Advanced Mod_Rewrites Example From Wordpress Plugins Part - 2

Hello, in our previous blog Advanced Mod_Rewrites Example From Wordpress Plugins, we shared 10 examples, now moving ahead in this blog, we will cover 10 more examples. So let us start

#11 - HTTP PROTOCOL

Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1 only.

RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC]
RewriteRule .? - [F,NS,L]

#12 - SPECIFY CHARACTERS

Denies any request for a URL containing characters other than "a-zA-Z0-9.+/-?=&" - REALLY helps but may break your site depending on your links.

RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC]
RewriteRule .? - [F,NS,L]

#13 - BAD Content-Length

Denies any POST request that doesn't have a Content-Length Header

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Length} ^$
RewriteCond %{REQUEST_URI} !^/(wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .? - [F,NS,L]

#14 - BAD Content-Type

Denies any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/form-data.*(boundary.*)?)$ [NC]
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .? - [F,NS,L]

#15 - Missing HTTP_HOST

Denies requests that don't contain a HTTP HOST Header.[403]

RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{HTTP_HOST} ^$
RewriteRule .? - [F,NS,L]

#16 - Bogus Graphics Exploit

Denies obvious exploit using bogus graphics.

RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
RewriteRule .? - [F,NS,L]

#17 - No UserAgent, Not POST

Denies POST requests by blank user-agents. May prevent a small number of visitors from POSTING.

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .? - [F,NS,L]

#18 - No Referer, No Comment

Denies any comment attempt with a blank HTTP_REFERER field, highly indicative of spam. May prevent some visitors from POSTING. 

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule .? - [F,NS,L]

#19 - Trackback Spam

Denies obvious trackback spam. 

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^.*(opera|mozilla|firefox|msie|safari).*$ [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.+/trackback/?\ HTTP/ [NC]
RewriteRule .? - [F,NS,L]

#20 - Map all URIs except those corresponding to existing files to a handler

RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
RewriteRule . /script.php

Well, that's it for now. we will cover more examples of .htaccess mod_rewrite in our next blog. So stay tuned, stay informed!