration error: couldn't check user. No user file?: /wp-content/askapache/authdigestfile_test.gif, referer: http://www.askapache.com

    Any thoughts on how to resolve?

    • MIchael

      Hi, I'm, sure you are very busy. Was wondering estimated release date of 4.7?

      • AskApache

        @Michael ~

        Honestly I am incredibly busy. Really can't get any free time for this..

  • CSD

    I don't have an .htaccess file. This plugin has completely screwed my site. Thanks....


Related Articles


My Online Tools
Popular Articles


Hacking and Hackers

The use of "hacker" to mean "security breaker" is a confusion on the part of the mass media. We hackers refuse to recognize that meaning, and continue using the word to mean someone who loves to program, someone who enjoys playful cleverness, or the combination of the two. See my article, On Hacking.
-- Richard M. Stallman









[hide]

It's very simple - you read the protocol and write the code. -Bill Joy

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. NCSA HTTPd.
UNIX ® is a registered Trademark of The Open Group. POSIX ® is a registered Trademark of The IEEE.

+Askapache | askapache

Site Map | Contact Webmaster | License and Disclaimer | Terms of Service

↑ TOPMain