Allow a specific PHP file to access a hardened wp-content folder - php

1) My wp-content is hardened with a .htaccess file containing this code:
<Files *.php>
deny from all
</Files>
2) I want (need) to authorize xml-sitemap-xsl.php Otherwise I get this error in my error log: client denied by server configuration: /home/user/mysite.net/wp-content/plugins/wordpress-seo/css/xml-sitemap-xsl.php, referer: http://mysite.net/sitemap_index.xml
3) I think I should add the following code but I’m not sure if it’s the right code nor where to place it:
<Files "xml-sitemap-xsl.php">
Allow from all
</Files>
The thing I want to avoid is a conflict between the deny and allow commands.
Thanks,
P.

This has not much to do with Wordpress and I am not an expert regarding .htaccess, but I believe that what your file is doing is not denying access to your directory by all .php files, rather, denying access to all the .php files inside the directory.
The <Files> directive is used to add specific rules to specific files and, as far as I know, it cascades.
Considering your comment, this should do the trick
<Files *.php>
deny from all
</Files>
<Files "xml-sitemap-xsl.php">
Order Allow,Deny
Allow from all
</Files>

see: Deny direct access to all .php files except index.php

Related

Hide HTML page from the server [duplicate]

I'm trying to hide all the php and some html file in my server folder only by direct call from url... particularly i need to hide the register.html (this file is for users registration), and other php file.. (these php files contain sensitive data for database connection). How can i do this?? Thanks for any help ;)
Create/edit the .htaccess file in the directory where the files are located.
For denying all direct access to all files in the directory, add this:
Deny from all
For restricting only a specific file:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
For restricting specific file types, you need to edit the .htaccess file in the webroot folder. This rule will deny access to all .php and .html files in myFolder and its subdirectories.:
RewriteRule ^myFolder/.*\.(php|html)$ - [F,L,NC]
More examples on denying access to file types: https://stackoverflow.com/a/20489058/6817376
You can use this for register.html:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
and in the same way for other files.

Showing 404 error while someone tries to access .php files?

How to stop php from executing .php files while being accessed directly. I want to do routing on files and also want to stop users from directly accessing the .php files. Is there anyway to change the .htaccess file to achieve the functionality.
Prevent direct access to php files
write code in .htacess file.
<Directory "^public_html">
<Files "^(*.php|*.phps)">
order deny,allow
deny from all
</Files>
</Directory>
Or
<Files *.php>
deny from all
</Files>

How can i deny direct access from url to all php file and some html in my server folder using htaccess?

I'm trying to hide all the php and some html file in my server folder only by direct call from url... particularly i need to hide the register.html (this file is for users registration), and other php file.. (these php files contain sensitive data for database connection). How can i do this?? Thanks for any help ;)
Create/edit the .htaccess file in the directory where the files are located.
For denying all direct access to all files in the directory, add this:
Deny from all
For restricting only a specific file:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
For restricting specific file types, you need to edit the .htaccess file in the webroot folder. This rule will deny access to all .php and .html files in myFolder and its subdirectories.:
RewriteRule ^myFolder/.*\.(php|html)$ - [F,L,NC]
More examples on denying access to file types: https://stackoverflow.com/a/20489058/6817376
You can use this for register.html:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
and in the same way for other files.

Disallow view of specific file on Apache

In my site I've some file used by my application where are putted the log information.
For example a log file is "access.log", and i write in by PHP.
If a visitor go to www.mysite.ext/access.log , can see the file and all the information inside it.
How can I disallow this?
thanks a lot
Put this in your .htaccess
<FilesMatch "\.(htaccess|htpasswd|pinc|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Will block .log and other common files you don't want people to access.
If you want to do this in Apache, you can add the following to your .htaccess:
<files access.log>
deny from all
</files>

Set some web directories as restricted directories

I am doing PHP web application, with Apache.
There are a few configuration files ( like App.yml) whose content I don't want to expose to users under whatsoever circumstances. Is there anyway that I can tweak my Apache setting so that these files won't be available when hostile users query for them?
The best option would be to place the files outside of your document root.
If that's not possible, you can deny access to them in apache .conf file (or a .htaccess file) with
<Directory /path/to/dir>
Deny from all
</Directory>
You can create a .htaccess file in that directory and place in it
order deny,allow
deny from all
You can also do this if you only want to block one file.
<Files filenamehere>
order deny,allow
deny from all
</Files>

Categories