htaccess Files for Multiple Website Domains – hierarchy, structure, relationship


This topic contains 4 replies, has 3 voices, and was last updated by  AITpro Admin 3 years, 6 months ago.

  • #17843

    AITpro Admin
    Keymaster

    .htaccess files are hierarchical/recursive, which means that the .htaccess file in the hosting account root folder will apply its security rules to all subfolders below this folder, unless the subfolder or subfolders have their own .htaccess files. If they have their own .htaccess files then those subfolders will follow the security rules in their own .htaccess files and not the .htaccess rules in the hosting account root folder (see Note below).  The best Site Security Architecture/Design technique is to compartmentalize your security by installing each of your websites in its own separate folder (on some hosts that is not possible and you have to have a root website installation) so that 1 website’s .htaccess file does not affect another site’s .htaccess file.  This allows you to create separate and unique security rules per site.

    Note:  Some .htaccess directives/code will still be applied to subfolder/subdirectory/Addon/child sites (child folders below the hosting account root folder) if an .htaccess file exists in a hosting account root folder (parent folder).  Example:  If you turn off Security Logging in a subfolder or subdomain site, but have a root website in the hosting account root folder and have Security Logging turned on in the root website then the htaccess ErrorDocument directive from the hosting account root htaccess file will be applied to the subfolder / subdomain site and Security Logging will still occur on a subfolder/subdomain website.  If each site was compartmentalized in its own folder then that would not occur since a parent/child folder relationship would not exist.  If Security Logging is turned on on both the root site and the subfolder/subdomain site then the subfolder/subdomain site is actually using/following the rules/code in its own .htaccess file and not the root website’s htaccess file.

    Example:
    Let’s say that you are using this Brute Force Login attack protection code in your root website’s htaccess file that is located in your hosting account root folder and you do not have any wp-login.php htaccess code/rules in a subfolder site’s htaccess file.  This root .htaccess file code/rules will be applied to that subfolder site’s Login page since the subfolder site is a child folder of the parent site folder in this particular type of folder/hierarchical relationship.  Both the root site and the subfolder site would use/follow this code/rule.

    # Protect wp-login.php from Brute Force Login Attacks based on IP Address
    <FilesMatch "^(wp-login\.php)">
    Order Allow,Deny
    # Add your website domain name
    Allow from example.com
    # Add your website/Server IP Address
    Allow from 69.200.95.1
    # Add your Public IP Address using 2 or 3 octets so that if/when
    # your IP address changes it will still be in your subnet range. If you
    # have a static IP address then use all 4 octets.
    # Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
    Allow from 65.100.50.
    </FilesMatch>

    So let’s now say that you want Brute Force Login protection on the root website, but do not want Brute Force Login protection on the subfolder site. This is how you would achieve that. In your subfolder site’s .htaccess file you would add the .htaccess code below, which says allow everyone access to your subfolder site’s wp-login.php Login page. The subfolder/child site will follow its own wp-login.php htaccess rule instead of following the root/parent site’s wp-login.php htaccess rule.

    <FilesMatch "^(wp-login\.php)">
    Order Allow,Deny
    Allow from all
    </FilesMatch>

    Visual Structural Example:
    This example shows the hierarchy of several websites installed in folders under a hosting account. Each folder contains a website / is the folder where a website is installed. This example shows the relationship of parent/child folders/websites and how htaccess files/rules will be applied from parent to child folders/websites. The htaccess ErrorDocument directive is an htaccess redirect directive used to redirect errors based on their HTTP Status Response code (the ErrorDocument directive effect/impact on all sites is explained in the Summary).

    Note:  Child folder .htaccess files at the same folder structure level do not affect each other.  Example:  The /affiliates/ and /aitpro-blog/ folders/websites are at the same folder structure level.  Their relationship to each other is NOT parent >>> child.

    Folders (not URLs):
    /.htaccess – root .htaccess file (ie /public_html/.htaccess) is a parent htaccess file in the Document root folder of the hosting account.
    /api/
    /affiliates/
    /aitpro-blog/
    /exampleA.com/
    /exampleB.com/
    /forum/private/
    /wordpress-testing-website/

    Root .htaccess file in the Document Root folder of the hosting account:
    Note: See this Forum Topic link for where and how to add RewriteRule custom code to BPS Custom Code:  http://forum.ait-pro.com/forums/topic/custom-applications-outside-of-wordpress-3rd-party-apps/#post-13664

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # Do not apply rules to other child websites &
    # do not log errors for these child sites
    RewriteRule ^api/ - [L]
    RewriteRule ^affiliates/ - [L]
    RewriteRule ^aitpro-blog/ - [L]
    RewriteRule ^exampleA.com/ - [L]
    RewriteRule ^exampleB.com/ - [L]
    RewriteRule ^forum/ - [L]
    RewriteRule ^wordpress-testing-website/ - [L]

    The root website’s htaccess file will not apply the ErrorDocument directive htaccess code/rules to any of these folders/websites since the RewriteRules will rewrite directly to these URIs instead of continuing to be processed by this root htaccess file/code/rules. In other words, this is a form of a skip/bypass rule for folders/websites of sorts.

    The /forum/ folder/website has a subfolder website that is in a subfolder of the /forum/ folder – /forum/private/. The root .htaccess file in the root of this hosting account / the Document Root folder is not applying its rules to the /forum/ folder. The /forum/ website will use a RewriteRule for the /private/ folder so that rules from the /forum/.htaccess file are not applied to the /private/ folder/website.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # Do not apply rules to other child websites &
    # do not log errors for these child sites
    RewriteRule ^private/ - [L]

    Summary: The root website in the hosting account root folder will not apply the ErrorDocument rules to the /forum/ site and the /forum/ site will not apply the ErrorDocument rules to the /private/ site. What this means is that each site is now independently controlling the ErrorDocument directive/rule for that site, which means each site is controlling its own Security Logging. If you did not create RewriteRules like this then the hierarchical nature of htaccess files would apply the root website’s ErrorDocument rule to all child sites meaning even if Security Logging was turned off on a child site then Security Logging would still occur since the parent htaccess file in the root website would be applying the ErrorDocument directive rule to all child websites.
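    The parent/child .htaccess behaviour described in this post, modelled as an added example (not code from the forum post or from BPS Pro): the resolver walks the per-directory .htaccess chain from the Document Root down to the requested file, lets the deepest file that defines a wp-login.php FilesMatch block win, and then evaluates a client IP against that block’s Allow list under Order Allow,Deny. The folder layout and Allow entries are constructed from the post’s Visual Structural Example; hostname-based Allow entries and the RewriteRule bypass are not modelled.

```python
"""Added example: simplified model of Apache per-directory .htaccess merging for
the wp-login.php <FilesMatch> access block. Constructed data, not a real host."""
from ipaddress import ip_address

# Constructed hosting-account layout: folder -> Allow list of its wp-login.php
# FilesMatch block, or None when that .htaccess has no such block.
# Folders absent from the dict have no .htaccess file at all (e.g. /affiliates).
HTACCESS = {
    "/": ["69.200.95.1", "65.100.50."],   # root site: brute-force login protection
    "/aitpro-blog": ["all"],               # child site opts out with "Allow from all"
    "/exampleA.com": None,                 # own .htaccess, but no wp-login.php rule
    "/forum": ["69.200.95.1"],             # subdomain site with its own rule
    "/forum/private": None,                # grandchild: inherits from /forum, not from /
}

def htaccess_chain(uri):
    """Folders with an .htaccess that Apache consults for `uri`, shallowest first."""
    parts = [p for p in uri.rsplit("/", 1)[0].split("/") if p]
    dirs = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    return [d for d in dirs if d in HTACCESS]

def effective_login_policy(uri):
    """Deepest .htaccess defining the wp-login.php block wins; sibling folders
    never appear in each other's chain, so they cannot affect each other."""
    winner = (None, None)
    for folder in htaccess_chain(uri):
        if HTACCESS[folder] is not None:
            winner = (folder, HTACCESS[folder])
    return winner

def ip_matches(rule, client_ip):
    """'all', an exact address, or a partial-octet prefix such as '65.100.50.'."""
    if rule == "all":
        return True
    if rule.endswith("."):
        return client_ip.startswith(rule)
    return ip_address(rule) == ip_address(client_ip)

def login_allowed(uri, client_ip):
    """Order Allow,Deny with no Deny lines: the request is allowed only if some
    Allow entry matches; with no wp-login.php block anywhere, nothing restricts it."""
    _folder, allow = effective_login_policy(uri)
    if allow is None:
        return True
    return any(ip_matches(rule, client_ip) for rule in allow)
```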

    #28279

    dtyler1
    Participant

    [Topic has been merged into this relevant Topic]
    Another post mentions that if BPS Pro is installed on a domain in the root then all other domains below the root must have their own .htaccess file.  My host requires primary domains to be installed (automatically) in the root, so I cannot assign the domain to its own folder and will have to install an .htaccess file for all the other non-root domains.

    Would you describe in detail how this is done, and how do I install BPS Pro in non-primary domains?

    #28291

    AITpro Admin
    Keymaster

    Note: email response was replied to already regarding this question.

    #28790

    Zsolt Edelényi
    Participant

    [Topic has been merged into this relevant Topic]
    I have subdomains, and the folder of a subdomain is located in the main domain’s folder. Like this:
    root/main-domain/subdomain/
    1. Is it possible to have only one BPS PRO on the main domain, which controls the subdomains?
    OR
    2. Install BPS Pro on each subdomain, and exclude somehow subdomains?
    Is this understandable? Is there any other solution?

    #28793

    AITpro Admin
    Keymaster

    @ Zsolt Edelenyi – Please read the beginning of this forum topic to get a general idea about htaccess code/files for multiple websites under a hosting account.  A subdomain site is not the same as a subfolder site.  This forum site is a subdomain site. The WordPress installation for the forum site is in a folder named:  /forum/ in the root hosting account folder and a DNS CNAME record (or A record can be used for subdomain sites) has been created that points to this site:  forum.ait-pro.com.  The AITpro Blog site is a subfolder site.  The WordPress installation folder for the AITpro Blog site is in a folder named:  /aitpro-blog/ in the root hosting account folder. The URL is:  ait-pro.com/aitpro-blog/.

    1. Yes, that is possible, but that is a bad site structure/design to use.  Each website should have its own htaccess files in order to better control security specifically for each site individually.

    2. See the help information at the beginning of this forum topic.

