htaccess Image File Protection – FilesMatch


This topic contains 25 replies, has 2 voices, and was last updated by  Amel 6 years, 8 months ago.

Viewing 15 posts - 1 through 15 (of 26 total)
    #1879

    Amel
    Participant

    Hello,
    I have a question regarding the pictures and files in the following location: wp-content/uploads/ ….
    I know that we cannot display the content of these folders, for example if we use the following link:
    http://mywebsite.com/wp-content/uploads/2013 then nothing will be displayed as we will receive the message:
    Forbidden You don’t have permission to access /wp-content/uploads/ on this server.
    But if we know the file or picture name, for example: http://mywebsite.com/wp-content/uploads/2013/some_image.png
    then the picture will be loaded without any problems..
    So my question is, can Google crawl the files and pictures inside the folder “Uploads” and display them to the world?
    Or is it only possible to display them IF we know the file or picture name…?
     
    Thank you
    Best regards
    Amel

    #1881

    AITpro Admin
    Keymaster

    Google follows/crawls links/URLs to find image files, posts or pages.  When you create links/URLs to image files the full link/URL is the entire path to that image file including the actual image file name.  If you created a “bad” link/URL by accident, such as mywebsite.com/wp-content/uploads/2013 then Google will not find an image file at that location because the URL is not pointing to any image file.

    But let’s say for example your intention is to have images indexed and added to Google Images and you do not have any links pointing to them.  What you would do is create another folder under your website root folder / Document Root folder and create an index of those images.  Then you would only need to create one link to that index in order to have all of you image files crawled, indexed and added to Google Images.

    #1885

    Amel
    Participant

    Thank You for the quick response, I understand what You mean.
    But I am in this situation, I have a script or better said a plugin that protects the contents in the posts and pages, for example:
    [protected content group=private]
    all content inside the private group will only be displayed to the members of this group
    [protected content group/]
    however, the protected content will also contain the pictures which are taken from the media library, using the link as below:
    http://mywebsite.com/wp-content/uploads/2013/mypicture.png
    Then Google will not be able to see the content of this post and they will not be able to see the link itself either
    because it’s located within protected code..
    so my question was, can Google crawl the picture via this link: http://mywebsite.com/wp-content/uploads/2013/mypicture.png
    can we protect it via BPS using htaccess perhaps? hmm not sure because we cannot add an htaccess file like this:
    Order deny,allow
    Deny from all
    this one will deny file access to everyone..
     

    #1886

    AITpro Admin
    Keymaster

    Yes, if you have a members only / private area of your site that is restricted then Google will not be able to crawl that area.

    Yes, you can protect/block access to individual image files with the Uploads Anti-Exploit Guard .htaccess file.

    You would need to create a new additional FilesMatch section of code in your UAEG .htaccess file like this below and add your image file names and your actual domain name in place of example.com.

    http://forum.ait-pro.com/forums/topic/images-protection/page/2/#post-1934

    [code removed - it did not work - see link above for working code]

    #1887

    Amel
    Participant

    ok, that’s what I thought..
    nice example, You should perhaps add this in BPS so we have an htaccess file of the content You wrote above and place that file in
    this location: wp-content/uploads
    But is it possible to match any, or better said all, of the files and folders within the “uploads” folder, so we do not need to specify images
    or files one by one?
    reconfigure this line:

    <FilesMatch "(ImageFileName1\.png|ImageFileName2\.png)$">

    in this case we do not bother which files and folders we have in the media library as all of the files and folders will be only allowed
    to load from certain domain …

    #1888

    AITpro Admin
    Keymaster

    Yep I will add it as commented out example code, but most folks want the exact reverse thing and want their images files to be crawled and indexed. 😉

    If you do not want any image files to be viewable / allowed from any other domain than yours then you would add this new code to your UAEG .htaccess file.  DO NOT try and add these file extensions to the existing FilesMatch code that protects against dangerous file extensions.  The code says to not allow any dangerous file extensions PERIOD, whether it is your domain or not.

    http://forum.ait-pro.com/forums/topic/images-protection/page/2/#post-1934

    [code removed - it did not work - see link above for working code]

    #1889

    Amel
    Participant

    thank You, You’re the king of the htaccess files no doubt about that 🙂

    http://forum.ait-pro.com/forums/topic/images-protection/page/2/#post-1934

    [code removed - it did not work - see link above for working code]

    using this method I can deny Google crawling of the files and images because I will use the protected content in the posts as below:

    [protected content group=private]
    all content inside the private group will only be displayed to the members of this group the image from media library http://mywebsite.com/wp-content/uploads/2013/image1.png
    [protected content group/]

    then as You can see, Google will NOT be able to read this image link so this is ok, then their indexer engine will look at what’s in this folder: http://mywebsite.com/wp-content/uploads/2013/ and they will probably find a lot of pictures which are not useful for them as they can only be opened from my domain … right?

    #1891

    AITpro Admin
    Keymaster

    Google or any other domain will get a 403 Forbidden Error if they somehow follow a link to an image file that is forbidden by the FilesMatch code.

    #1894

    Amel
    Participant

    nice :):) the real reason why I will do this is the screenshot pictures which show the real IP addresses, customer names etc…
    instead of editing 1000’s of screenshots it’s much easier to prevent Google and others from direct-linking these pictures, and
    in addition to this protection I use the group protection on the posts where these screenshots are located… only certain users
    will have access to them …
    Thank You very much for helping !!

    #1905

    Amel
    Participant

    You wrote these two examples above for the htaccess file to protect the images and files from Google crawling and from loading from domains other than the one specified in the htaccess file. The first htaccess file example allows us to manually select which images/files will be protected from Google crawling and from loading from external domains. The second htaccess file example allows us to lock down the entire wp-content/uploads. So for the installation of this htaccess file, I assume it’s enough to just upload the htaccess file to this location: wp-content/uploads ?
    In this case what happens if WP creates a new directory, for example: wp-content/uploads/2013/02, will this htaccess file located in
    wp-content/uploads protect these sub-directories as well?

    before uploading this htaccess file, do I need to turn off ARQ, then upload the htaccess file, then take a backup in BPS, then turn ARQ back on after it’s backed up? Are these the right steps for the installation? I need to know this in order to not mess up the BPS installation
    Thank You !

    #1916

    Amel
    Participant

    Oh, I see for the installation purpose, we already have an htaccess file from BPS in the location: wp-content/uploads so I assume it’s enough to just modify this one and add the code You wrote above….

    BTW, I will keep in mind about this You wrote above:
    DO NOT try and add these file extensions to the existing FilesMatch code that protects against dangerous file extensions.  The code says to not allow any dangerous file extensions PERIOD whether or not it is your domain or not.

    But when I add this code to the htaccess file, which line do I have to locate in the current htaccess file to add the code You wrote above?

    #1919

    Amel
    Participant

    just tried to add the htaccess code you wrote above to the htaccess file located in wp-content/uploads and I was “locked” out, I was not able to display the picture even from my own domain .. not sure why? the code works as it locked me out 🙂

    #1922

    AITpro Admin
    Keymaster

    Yep, then just change the example domain name I used: example.com to your actual domain name.

    I thought of something even simpler that you could do instead and this would also work for anyone else who does not want good bots / search engines to index their uploads image files.

    You would add this code to your Theme’s functions.php file. Add the names of the folders you do not want Google to index (you can also add “virtual folder paths”: folders that do not really exist and that WordPress is rewriting).

    // WordPress Virtual robots.txt additions
    // $output is the robots.txt text WordPress has built so far; $public is the
    // "Search Engine Visibility" setting (1 = site is public). Append a rule per folder.
    add_filter( 'robots_txt', 'v_robots', 10, 2 );

    function v_robots( $output, $public ) {
        $output .= "Disallow: /uploads/" . "\n";
        return $output;
    }

    #1923

    Amel
    Participant

    I changed the example.com to my actual domain name, yes I remembered that …
    hm, someone told me once that robots.txt is not a secure option as it’s a text file and can be hacked and its content can be changed…
    Therefore I would like to make it work with an htaccess file….

    Thank You very much for quick responses !!

    #1924

    AITpro Admin
    Keymaster

    Here are the “Order” rules.

    # *Match* -------------------- *Allow,Deny result* -------------------- *Deny,Allow result*
    # Match Allow only ----------- Request allowed ------------------------ Request allowed
    # Match Deny only ------------ Request denied ------------------------- Request denied
    # No match ------------------- Default to second directive: Denied ---- Default to second directive: Allowed
    # Match both Allow & Deny ---- Final match controls: Denied ----------- Final match controls: Allowed

    So maybe you need to use the Google domain name explicitly or maybe you need to reverse the “Order” condition.

    http://forum.ait-pro.com/forums/topic/images-protection/page/2/#post-1934

    [code removed - it did not work - see link above for working code]

    Regarding using a robots.txt file or virtual robots code.  Good bots follow the rules in a robots.txt file.  Bad bots do whatever they want and will ignore a robots.txt file.
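An added example (not BPS code or the code from the linked post) of the FilesMatch rule discussed in this thread, written against the Deny,Allow row of the "Order" table above so that image files under wp-content/uploads are served only when the Referer header names the site; example.com is a placeholder for the real domain, and the Apache 2.2 directive names are assumed (Apache 2.4 needs mod_access_compat for Order/Allow/Deny).

```apache
# Added example, not BPS's own .htaccess code. Place in wp-content/uploads/.htaccess.
# example.com is a placeholder for the real domain name.
<IfModule mod_setenvif.c>
  # Flag requests whose Referer is a page on this site. The Referer is sent by
  # the client, so this deters hotlinking and crawling; it is not authentication.
  SetEnvIf Referer "^https?://(www\.)?example\.com/" local_ref=1
</IfModule>

<FilesMatch "\.(png|jpe?g|gif)$">
  # Deny,Allow: deny everything first, then re-allow only flagged requests.
  # Both directives match a flagged request and the final match (Allow) wins,
  # so it is served; an unflagged request matches only Deny and gets 403.
  Order Deny,Allow
  Deny from all
  Allow from env=local_ref
</FilesMatch>
```

With Order Allow,Deny instead, a flagged request still matches both lines but the final match is now Deny, so every request, your own domain included, gets 403 Forbidden. A request with no Referer at all, such as a crawler fetching the image URL directly, never sets local_ref and is denied under either order.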
