Firewall in .htaccess

There are many ways to have a firewall in WordPress, usually through plugins that run in PHP and put extra load on the server.

A simpler alternative is to put a few firewall rules directly into the .htaccess file: rules that block requests by their query-string parameters, by HTTP request method, or by user agent (certain robots).

If you choose this route, these filters can help improve your security. Each block is wrapped in <IfModule>, so it is silently skipped if the corresponding Apache module is not loaded.

# QUERY STRINGS
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
  RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
  RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
  RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
  RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
  RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
  RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
  RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
  RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
  RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
  RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
  RewriteRule .* - [F]
</IfModule>

# REQUEST METHOD
<IfModule mod_rewrite.c>
  RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|trace|track) [NC]
  RewriteRule .* - [F]
</IfModule>

# REQUEST STRINGS
<IfModule mod_alias.c>
  RedirectMatch 403 (?i)([a-z0-9]{2000,})
  RedirectMatch 403 (?i)(https?|ftp|php):/
  RedirectMatch 403 (?i)(base64_encode)(.*)(\()
  RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
  RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
  RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
  RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
  RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
  RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
  RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
  RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>

# USER AGENTS
<IfModule mod_setenvif.c>
  SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot
  SetEnvIfNoCase User-Agent (binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
  # Apache < 2.3
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
  </IfModule>
  # Apache >= 2.3
  <IfModule mod_authz_core.c>
    <RequireAll>
      Require all Granted
      Require not env bad_bot
    </RequireAll>
  </IfModule>
</IfModule>
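To see what the QUERY STRINGS rules above actually block before deploying them, here is an added Python example (not part of the original page) that transcribes the eleven RewriteCond patterns as Python regexes and runs them over constructed sample query strings. It also shows a false positive: a legitimate search containing a quote and the word "select" is rejected by the last rule.

```python
import re
from typing import Dict, Iterable, Optional

# The QUERY STRINGS rules from the .htaccess above, transcribed as Python
# regular expressions in the same order. Every RewriteCond carries [NC], so
# each pattern is compiled case-insensitively.
QUERY_STRING_RULES = [
    r"(eval\()",
    r"(127\.0\.0\.1)",
    r"([a-z0-9]{2000,})",
    r"(javascript:)(.*)(;)",
    r"(base64_encode)(.*)(\()",
    r"(GLOBALS|REQUEST)(=|\[|%)",
    r"(<|%3C)(.*)script(.*)(>|%3)",
    r"(\\|\.\.\.|\.\./|~|`|<|>|\|)",
    r"(boot\.ini|etc/passwd|self/environ)",
    r"(thumbs?(_editor|open)?|tim(thumb)?)\.php",
    r"""('|")(.*)(drop|insert|md5|select|union)""",
]
_COMPILED = [re.compile(p, re.IGNORECASE) for p in QUERY_STRING_RULES]


def first_matching_rule(query_string: str) -> Optional[int]:
    """Return the 0-based index of the first rule that would fire (a 403),
    or None if the request would pass.  As in mod_rewrite, the match is
    done on the raw, still percent-encoded query string (hence %3C in rule 6).
    """
    for index, pattern in enumerate(_COMPILED):
        if pattern.search(query_string):
            return index
    return None


def classify(query_strings: Iterable[str]) -> Dict[str, Optional[int]]:
    """Map each sample query string to the rule that blocks it, or None."""
    return {qs: first_matching_rule(qs) for qs in query_strings}


if __name__ == "__main__":
    # Constructed sample query strings (hypothetical, not from the page).
    samples = [
        "p=123&preview=true",      # normal post preview: passes
        "s=hello%20world",         # normal search: passes
        "file=../../etc/passwd",   # traversal probe: blocked by rule 7 (../)
        "s='select+a+plan'",       # legitimate search: false positive, rule 10
    ]
    for qs, rule in classify(samples).items():
        verdict = "pass" if rule is None else f"403 (rule {rule})"
        print(f"{qs:28} -> {verdict}")
```

Run it against your own site's access log query strings to find which legitimate requests the rules would reject before enabling them.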

About this document

This document is covered by the EUPL v1.2 license, published on WP SysAdmin and created by Javier Casares. If you use this content on your website, in your presentation or in any material you distribute, please mention this site or its author, and put the material you create under the EUPL license.