.htaccess /includes, Sucuri vs. ww.wp.xz.cn ?

  • boblebad

    (@boblebad)


    7 years ago

    Hello

    I recently discovered an error after upgrading to WP 5.2, Investigating it lead me to sites talking about a hack. And yes, i found some extra files in the /includes dir.

    Then on to protecting it. Sucuri does it one way and ww.wp.xz.cn tells another story. Which is the better and what’s the difference ?

    This is Sucuri: Hardening via the plugin
    ——

    
<FilesMatch "\.(?i:php)$">
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>

<Files wp-tinymce.php>
  <IfModule !mod_authz_core.c>
    Allow from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
</Files>

<Files ms-files.php>
  <IfModule !mod_authz_core.c>
    Allow from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
</Files>
------

    This is ww.wp.xz.cn: https://ww.wp.xz.cn/support/article/hardening-wordpress/
    ——

    
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
-------

    All the best
    Carsten, Denmark

Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator James Huff

    (@macmanx)

    7 years ago

    Those are two very different things.

    WordPress adds the .htaccess Rewrite rules necessary to make your permalinks work, Sucuri adds .htaccess Allow/Deny rules to further secure your site.

    Thread Starter boblebad

    (@boblebad)

    7 years ago

    But still, both say it’s to protect files in the /includes dir.

    This is from the WordPress site:
    “A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file.”

    This i from Sucuri:

    Block the execution of PHP files in sensitive directories. Be careful while applying this hardening option as there are many plugins and theme which rely on the ability to execute PHP files in the content directory to generate images or save temporary data. Use the “Whitelist PHP Files” tool to add exceptions to individual files.”

    So why are they doing so differently ?

    Moderator James Huff

    (@macmanx)

    7 years ago

    The WordPress documentation says you can _choose_ do that if you want to, WordPress does not do that on its own.

    The Sucuri documentation says that Sucuri _will_ do that if the option is selected.

    Thread Starter boblebad

    (@boblebad)

    7 years ago

    Thank you for your reply James.

    But that was really not an answer to my question.

    Why are the methods to achieving the same thing so different ?

    Moderator James Huff

    (@macmanx)

    7 years ago

    Sorry, I misread earlier, blame the pre-coffee. The rules from WordPress are indeed _not_ the rewrite rules for permalinks.

    But, either way though, they are still absolutely _not_ doing the same thing.

    The rules from Sucuri protect wp-tinymce.php and ms-files.php and any .php file. Why? You’ll need to ask them.

    The recommended rules for WordPress protect /wp-admin/includes/ and php files under /wp-includes/ and /wp-includes/js/tinymce/langs/ and /wp-includes/theme-compat/

    There’s no reason not to use both, they do two different things.

    Thread Starter boblebad

    (@boblebad)

    7 years ago

    Thank you again James πŸ™‚

    If you look closer(get more coffee πŸ˜‰ ) at the code from Sucuri, they actually specifically allow wp-tinymce.php and ms-files.php to run; Require all granted

    Why they do what they do, is to block users/hackers to run .php files from the /includes directory.

    That’s also what WordPress say they’re doing, but with; rewrite

    Is rewrite at better choice than mod_authz_core.c for solving this task ?

    Moderator James Huff

    (@macmanx)

    7 years ago

    Argh, yes, more coffee was required.

    Either way though, there’s no reason not to run them together, there will be no conflicts.

    Of the two, I like the way Sucuri is doing it compared to the recommended WordPress way.

    Personally though, if you’re getting into .htaccess blocks, you might as well go for https://perishablepress.com/6g/

    Which, you can also get in simple plugin form: https://ww.wp.xz.cn/plugins/block-bad-queries/

    Thread Starter boblebad

    (@boblebad)

    7 years ago

    Hello James

    I was just searching the Apache site. I thought that might be a place to go, just to try to understand the different approaches. Not that it helped that much πŸ˜‰

    But as you write, i also lean more to the Sucuri method. It’s a lot more simple: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html

    It though would be interesting to hear why WordPress chose to use Rewrite.

    I’m not sure if it’s a good idea to put two rules in that do the same. It also puts an extra load on the server.

    Thank you for the links, i’ll have a look at them πŸ™‚

    Thread Starter boblebad

    (@boblebad)

    7 years ago

    Hmm, maybe the difference is this:
    “Further, 7G uses Apache’s mod_rewrite, so it works on all types of HTTP request methods: GET, POST, PUT, DELETE, and all others. That means robust protection for your website.”

    Maybe mod_authz_core do not do that.

Viewing 9 replies - 1 through 9 (of 9 total)

The topic ‘.htaccess /includes, Sucuri vs. ww.wp.xz.cn ?’ is closed to new replies.