Posted By

josephknight on 07/05/10


Tagged

php html htaccess security rewrite


Versions (?)

Who likes this?

5 people have marked this snippet as a favorite

artificialid
mikoli
laurentzziu
wirenaught
rickygri


WordPress - .htaccess - block injection attacks


 / Published in: Apache
 

The problem Protecting dynamic websites is especially important. Most developers always protect their GET and POST requests, but sometimes this is not enough. We should also protect our blog against script injections and any attempt to modify the PHP GLOBALS and _REQUEST variables.

The solution The following code blocks script injections and any attempts to modify the PHP GLOBALS and _REQUEST variables. Paste it in your .htaccess file (located in the root of your WordPress installation). Make sure to always back up the .htaccess file before modifying it.

Code explanation Using the power of the .htaccess file, we can check requests. What we’ve done here is check whether the request contains a and whether it has tried to modify the value of the PHP GLOBALS or _REQUEST variables. If any of these conditions are met, the request is blocked and a 403 error is returned to the client’s browser.

Sources

* Protéger Son Site Avec Un Fichier .htaccess
* Protect Your WordPress Blog Using .htaccess
  1. Options +FollowSymLinks
  2. RewriteEngine On
  3. RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
  4. RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  5. RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
  6. RewriteRule ^(.*)$ index.php [F,L]

Report this snippet  

You need to login to post a comment.