WordPress - .htaccess - block injection attacks


/ Published in: Apache
Save to your folder(s)

The problem
Protecting dynamic websites is especially important. Most developers always protect their GET and POST requests, but sometimes this is not enough. We should also protect our blog against script injections and any attempt to modify the PHP GLOBALS and _REQUEST variables.

The solution
The following code blocks script injections and any attempts to modify the PHP GLOBALS and _REQUEST variables. Paste it in your .htaccess file (located in the root of your WordPress installation). Make sure to always back up the .htaccess file before modifying it.

Code explanation
Using the power of the .htaccess file, we can check requests. What we’ve done here is check whether the request contains a and whether it has tried to modify the value of the PHP GLOBALS or _REQUEST variables. If any of these conditions are met, the request is blocked and a 403 error is returned to the client’s browser.

Sources

* Protéger Son Site Avec Un Fichier .htaccess
* Protect Your WordPress Blog Using .htaccess


Copy this code and paste it in your HTML
  1. Options +FollowSymLinks
  2. RewriteEngine On
  3. RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
  4. RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  5. RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
  6. RewriteRule ^(.*)$ index.php [F,L]

Report this snippet


Comments

RSS Icon Subscribe to comments

You need to login to post a comment.