Forum Topic: Protect the wp-content directory

Forum: .htaccess Forum : WordPress • Posted by Ralf Koller • Updated:

i’ve picked up the following idea in the post over here

http://thematosoup.com/wordpress-security-htaccess/

but i am uncertain to which extend that measure makes sense at all.

The author suggested to create a separate .htaccess file inside the wp-content folder. The suggested snippet looks like that:

order deny,allow
deny from all
<files ~ ".(xml|css|jpe?g|png|gif|js)">
allow from all
</files>

The first line got cut. i guess it’s simply <files> that it applies to all files recursively. But does it make sense to add that extra portion of protection at all? Best regards Ralf

14 Replies to “Protect the wp-content directory”

Posted by Jeff Starr

Normally XML, CSS, JPGs, and other files are allowed access throughout the site. The snippet you’ve posted seems explicitly to allow access, which implies that there is some other rules or method that is preventing access.

So to answer your question, that code is useless unless there is some other technique that, say, denies access to all files in the admin area. In that case, then whitelisting the image files makes sense.

For example, I’ve used similar code when using a maintenance redirect, to ensure that images and other key files are still visible while working on the site.

Posted by Ralf Koller •

that confirms the doubts i had. so no need to build it in. thanks a lot!

Posted by Danny Parr •

Hi Jeff,

This is exactly what I was looking for… I would like to prevent unauthenticated access to the wp-content/uploads directory for all other than those files essential to the website display (XML, CSS, JPGs etc where I can add as required).

Could you possibly cast your eye over this and critique, I am no expert on .htaccess (hence purchasing your book today :) ) and I’m sure my effort could be simplified somewhat.

If you can advise what in addition to the code below would be required in the .htaccess file to create the above described access i would be most grateful. I have the authentication bit in hand and working with the below OK.

I use this to stop me having to delete all the default files WordPress created every time you upgrade and protect the admin login.

I place this in the folder above the /public_html/ directory…

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/sites/mydomain.com/.htpasswd
require valid-user
</FilesMatch>

Options All -Indexes
<files .htaccess>
Order allow,deny
allow from 10.10.10.11,Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
<files license.txt>
Order allow,deny
Deny from all
</files>
<files install.php>
Order allow,deny
Deny from all
</files>
<files wp-config.php>
Order allow,deny
Deny from all
</files>
<files error_log>
Order allow,deny
Deny from all
</files>
<files fantastico_fileslist.txt>
Order allow,deny
Deny from all
</files>
<files fantversion.php>
Order allow,deny
Deny from all
</files>
<files wp-config-sample.php>
Order allow,deny
Deny from all
</files>
Posted by Jeff Starr

Hi Danny,

The code looks fine for the most part, but some notes to consider:

1) Protecting wp-login.php is good, but keep in mind it is just one file out of many that are involved with the Admin Area.

2) The .htaccess file should be protected by server configuration, so there may be no need for the explicit/extra protection.

3) An easier way of writing this would be something like:

RedirectMatch 403 /(error_log|fantastico_fileslist|fantversion|install|license|readme|wp-config|wp-config-sample)\.

If you try that technique, please test thoroughly!

Posted by Danny Parr •

Hi Jeff,

Thats great I’ll give that a try for sure, thank you for such a quick response.

Any thoughts on the part about preventing unauthenticated access to the wp-content/uploads directory for all other than those files essential to the website display (XML, CSS, JPGs etc where I can add as required)?

Please excuse my waffle, I’ll try and explain best I can below :)

I would like to stop people accessing certain file types in the ‘/public_html/wp-content/uploads’ directory a WordPress site however still allow the files to be written there.

Simply put I would like to restrict access to public reading a selection of file extensions (.doc, .rtf, .pdf, .xls, etc) without authentication. Or restrict access to the ‘/public_html/wp-content/uploads’ to just allow images and writing to it for other files, no reading other than those extensions or files I specify.

For example :-

I have a plugin form where you can submit an attachment, let’s say that is a Word Document file (but could be an .rtf, .pdf etc).

