Why is this line of code Wrong in every WordPress .Htaccess security article?

is partly wrong in every WordPress .Htaccess hardening article I’ve seen.

Unfortunately it is very common for Apache config/regex code snippets to be blindly copy/pasted and errors do propagate. Unless there is some obscure vulnerability we are not aware of then I would bet that that is what has happened here. (Although matching “too much” is not necessarily a problem here.)

Although per-directory php.ini files (in the public HTML space) is not a common scenario these days, so this check is arguably bogus anyway. However, .user.ini files are, so this should probably be added (ie. \.user\.ini).

And error_log, php.ini and .htaccess / .htpasswd files are not specific to WordPress.

However, there are other potential “errors” with the code snippet:

  • The ^.* prefix on the regex is entirely superfluous and just makes the regex a little less efficient. However, the effect of this is that the remainder of the regex is essentially just a suffix. In other words, it will match <anything>error_log, <anything>wp-config.php, <anything>php<anychar>ini and <anything>.[hH][tT][aApP]<anything>. Which is probably unnecessary.

  • The directives Order and Deny are Apache 2.2 directives and formerly deprecated on Apache 2.4, which is more likely what you are using these days. These directives have been moved to an optional extension (mod_access_compat) which might not even be installed. On Apache 2.4 you should be using the equivalent Require directive instead:

    Require all denied

    But note that you should not mix old and new auth directives in the same config as you can get unexpected results due to the order in which these directives are processed.

Related Posts:

  1. Improve wordpress security by hiding non public resources
  2. Does this .htaccess security setting really work?
  3. File and directory permissions
  4. Using “wordpress_logged_in” to restrict direct access to uploads folder in 2021
  5. WordPress URL/Folder ReWrite using Htaccess
  6. Which WordPress scripts need to be executable for a fresh installation?
  7. Blocking access to wp-login via htaccess not working
  8. Attach to wp-login.php and xmlrpc.php
  9. Struggling with add_rewrite_rule
  10. XMLRPC filtering through htaccess not working
  11. Restricting user login by IP address
  12. WordPress: Adding Security
  13. How do I test to ensure that my wp-config file is protected?
  14. WordPress not seeing .htaccess rules
  15. Rules in .htaccess only if the requested URL is /wp-admin
  16. Disable directory browsing of uploads folder
  17. Strange behaviour of is_user_logged_in() and get_current_user_id()
  18. Selectively Disabling PHP via .htaccess in Root Directory
  19. Problem with WordPress permalinks
  20. Redirect files in uploads directory if WordPress user not logged in
  21. Should I prevent access to .htaccess and wp-config.php files?
  22. Blocking wp-login in HTACCESS has also blocked password protected pages
  23. Basic Auth .htaccess on wp-login, but allow logout from woocommerce
  24. Using htaccess to prevent spam through wp-comments-post.php
  25. Redirect Loop in Regex Moving to HTTPS
  26. How can I create a private site that is inaccessible from the outside?
  27. Restrict Content for only Contributors via .htaccess
  28. Allowing access to certain WordPress created pages or posts with htaccess / htpasswd
  29. Redirect loops in Bing holding my sites back
  30. Security headers disappear on WordPress pages
  31. WordPress site hacked. Has .htaccess been hacked?
  32. What does a security risk in a plugin look like?
  33. Securing wp-admin folder – Purpose? Importance?
  34. Static raw HTML page
  35. .htaccess file redirecting to parent directory
  36. Rewrite /?rest_route=/ link to /wp-json/ without changing default permalink structure in apache
  37. Globally force SSL on all pages
  38. Rewrite rule not working
  39. Correct htaccess to display page while also passing in GET parameters
  40. Temporary .htaccess blocking is disabling WP Crons from running?
  41. Block access to wp-admin
  42. .htaccess redirects disappeared after re-saving permalinks
  43. WordPress trims off the forward slash when import
  44. WordPress best solution shared theme for consumers and businesses (two url’s one instaltion)
  45. WordPress multilingual website domain and folders
  46. Corrupt .htaccess file
  47. Cache policy not updated according to PageSpeed
  48. Can’t Access Subdirectory
  49. What’s the opposite of required valid user in .htaccess authentication
  50. How can i redirect one url to another url using .htaccess or add_rewrite_rule
  51. When is it necessary to have Header unset Vary in .htaccess
  52. Redirect http to https does not work on subdir where another instance of WordPress installed
  53. redirect the homepage using .htaccess outside of WordPress
  54. Https Redirect infinite loop in Mobile browsers
  55. 403 error on admin login page
  56. Redirect an old link to new site homepage [closed]
  57. Headers Content-Security-Policy CSP Major Issue
  58. Point all URLs to homepage but maintain URL
  59. .htaccess rewriting old RSS feed URL to WordPress feed URL
  60. How can I set Cache TTL for woff and woff2 font files with htaccess?
  61. How can I fix the redirect chain after implementing ssl on wordpress?
  62. External content won’t load in iframe in Safari
  63. How to write .htaccess so that https is on for subpages only but not the home page
  64. How do I configure wordpress structure for development using git and composer
  65. How to create a redirect in the .htaccess file, with 2 exceptions
  66. My Homepage Suddenly Disappeared and I Can’t Get It Back
  67. How to turn this .htaccess rule into a dynamic rule with add_rewrite_rule, et al?
  68. WordPress .htaccess file gives issues with subdirectory
  69. W3 Total Cache CSS & JS files GZip issues [closed]
  70. WP Super Cache unable to locate cache file for only the homepage
  71. Cannot login to WordPress site after changing .htaccess for security purposes
  72. add_rewrite_rule to remove /category/ from permalink
  73. Local PC cache stays filled with old WordPress Site data
  74. How to have a custom URI path for specific page template
  75. WordPress JSON API restrict to specific domain
  76. Where to put W3 Total Cache rewrite rules in .htaccess? [closed]
  77. Redirect all subdomains to root domain
  78. Rewrite Rules not redirecting rewrite
  79. How do i allow access to a single file in my root directory? [closed]
  80. How to execute WordPress as though it is in the root folder while it is installed in a subdirectory?
  81. What’s the best way to manage a lot of 301 redirects in WordPress?
  82. Shared hosting, multiple sites, can’t log in to WP due to .htaccess redirection
  83. Htaccess maintenance page rules that actually work with WordPress?
  84. What causes 404 errors that forces you to rebuild a .htaccess file?
  85. How to allow only vpn access to dashboard on Bitnami WordPress by IP address restricting
  86. How to set up MS Exchange Autodiscover alongside WordPress
  87. Xampp is not loading media
  88. PHP application in sub directory keeps redirecting to main site
  89. execute cron jobs when .htaccess login protected?
  90. Redirect WordPress site to a landing (construction) page using htaccess, with access to /wp-admin and /invoice
  91. change URIs of migrated site
  92. htaccess- to hide subdirectory slug only from the post
  93. Steps for WordPress over SSL
  94. Fixing Access-Control-Allow-Origin (CORS origin) for multiple subdomains
  95. .htaccess file changes disappear
  96. insert_with_markers() WordPress & htaccess help
  97. 403 forbidden due to .htaccess?
  98. Cannot find webarh/malware redirect infection that only shows on Chrome
  99. .htaccess seems to be required but I can not find it
  100. The connection to “domain” is not secure
techhipbettruvabetnorabahisbahis forumutaraftarium24eduseduseduseduseduseduseduseduedusedus