
The .htaccess file has lots of possibilities. Today, let’s see how we can protect our WordPress blog from script injection and from unwanted modification of _REQUEST and/or GLOBALS.

Simply paste the following lines into your .htaccess file. This file is located at the root of your WordPress install.
Remember to always make a backup of your .htaccess file before editing it, so that you can restore it if something goes wrong.
Options +FollowSymLinks
RewriteEngine On
# Block any query string containing a <script> tag, plain or URL-encoded (case-insensitive)
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block attempts to set or index the PHP GLOBALS array through the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block attempts to set or index the PHP _REQUEST array through the query string
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# If any condition above matched, answer 403 Forbidden and stop processing
RewriteRule ^(.*)$ index.php [F,L]
Thanks to Oussama for those simple, but efficient lines of code!
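To see what the three conditions actually match before putting them in .htaccess, here is an added Python model of them (example code, not from the original post or from Oussama's article). It assumes, as Apache does, that RewriteCond sees the raw, still URL-encoded QUERY_STRING; the sample query strings are constructed for the demonstration.

```python
import re

# Constructed Python model of the three RewriteCond lines from the post.
# Apache tests each regex against the raw, still URL-encoded QUERY_STRING,
# so the model deliberately does not decode its input either.
# [NC] applies only to the first condition, so only that one is
# case-insensitive; the GLOBALS and _REQUEST checks are case-sensitive.
RULES = [
    ("script tag", re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
]


def matching_rule(query_string):
    """Return the name of the first condition that matches, or None.
    The conditions are chained with [OR], so a single hit is enough for
    the RewriteRule's [F] flag to answer 403 Forbidden."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


def audit(query_strings):
    """Map each raw query string to the condition that would block it.
    Feed it your own site's legitimate URLs (search terms, feed URLs,
    plugin parameters) to find false positives before editing .htaccess."""
    return {qs: matching_rule(qs) for qs in query_strings}


# Constructed samples: the first three are ordinary WordPress traffic, the
# next three are the kinds of request the post blocks, and the last one is a
# legitimate search for "description" wrapped in <em> tags, which trips the
# first condition because "script" sits between a < and a >.
SAMPLES = [
    "p=123",
    "feed=rss2",
    "s=description",
    "s=%3Cscript%3Ealert(1)%3C/script%3E",
    "GLOBALS[foo]=bar",
    "_REQUEST%5Bid%5D=1",
    "s=%3Cem%3Edescription%3C/em%3E",
]

if __name__ == "__main__":
    for qs, rule in audit(SAMPLES).items():
        verdict = f"403 ({rule})" if rule else "allowed"
        print(f"{verdict:<18} ?{qs}")
```

Note that these conditions inspect only the query string: a POST body is never seen by RewriteCond %{QUERY_STRING}, so they complement, rather than replace, input validation in PHP.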
24 Responses
Thx for linking
Hi
Would be great if this tip could be accompanied by some more explanation, since I don’t feel very comfortable just adding this to my .htaccess file without knowing what it does.
Gabrie
Glad that you’re sharing the trick, but I just wish you would briefly describe what it does. As of now it looks Greek to me. Going to Oussama’s site is no help, the language is also Greek to me.
@Hilmy: I came here for the same question (or to verify that my assumption on what the code does was right). I now noticed that the info below the headline wasn’t visible in the RSS feed, which more or less explains it:
This .htaccess rule protects the blog from “scripts injection”, and unwanted modification of _REQUEST and/or GLOBALS.
I’ve seen attempts like this on my blog, blocked by the WordPress Firewall plugin, but .htaccess is always better.
Here is the translation of the original article from French to English à la Google:
The majority of developers still think to protect their POST and GET requests (obviously), but in my opinion this is not always enough: we must also remember to protect ourselves against script injection, changing _REQUEST, changing the PHP GLOBALS variable... And to do this we simply add (create?) a few lines in our .htaccess file.
Warning: Incorrect use of .htaccess files can cause your website to be blocked. Use sparingly! (The example I give is tested and functional).
If after implementing the .htaccess file you have problems accessing the site, simply delete this file or delete the lines you’ve added.
As we all know (don't you?), the .htaccess file must always start with these two lines:
# To enable following of symbolic links
Options +FollowSymLinks
# To start the url_rewriting engine
RewriteEngine On
We begin by putting in the conditional redirection (url_rewriting):
# It blocks all the links containing <script>:
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# It blocks all scripts that try to modify a PHP GLOBALS variable:
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# It blocks all scripts that try to modify a _REQUEST variable:
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Everything is good! We send it all to the homepage with a 403 Forbidden error:
RewriteRule ^(.*)$ index.php [F,L]
So to summarize: To better protect your website, you can add these lines to your .htaccess file (or create a .htaccess file containing these lines):
I use the Su.pr short URL service on my domain and my .htaccess file includes the line:
RewriteRule ^[a-zA-Z0-9]{4}$ supr.php?supr=$0
Would these scripts conflict?
Nice snippet there, Jean-Baptiste, will definitely be useful in the future!
Looks nice, but… what does it do?
yea, explanation?
thanks!!!
Author fail!
Anyone who adds ANY code to any part of their site without the author explaining what it does is ignorant.
@Rick : Stop reading my blog then. It’s pretty simple.
great tip and follow-up info. I’ve been lucky so far but you never know when a hacker is going to find your site.
Sounds good, but how do you use it along with a custom permalink structure: /%category%/%postname%.php
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
Not too happy adding these lines without any commenting on it. Would be nice to have more detailed explanation about what each line does.
Nice tip Jean-Baptiste.
@Jeevan – Check out comment number 5 on this post.
Or you could learn French and check out the source.
Sorry … but this code broke my RSS feed … so I removed this.
I think this is a useful hack, but I need to know what it means to each line. How about an explanation?
Okay, here is the explanation:
The first line checks if the URL contains a script tag (e.g. …) – this is important to check for because some pages just print out parameters from the URL directly into the code () and this would lead to the JavaScript code being executed.
The second and third lines check if the URL contains the strings _REQUEST[...] or GLOBAL to prevent access to these global PHP variables.
If one of these conditions is met, the user is redirected to the website’s front page.
Okay, my code examples have been cut out – that’s good, because that means that my text has been filtered for malicious code.