I would like the public to be able to complete the form and submit the Word Document to the ‘wp-uploads’ directory.

Once the file is there I want to block anyone accessing any .doc or .rtf or .pdf files unless they are authenticated by .htaccess password.

Thank you for your time and consideration.

Posted by Jeff Starr

Hey Danny,

Are any of my emails getting through? I’ve sent several emails from different accounts to different accounts, but haven’t heard back from any of them. If you can take the time to reply or let me know if you are not receiving them that would be great. Basically, USPS requires a phone number to ship internationally, so if you could send one (don’t post it in the forum) via email at https://perishablepress.com/contact/ that would be awesome. Once I can get the book shipped, I will be glad to respond to the previous posted question.

Thank you, and apologies for any inconvenience.

Posted by Danny Parr •

Hey Jeff,

No problem…,

Not seen any emails from you, sorry man, I’ll drop you an email now via https://perishablepress.com/contact/ and if you don not receive it in an hour please post back here and I’ll try another address.

Thank you

Any thoughts on my question, or was that in the email too :)

Posted by Jeff Starr

Thanks for the email, book ships today :)

Re: protecting the uploads directory with password protection – the following may work, added to the .htaccess file of the /uploads/ directory:

# password protect mulitple file types
<IfModule mod_auth.c>
 <FilesMatch "\.(inc|txt|log|dat|zip|rar)$">
  AuthName "Username and password required"
  AuthUserFile /home/path/.htpasswd
  Require valid-user
  AuthType Basic
 </FilesMatch>
</IfModule>

That will prevent access to any of the specified file types in the /uploads/ directory. Taken from my tutorial here:

https://perishablepress.com/htaccess-password-protection-tricks/

Posted by Danny Parr •

Thanks Jeff thats awesome as is your reply here… so if I wanted to flip that reverse and deny access to any files other than those specified (jpe?g|gif|css|png|xml|js|php|html) while still allowing the submission form to write to the folder would the following be correct? :-

# password protect everything except specified files and all write
<IfModule mod_auth.c>
 AuthName "Username and password required"
 AuthUserFile /home/path/.htpasswd
 Require valid-user
 AuthType Basic
 <FilesMatch "\.(jpe?g|gif|css|png|xml|js|php|html)$">
  Order Deny,Allow
  Deny from all
  Allow from localhost
  Satisfy any
 </FilesMatch>
</IfModule>

All the best.

Danny.

Posted by Danny Parr •

Ummm, neither appear to work Jeff… any thoughts sir? :)

Posted by Jeff Starr

Do you know if .htaccess is enabled in the directory? You can test by adding a file named text.txt and then the following rule to .htaccess:

RedirectMatch 403 text.txt

If that kicks in and you get an 403, then .htaccess is working. The next step would be to test the password-protection, and then lastly test that files can be allowed/denied by first checking one file.

Basically it’s a matter of troubleshooting, as with most things online :)

Posted by Danny Parr •

Cool, I’ll test this now, thank you :)

Posted by Danny Parr •

OK I found this works if I remove <IfModule mod_auth.c> however it is the inverse of what I really want as it means I have to guess every extension of file that may be uploaded.

What I’m really looking for is Password protection for everything except specific files

The inverse of this which does work :-

# password protect multiple file types
 <FilesMatch "\.(inc|txt|log|dat|zip|rar|doc|docx|pdf|rtf|xls|xlsx)$">
  AuthName "Username and password required"
  AuthUserFile /home/sites/mydomain.com/.htpass
  Require valid-user
  AuthType Basic
 </FilesMatch>

I just cannot get the inverse working it blocks everything…

Any ideas Jeff ;)

Password protection for everything except specific files which would be
jpe?g|gif|css|png|xml|js|php|html

Any help much appreciated.

Thank you.

Posted by Danny Parr •

Hi Jeff,

Any thoughts on the above post please? :)

Appreciate any advice you can help with.

Thank you.

Danny.