Forum Topic: Protecting Plugins

Forum: .htaccess Forum : WordPress • Posted by Leon Fernandez • Updated:

I noticed that the Akismet plugin protects access to its folder and only allows access to js, css, gif and png files with an htaccess file of its own invoking mod_authz_core module.

Would it be of good practice to apply the same rules for every individual plugin installed in the /plugins/ directory?

2 Replies to “Protecting Plugins”

Posted by Jeff Starr

I wouldn’t try to generalize, it really depends on access, plugin functionality, scope, intended users, environment, and so forth. Plugins utilize a lot of WP functionality to accomplish a wide range of tasks. Umbrella policy just not advisable, rather take it on a case-by-case basis, proceed with caution, and test earnestly.

Posted by Leon Fernandez •

Hi, sorry to get back on this after several weeks, had to take care of some personal issues.

Ok, got ya on that.

Related to overall site protection, I suppose it is ok to apply the following?

Question Note: this is what I have collected up to the moment, dont know if Im missing something important before I go live?? (not the same testing as live)..

# Block Site Specific Files
<files .htaccess>
	Order allow,deny
	Deny from all
</files>
<files readme.html>
	Order allow,deny
	Deny from all
</files>
<files readme.txt>
	Order allow,deny
	Deny from all
</files>
<files install.php>
	Order allow,deny
	Deny from all
</files>
<files wp-config.php>
	Order allow,deny
	Deny from all
</files>
<files wp-config-sample.php>
	Order allow,deny
	Deny from all
</files>

# Disable XML-RPC (Safer to avoid Denial of Service Attacks)
<files xmlrpc.php>
	Order allow,deny
	Deny from all
</files>

# Disable Directory Browsing
Options -Indexes

# Start Server Rewrite Protect Files
<IfModule mod_rewrite.c>
	RewriteEngine On
	# Protect wp-includes
		RewriteRule ^wp-admin/includes/ - [F]
		RewriteRule !^wp-includes/ - [S=3]
		RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
		RewriteRule ^wp-includes/[^/]+\.php$ - [F]
		RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
		RewriteRule ^wp-includes/theme-compat/ - [F]
	# Disable PHP in Uploads
		RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]
	# Block HTTP methods
		RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
		RewriteRule ^(.*)$ - [F]
	# Block Suspicious URIs
		RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
		RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
		RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
		RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
		RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
		RewriteCond %{QUERY_STRING} http\:  [NC,OR]
		RewriteCond %{QUERY_STRING} https\:  [NC,OR]
		RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
		RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
		RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
		RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
		RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
		RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
		RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
		RewriteCond %{QUERY_STRING} !^loggedout=true
		RewriteCond %{QUERY_STRING} !^action=jetpack-sso
		RewriteCond %{QUERY_STRING} !^action=rp
		RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
		RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
		RewriteRule ^(.*)$ - [F]
	# Block Foreign Characters
		RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC]
		RewriteRule ^(.*)$ - [F]
	# Reduce Spam
		RewriteCond %{REQUEST_METHOD} POST
		RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
		RewriteCond %{HTTP_REFERER} !.*mydomain.tld.* [NC,OR]
		RewriteCond %{HTTP_USER_AGENT} ^$
		RewriteRule ^(.*)$ - [F]
</IfModule>