
AskApache Password Protect Security Features


Brand New Features for 4.x

  1. Gzips the previous .htaccess file and sends it as an attachment to the logged-in user's email account, along with the password/user setup.
  2. Provides an AA_PP_DEBUG constant that you can set to 1 for verbose debugging.
  3. Now also works for sites running on SSL (PHP version >4.3.0).
  4. Rewrote the security module code in the form of Snort, Nessus, and mod_security rules and signatures.
  5. Added a *real* check to see if mod_rewrite is installed.
  6. Added modules that remove directory indexes.
  7. Added a module to require SSL (only enabled for SSL blogs, so you don't shoot yourself in the foot).
  8. Added a module that only allows certain REQUEST_METHOD values in the request.
  9. Much more on the way.

Example WordPress Generated .htaccess

Password Protecting wp-admin

# BEGIN AskApache PassPro
# sid900
AuthName "Protected By AskApache"
AuthUserFile /askapache.com/.htpasswda1
AuthType Basic
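Require valid-user

# Static assets are served without a password
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|css|js)$">
Allow from All
</FilesMatch>

# The uploader endpoint is also exempt from the password prompt
<Files async-upload.php>
Allow from All
</Files>
# Satisfy Any: access is granted if either the Allow rule or valid-user passes
Satisfy Any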
# sid900
# END AskApache PassPro

Blog root .htaccess

# BEGIN WordPress
<ifModule mod_rewrite.c>
RewriteEngine On
RewriteBase /blog/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]
</ifModule>
 
# END WordPress
 
# BEGIN AskApache PassPro
 
<ifModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
 
# sid1000
# Forbid (403) direct requests for .php files under wp-content
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /blog/wp-content/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
RewriteRule .* - [F,NS]
# sid1000
# sid1010
# Forbid (403) direct requests for .php files under wp-includes
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /blog/wp-includes/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
RewriteRule .* - [F,NS]
# sid1010
 
</ifModule>
 
# sid1005
# Require HTTP Basic authentication before the WordPress login page is served
<Files wp-login.php>
AuthName "Protected By AskApache"
AuthUserFile /askapache.com/.htpasswda1
AuthType Basic
Require valid-user
</Files>
# sid1005
 
# END AskApache PassPro

Testing Server for Encryption and .htaccess

SID .htaccess Security Modules

If you have any ideas for some more, please let us know!

| SID | Protection | Description | Response | Enable |
|---|---|---|---|---|
| 900 | wp-admin/*.* | Requires a valid user/pass to access any non-static (css, js, images) file in this directory | 401 | |
| 1000 | wp-content/*.php | Denies any direct request for files ending in .php with a 403 Forbidden | 401 | |
| 1005 | wp-login.php | Requires a valid user/pass to access the login page | 401 | |
| 1010 | wp-includes/*.php | Denies any direct request for files ending in .php with a 403 Forbidden | 403 | |
| 1015 | REQUEST_METHODS | Denies any request whose method is not GET, POST, OPTIONS, PUT, or HEAD | 403 | |
| 1025 | Directory Protection | Enable the DirectoryIndex Protection, preventing directory index listing | | Disable |
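
The generated files above contain no rules for SID 1015, SID 1025 or the require-SSL module from the feature list. The following is an added example of what such rules can look like in a blog root .htaccess; it is not output from the plugin, and every rule body is an assumption that only reuses the page's sid comment convention.

```apache
# Added example: constructed rules, not output from the AskApache plugin.

# sid1015: REQUEST_METHODS (assumed rule body)
# Return 403 for any method other than GET, POST, OPTIONS, PUT or HEAD.
# Deliberately not wrapped in <IfModule>: if mod_rewrite is missing, Apache
# answers 500 instead of silently skipping the restriction.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST|OPTIONS|PUT|HEAD)$
RewriteRule .* - [F,NS]
# sid1015

# sid1025: Directory Protection (assumed rule body)
# Turn off mod_autoindex listings for directories that have no index file.
# Needs "AllowOverride Options" (or All) in the server configuration.
Options -Indexes
# sid1025

# Require SSL (feature 7 in the list; the page gives no SID for it)
# mod_ssl answers 403 to any request that did not arrive over HTTPS.
# Wrapped in <IfModule> so a non-SSL blog is not locked out, which also
# means the rule is skipped without warning when mod_ssl is not loaded.
<IfModule mod_ssl.c>
SSLRequireSSL
</IfModule>
```

After deploying rules like these, request one URL per SID with a disallowed method, a bare directory path and plain HTTP, and compare the status codes with the Response column above.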

January 1st, 2008


Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. NCSA HTTPd.
UNIX ® is a registered Trademark of The Open Group. POSIX ® is a registered Trademark of The IEEE.
