Here are some specific .htaccess examples, taken mostly from the WordPress Password Protection plugin, which does a lot more than password protection, as you will see from the following mod_rewrite examples. These are a few of the mod_rewrite uses that BlogSecurity declared pushed the boundaries of mod_rewrite! Some of these snippets are quite exotic and unlike anything you may have seen before, and they are only for those who understand them, as they can kill a website pretty quickly. The mod_rewrite snippets assume RewriteEngine On is already set earlier in the same .htaccess.
#1 - Directory Protection
Enable DirectoryIndex protection, preventing directory index listings and defaulting to index.html or index.php.

Options -Indexes
DirectoryIndex index.html index.php /index.php
#2 - Password Protect wp-login.php
Requires a valid username and password to access the login page.

<Files wp-login.php>
  Order Deny,Allow
  Deny from All
  Satisfy Any
  AuthName "Protected By YourDomain"
  AuthUserFile /web/YourDomain.com/.htpasswda1
  AuthType Basic
  Require valid-user
</Files>
#3 - Password Protect wp-admin
Requires a valid username and password to access any non-static (CSS, JS, image) file in the wp-admin directory. Static files and async-upload.php are exempted, and mod_security filtering is switched off for async-upload.php.

Options -ExecCGI -Indexes +FollowSymLinks -Includes
DirectoryIndex index.php /index.php
Order Deny,Allow
Deny from All
Satisfy Any
AuthName "Protected By YourDomain"
AuthUserFile /web/YourDomain.com/.htpasswda1
AuthType Basic
Require valid-user
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$">
  Allow from All
</FilesMatch>
<FilesMatch "(async-upload)\.php$">
  <IfModule mod_security.c>
    SecFilterEngine Off
  </IfModule>
  Allow from All
</FilesMatch>
#4 - Protect wp-content
Denies any direct request under wp-content for files ending in .php (and also .html, .htm and .txt) with a 403 Forbidden; flexible-upload-wp25js.php is exempted. May break plugins/themes.

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
RewriteRule .? - [F,NS,L]
#5 - Protect wp-includes
Denies any direct request under wp-includes for files ending in .php with a 403 Forbidden; requests below wp-includes/js/ are exempted. May break plugins/themes.

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/ [NC]
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
RewriteRule .? - [F,NS,L]
#6 - Common Exploits
Block common exploit requests with a 403 Forbidden: a triple slash, a URL scheme directly after ? or ?=, a double ??, and any request line mentioning .asp/.ini/.dll or .htpasswd/.htaccess. Requests to wp-login.php, wp-admin, wp-content/plugins and wp-includes are exempted. These can help a lot, but may break some plugins.

RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|dehtpasswd).*\ HTTP/ [NC]
RewriteRule .? - [F,NS,L]
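To see what rule #6 actually catches before putting it on a live site, here is an added Python harness (not part of the plugin or the original post) that evaluates the six RewriteCond lines against constructed request lines. It uses Python's re module as a stand-in for Apache's PCRE and reproduces mod_rewrite's [OR]/AND chaining; the sample requests and host names are constructed for the demonstration.

```python
import re

# Rule #6 from the page as (variable, pattern, negated, joined to next by [OR]).
# All six conditions carry [NC], so every match is case-insensitive.
COMMON_EXPLOIT_CONDS = [
    ("REQUEST_URI", r"^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).*", True, False),
    ("THE_REQUEST", r"^[A-Z]{3,9}\ ///.*\ HTTP/", False, True),
    ("THE_REQUEST", r"^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/", False, True),
    ("THE_REQUEST", r"^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/", False, True),
    ("THE_REQUEST", r"^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/", False, True),
    ("THE_REQUEST", r"^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|dehtpasswd).*\ HTTP/", False, False),
]


def cond_chain_matches(conds, request_vars):
    """Evaluate a RewriteCond chain the way mod_rewrite does: conditions
    joined by [OR] form a group that passes if any member passes; the
    groups (and conditions without [OR]) are AND-ed together."""
    groups, current = [], []
    for variable, pattern, negated, or_next in conds:
        hit = re.search(pattern, request_vars[variable], re.IGNORECASE) is not None
        current.append(hit != negated)  # a leading "!" inverts the test
        if not or_next:
            groups.append(any(current))
            current = []
    return all(groups)


def request_blocked(method, uri, query=""):
    """Build THE_REQUEST and REQUEST_URI for a constructed request and report
    whether rule #6 would answer it with 403 Forbidden."""
    target = uri + ("?" + query if query else "")
    request_vars = {"THE_REQUEST": f"{method} {target} HTTP/1.1", "REQUEST_URI": uri}
    return cond_chain_matches(COMMON_EXPLOIT_CONDS, request_vars)


if __name__ == "__main__":
    # Constructed sample requests: what the rule catches, what it exempts, and
    # a harmless search query it blocks anyway (the "may break plugins" case).
    samples = [
        ("GET", "/index.php", "=http://other.example/x"),         # blocked: scheme right after "?="
        ("GET", "/index.php", "page=http://other.example/x"),     # not blocked: scheme follows a parameter name
        ("GET", "/wp-admin/post.php", "=http://other.example/x"),  # not blocked: wp-admin is exempted
        ("GET", "/search/", "s=php.ini"),                         # blocked: ".ini" anywhere in the request line
        ("GET", "/index.php", "a=1??"),                           # blocked: double "?"
        ("POST", "/wp-comments-post.php", ""),                    # not blocked: ordinary comment post
    ]
    for method, uri, query in samples:
        verdict = "403" if request_blocked(method, uri, query) else "pass"
        print(f"{method} {uri}{'?' + query if query else ''}: {verdict}")
```

The search-query case is the one to watch: a visitor searching for a filename such as php.ini gets a 403, which is exactly the kind of breakage the description warns about.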
#7 - Stop Hotlinking
Denies any request for static files (images, CSS, etc.) if the referrer is neither empty nor the local site. Adjust the scheme and host in the referrer check to match your own site, or your own pages will be refused.

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{HTTP_REFERER} !^https://www.YourDomain.com.*$ [NC]
RewriteRule \.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$ - [F,NS,L]
#8 - Safe Request Methods
Denies any request not using
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
RewriteRule .? - [F,NS,L]
#9 - Forbid Proxies
Denies any POST request that arrives through a proxy server, detected from headers such as Via, Forwarded and X-Forwarded-For. Proxied visitors can still read the site, but not comment. If your site sits behind a reverse proxy or CDN that always sets X-Forwarded-For, this will block every POST.

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .? - [F,NS,L]
#10 - Real wp-comments-post.php
Denies any POST attempt (in fact any request, since the method is not checked) made to a wp-comments-post.php that is not the real one: the pattern only matches the file name inside a subdirectory, not at the site root.

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteRule .? - [F,NS,L]
We will cover more in the next part. Keep in touch, and please share your feedback, suggestions or views in the comment section below.