anuj.analytics

Advanced protection for .htaccess

Account Plan: Personal 500
Your Domain: analytics.ga
Browser: Chrome
System (Mac/PC/Linux): PC
Nature Of Problem: Security Threat
Error you are Getting [Resolved by Eli]: The site links were giving a "Page Not Found" (404) and the entire site rendered as a text-only document.
 

Problem:

I recently had some terrible downtime due to a simple code injection done by a hacker that appended an HTTP_REFERRER RewriteCond to my .htaccess file.

(Thanks to Eli for drawing my attention to the file. This has been an eye-opener).

 

Just 2 lines of code killed everything on the site. I was thinking all the time that it was a security plugin causing the problem, but it was someone who managed to edit my .htaccess file using some script or other method by which he could bypass all my security measures. It's very dangerous for me as I'm in a data-oriented profession and I'm supposed to be able to combat this stuff, but so far to no avail. Did some reading around but couldn't find more than the following code and variations thereof that use regular expressions to match filenames:

<files .htaccess>
    order deny,allow
    deny from all
</files>

I don't think such a measure will work very well against automated scripts. Is there any way to seal access completely, i.e. no one can touch the .htaccess file in any way, front-end or back-end? This has to be done in such a way that pages on loading are able to execute all instructions in .htaccess, otherwise the site won't load in the first place.

Edited by anuj.analytics


You could try removing write permissions to the file. But the most likely cause of this is installing bad plugins in WordPress. Only install plugins that are highly rated and tested.


You could try removing write permissions to the file. But the most likely cause of this is installing bad plugins in WordPress. Only install plugins that are highly rated and tested.

Agree on the plugins part. There are some that break more than they make.

If I set permissions to "444", can the file still be injected with code?

Or is there a way to rename it from .htaccess to something else and inform cPanel to adjust to the new name (read from it)? That way a hacker or script targeting a file named .htaccess / .HTACCESS / .HTAccess / .HTaccess or any other variation won't know the filename and wouldn't be able to inject code into it.

 

Update:

I FOUND SOMETHING

http://www.electrictoolbox.com/change-htacces-filename-apache/

Given that .htaccess is a file extension and not a filename, I don't know what impact renaming the extension / name.extension will have...

As I see it, the <virtualhost> settings he is referring to on the linked page might do the trick. I don't know if this has to be done by me or by the host (WHM or similar). Either way, it would not be safe to rename it as .htaccess.something as spammers will scan for any file matching the .htaccess string pattern in the name or extension.

What do you say Eli?

Edited by anuj.analytics

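The two controls discussed in the thread so far are stripping write permission from .htaccess and spotting an appended HTTP_REFERER rewrite. As an added example (not code from this thread or from the host), the script below audits a .htaccess file for both; the paths it is run against and the sample contents used in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a .htaccess file for
# (1) group/world write permission and (2) RewriteCond lines keyed on
# %{HTTP_REFERER} together with the RewriteRule that consumes them.
# Run as: audit_htaccess /path/to/site/.htaccess   (path is an assumption)

# Return 0 when the file is not writable by group or others, 1 otherwise.
# Uses the POSIX `ls -l` mode string, so it works on GNU and BSD systems.
htaccess_perms_ok() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Print (with line numbers) every RewriteCond that tests the referrer and
# the RewriteRule that directly follows it. Prints nothing if none exist.
htaccess_referer_rules() {
    awk '
        # a RewriteCond on %{HTTP_REFERER}: report it and remember it
        tolower($0) ~ /^[ \t]*rewritecond[ \t]+%[{]http_referer[}]/ {
            print NR ": " $0; pending = 1; next
        }
        # the RewriteRule that consumes the pending condition
        pending && tolower($0) ~ /^[ \t]*rewriterule/ {
            print NR ": " $0; pending = 0; next
        }
        # any other directive (not a comment or blank line) ends the pair
        /^[ \t]*[^# \t]/ { pending = 0 }
    ' "$1"
}

# Overall verdict: exit 0 = clean, 1 = findings (details on stdout).
audit_htaccess() {
    rc=0
    htaccess_perms_ok "$1" || { echo "$1 is group/world writable"; rc=1; }
    findings=$(htaccess_referer_rules "$1")
    if [ -n "$findings" ]; then
        echo "referrer-based rewrite rules in $1:"
        echo "$findings"
        rc=1
    fi
    return $rc
}
```

Running it from cron against each site's .htaccess gives a quick alert on the exact symptom described in the opening post, without relying on a plugin that the injected rule may itself have disabled.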

If you need to use the .htaccess for whatever reason, it needs to be named what it is, otherwise it won't be able to work. It should be safe as-is.


Given your amazing service, I know I can count on you so I'll leave it as it is... protecting it is getting quite complicated anyway.

Edited by anuj.analytics
