enabling .htaccess subdomain access

Home Forums BulletProof Security Free enabling .htaccess subdomain access

This topic contains 4 replies, has 2 voices, and was last updated by  Bob 6 years, 3 months ago.

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • #7281

    Bob
    Participant

    Greetings,

    Still learning .htacess magic, so while I grasp the instructions (e.g., at https://my.bluehost.com/cgi/help/498)  for DISabling subdomain folder access on a WP site, I would like to know how to do the opposite … that is, edit the (BPS-generated) .htaccess so that it ENABLES/stops prohibiting (browser) access to subdomain folders that exist in the same /public/html/ as my WP install (i.e., I did not give WP its own install folder) … is this permitted/the “right way” to do such a thing?

    What I’ve accomplished so far is to comment out the Options -Indexes line, which at least then shows the Indexed contents of the subdomain folder (yet doesn’t load e.g., default.html … need to figure out why not, as a subsequent related task) …

    But, my concern with that method is whether or not this lessens the security on my WP site (installed in /public/html root) … does it?

    Appreciate any & all feedback on either question,
    Bob

    #7282

    AITpro Admin
    Keymaster

    If your WordPress website is installed in the Document Root folder (/public_html) then BPS will create an .htaccess file in the Document Root folder for this website.

    .htaccess files are heirarchical/recursive, which means that the .htaccess file in the /public_html folder will apply its security rules to all subfolders below this folder, unless the subfolder or subfolders have their own .htaccess files.  If they have their own .htaccess files then those subfolders will follow the security rules in their own .htaccess files and not the .htaccess rules in the Document Root .htaccess file (/public_html).

    The simplest way to do what you want is to add a RewriteEngine Off .htaccess file in the subfolders where you do NOT want BPS to apply its /public_html/.htaccess file rules recursively to those subfolders.

    See this Forum Topic on creating/adding a RewriteEngine Off .htaccess file.

    http://forum.ait-pro.com/forums/topic/rewriteengine-off-htaccess-file/

    Another option is to create custom RewriteRules in your root .htaccess file.  See the Forum Topic link below.

    http://forum.ait-pro.com/forums/topic/i-think-bps-deactivated-incorrectly-how-to-fix/#post-7369

    The “Options -Indexes” means do not show folders and files in an index.  By default WordPress already does this, but you should also keep this directive uncommented in your .htaccess file.  Security-wise it is not that big of a deal.  It is more secure to use Options -Indexes and less secure to not use this directive.

    #7286

    Bob
    Participant

    Thanks Keymaster,

    Just to confirm the steps taken on your guidance…

    1. removed comment for Options -Indexes from root .htaccess
    2. Used the “Roll Your Own” method (not having BPS Pro yet) to create & place the securityoff.htaccess
    3. renamed to .htaccess

    … then gained Access (and no index shown).

    Then worked on the barebones index.php, and got that working.

    Then, did a little more messing around to keep learning .htaccess, eventually getting things screwed up enough so I deleted all .htaccess files from the subfolder/subdomain … and rechecked access just for the heckofit: browser still shows index.php!

    This doesn’t make sense as I expected a 403 since the /public_html/.htaccess would again apply (top-down); apparently not, and more learning awaits!

    Best regards,
    Bob

    #7287

    AITpro Admin
    Keymaster

    If you left a blank index.php file in a subfolder then you would still see that index.php file.  An index file whether it is index.html, index.php, etc. is designed to be recognized as that directory’s/folder’s “index” page and it will be opened by default.

    “If the server is unable to find a file with any of the names listed in its configuration, it may either return an error (generally 404 Not Found) or generate its own index page listing the files in the directory. It may also return a 403 Index Listing Forbidden. Usually this option is also configurable.”

    http://en.wikipedia.org/wiki/Webserver_directory_index

    #7432

    Bob
    Participant

    Understand now … Thank you again!

    Happy 4th,

    Bob

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.