Advanced .htaccess Tips

.htaccess is the default name of an optional per-directory configuration file for the Apache web server. It accepts most directives that would otherwise go into the main server configuration, including those of modules such as mod_rewrite (htaccess rewrites), mod_alias (htaccess redirects) and mod_ssl (controlling SSL connections), as long as the server's AllowOverride setting permits them.
The file is usually present in the document root; WordPress, for example, uses it to enable its "friendly URL" permalink structure.
You can create a .htaccess file in any folder to add restrictions specific to that folder (and all of its sub-folders).
Before making any changes – back up the current .htaccess file!

## Disable the Server Signature ##
ServerSignature Off

## Disable directory browsing – causes a 500 Internal Server Error if AllowOverride does not permit Options in .htaccess, or if "All" is mixed with "-Indexes" (Apache rejects mixed forms) ##
Options -Indexes

Protecting specific folders: create a .htaccess in the folder concerned.
## Disable PHP in a folder and all its subfolders – use where „777“ permissions are required (e.g. /uploads/) ##
# Only applies to mod_php; PHP 7 registers as mod_php7.c, and under PHP-FPM/CGI php_flag has no effect,
# so prefer the FilesMatch rule below in those setups.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
Alternatively, deny the executable file types by extension (extend the list to any other extension your server maps to PHP, such as .phtml; on Apache 2.4 without mod_access_compat, "Deny from All" becomes "Require all denied"):
## Secure /uploads/ directory from unwanted file types ##
<FilesMatch "\.(php|php3|php4|php5|sh)$">
  Deny from All
</FilesMatch>

## Allow access only from specific IP address(es) – Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require ip x.x.x.x" ##
Order deny,allow
Deny from all
Allow from x.x.x.x
If you use this to protect the /wp-admin/ directory, add the following so that the front end can still reach the files it needs (admin-ajax.php for comments and the like):
<FilesMatch "^(admin-ajax|misc|profile|users)\.php$">
    Order allow,deny
    Allow from all
    Satisfy any
</FilesMatch>
Block referrer spam (you'll see these clogging your analytics traffic). Note that this only helps against spammers that actually request pages from your server; "ghost" referrals injected directly into your analytics account never reach .htaccess. The domain list below is a snapshot and needs maintaining.
## Block referrer spam such as Semalt ##
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https?://.*youtubedownload\.org/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*softomix\.ru/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*zazagames\.org/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*vapmedia\.org/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*soundfrost\.org/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*joingames\.org/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*videofrost\.net/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*softomix\.net/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*feedouble\.net/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*backgroundpictures\.net/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*joinandplay\.me/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*videofrost\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*srecorder\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*softomix\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*openmediasoft\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*openfrost\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*myprintscreen\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*musicprojectfoundation\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*feedouble\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*fbfreegifts\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*extener\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*embedle\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*savetubevideo\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*kambasoft\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*buttons-for-website\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*7makemoneyonline\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*darodar\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*semalt\.com/ [NC]
RewriteRule ^(.*)$ - [F,L]
Stop spammers from automatically posting spam comments on your blog (this is a nuisance filter: the Referer and User-Agent headers are supplied by the client, so it stops only bots that do not bother to set them):
## Block WordPress spam – no direct access to the comment handler – change yourdomain.com below ##
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !.*yourdomain\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]

Trap almost all bots trying to hack your site.

First, set a cookie for anybody requesting resources.
RewriteEngine On
# If they are requesting resources (theme CSS, images), they're probably not bots.
# The CO lifetime is given in minutes, so 86400 keeps the cookie for 60 days.
RewriteCond %{REQUEST_FILENAME} (mytheme\.css|\.jpg)$ [NC]
RewriteRule .* - [L,CO=human:abides:%{HTTP_HOST}:86400]
Second, check incoming POSTs for that cookie; if it is missing, the client most likely never rendered a page and is probably a bot. Be aware that this also rejects legitimate clients that never fetch those resources, such as XML-RPC or REST API clients and mobile apps.
# Check if this is a POST; if so, the human cookie must be set.
# If the bots don't abide, they get a 403 for their POST.
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_COOKIE} !^.*human.*$ [NC]
RewriteRule .* - [F]
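The comment-handler check and the two-step cookie trap above are easiest to reason about by replaying them against sample requests. The following Python script is an added example, not code from the original page: it re-implements both rule sets with the same regular expressions on a constructed request object (field names mirror REQUEST_METHOD, REQUEST_URI, HTTP_REFERER, HTTP_USER_AGENT and HTTP_COOKIE; yourdomain.com is the page's placeholder) and runs constructed requests through them. It shows the two things to know before deploying these rules: the Referer test is a plain substring match, so it does not prove the form was loaded from your site, and the cookie trap also rejects clients that never fetch theme resources.

```python
import re
from dataclasses import dataclass
from typing import Optional

SITE_DOMAIN = "yourdomain.com"  # placeholder value, as on the page


@dataclass
class Request:
    """Constructed stand-in for the mod_rewrite variables the rules read."""
    method: str
    uri: str
    referer: str = ""      # %{HTTP_REFERER}
    user_agent: str = ""   # %{HTTP_USER_AGENT}
    cookie: str = ""       # %{HTTP_COOKIE}


def comment_spam_blocked(req: Request, site_domain: str = SITE_DOMAIN) -> bool:
    """'No direct access to comments' block: POST to wp-comments-post.php
    AND (Referer does not contain our domain OR User-Agent is empty)."""
    if req.method != "POST":
        return False
    if not re.search(r"/wp-comments-post\.php$", req.uri):
        return False
    # RewriteCond %{HTTP_REFERER} !.*yourdomain\.com.*  -- a substring test, nothing more
    referer_mentions_site = re.search(".*" + re.escape(site_domain) + ".*", req.referer) is not None
    # RewriteCond %{HTTP_USER_AGENT} ^$
    ua_empty = re.search(r"^$", req.user_agent) is not None
    return (not referer_mentions_site) or ua_empty


def human_cookie_for(req: Request) -> Optional[str]:
    """Bot trap, step one: a request for the theme CSS or a JPEG earns the
    cookie that RewriteRule ... [CO=human:abides:...] would set."""
    if re.search(r"(mytheme\.css|\.jpg)$", req.uri, re.I):
        return "human=abides"
    return None


def bot_trap_blocked(req: Request) -> bool:
    """Bot trap, step two: a POST whose Cookie header lacks 'human' gets a 403."""
    if req.method != "POST":
        return False
    return re.search(r"^.*human.*$", req.cookie, re.I) is None


def decide(req: Request) -> str:
    """Outcome in the order Apache reaches the rules in this file."""
    if comment_spam_blocked(req):
        return "301 redirect to the client's own IP (comment spam rule)"
    if bot_trap_blocked(req):
        return "403 (bot trap)"
    return "allowed"


# Constructed sample traffic (not captured from a real server).
SAMPLES = {
    "browser fetching theme css": Request("GET", "/wp-content/themes/mytheme/mytheme.css"),
    "browser comment": Request("POST", "/wp-comments-post.php",
                               referer="https://yourdomain.com/hello-world/",
                               user_agent="Mozilla/5.0", cookie="human=abides"),
    "bot, no referer": Request("POST", "/wp-comments-post.php", user_agent="Mozilla/5.0"),
    "bot, empty UA": Request("POST", "/wp-comments-post.php",
                             referer="https://yourdomain.com/hello-world/"),
    "bot, referer merely mentions the site": Request("POST", "/wp-comments-post.php",
                                                     referer="http://other.example/?ref=yourdomain.com",
                                                     user_agent="Mozilla/5.0"),
    "xml-rpc client (legitimate, no cookie)": Request("POST", "/xmlrpc.php", user_agent="WordPress/6.0"),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        cookie = human_cookie_for(req)
        print(f"{label:42} -> {decide(req)}" + (f" (sets {cookie})" if cookie else ""))
```

The "referer merely mentions the site" case passes the comment rule but is still caught by the cookie trap, which is why the two are worth combining; the XML-RPC case shows the price of the trap, so scope it to the comment handler or login page if you rely on such clients.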
# Block most proxies. Most hackers / spammers use proxies.
# You might want to only use this on restricted resources (logins, comments) – as this will also block
# Note: %{HTTP:name} looks up the request header called "name", so the real header names are used below
# (Via, X-Forwarded-For, ...); the HTTP_VIA style names that often circulate are CGI variable names and never match.
# If your site sits behind a CDN or load balancer, every request carries X-Forwarded-For and this rule set blocks everyone.
RewriteEngine On
RewriteCond %{HTTP:Via}               !^$ [OR]
RewriteCond %{HTTP:X-Forwarded-For}   !^$ [OR]
RewriteCond %{HTTP:Forwarded-For}     !^$ [OR]
RewriteCond %{HTTP:X-Forwarded}       !^$ [OR]
RewriteCond %{HTTP:Forwarded}         !^$ [OR]
RewriteCond %{HTTP:Client-IP}         !^$ [OR]
RewriteCond %{HTTP:Forwarded-For-IP}  !^$ [OR]
RewriteCond %{HTTP:Proxy-Connection}  !^$
RewriteRule ^(.*)$ - [F]
Block the most common attack patterns used to compromise your site. A pattern blocklist like this cuts down the noise from automated scanners but is no substitute for keeping software patched, and it does produce false positives (see the comments).
## BLOCK COMMON QUERY STRING EXPLOITS ##
RewriteEngine On
# Do not allow User-Agent strings containing specific robot (crawler) identifiers
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner|jce|ukrain).* [NC,OR]
# Do not allow User-Agent strings containing references to specific crawler libraries
# (this also blocks legitimate curl/wget/python clients such as uptime monitors)
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan|wbsearchbot).* [NC,OR]
# A space inside a pattern must be escaped as "\ ", otherwise Apache reads the text after it as the flags argument
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} /\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
# Dots must be escaped: an unescaped (../|..) matches any two characters and would block every query string
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
# The following 2 commands can cause problems with some thumbnail generators (and any plugin that passes a URL as a parameter)
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(ht|f)tp:// [OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*embed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*object.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*iframe.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\.\./|\.\.\./)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1|mosconfig|scanner) [NC,OR]
# Block SQL statements in the query string (note: the first line also rejects an apostrophe in any parameter, e.g. a search for O'Brien)
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00|%2527) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
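Before pasting a list like this into production it pays to see what it actually matches. The following Python harness is an added example, not part of the original page: it replays a subset of the QUERY_STRING conditions above, in their escaped form and in the same top-down order Apache evaluates an [OR] chain, against constructed query strings. The rule names and the sample strings are my own; Apache compiles these patterns with PCRE, and for the constructs used here Python's re behaves identically. The output shows which samples the chain stops and which ordinary requests it also rejects (an apostrophe in a search term, a thumbnail generator passed an image URL, exactly the case the page's own comment warns about).

```python
import re
from typing import Dict, Iterable, Optional

# Subset of the page's QUERY_STRING conditions, escaped, in evaluation order.
# Apache walks the [OR] chain top down; the first condition that is true is
# enough for the final RewriteRule to return 403.
QUERY_STRING_RULES = [
    ("directory traversal", re.compile(r"(\.\./|\.\.)")),
    ("remote URL in a parameter", re.compile(r"[a-zA-Z0-9_]=(ht|f)tp://")),
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.I)),
    ("base64 call", re.compile(r"base64_(en|de)code[^(]*\([^)]*\)", re.I)),
    ("GLOBALS override", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("quote or angle bracket", re.compile(r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00|%2527)", re.I)),
    ("UNION SELECT", re.compile(r"union([^s]*s)+elect", re.I)),
]


def first_match(query_string: str) -> Optional[str]:
    """Name of the first rule that fires for this raw (still URL-encoded,
    as in %{QUERY_STRING}) query string, or None if the request passes."""
    for name, pattern in QUERY_STRING_RULES:
        if pattern.search(query_string):
            return name
    return None


def audit(samples: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each query string to the rule that blocks it (None = allowed)."""
    return {qs: first_match(qs) for qs in samples}


# Constructed samples. The first group should pass, the second should be
# blocked, the third is legitimate traffic that this rule set also blocks.
BENIGN = ["p=123", "s=hello+world", "cat=5&orderby=date"]
ATTACKS = [
    "file=../../etc/passwd",
    "s=union+select+1,2",
    "redirect=%3Cscript%3Ealert(1)%3C/script%3E",
]
FALSE_POSITIVES = ["s=O%27Brien", "src=http://cdn.example/img.jpg&w=100"]

if __name__ == "__main__":
    for group, samples in (("benign", BENIGN), ("attack", ATTACKS), ("false positive", FALSE_POSITIVES)):
        for qs, rule in audit(samples).items():
            print(f"{group:15} {qs:45} -> {rule or 'allowed'}")
```

Run it after editing the list: any benign sample that stops reporting "allowed" tells you which condition to relax, and you can add your own site's real query strings (from the access log) to BENIGN to measure the false-positive rate before the rules go live.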
Having secured your server, you still need to stay vigilant and follow basic security procedures:
Apply all UPDATES!!
Use STRONG passwords and don't reuse them!
Regularly create backups.
If you are not sure whether your server has been hacked, use a free malware scanner to check:
PS: If you are using an nginx server rather than Apache, use this site to convert htaccess commands into nginx-compatible commands – http://winginx.com/en/htaccess