The WP readme.html file is not .htaccess protected


    #8676
    silas88
    Participant

    I just noticed that for some reason I get “The WP readme.html file is not .htaccess protected” in my BPS Security Status Screen even though I have this in my .htaccess:

    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    Order allow,deny
    Deny from all
    Allow from 11.222.333.44
    </FilesMatch>
    

    I don’t recall this being there before. Recent changes that I have made are that I am now using Autooptimize + WP Super Cache (with a preloaded cache) + Cloudflare. Autooptimize has html minify enabled.

    I only noticed this when I tried adding phpinfo.php to the above code so that I could keep that file in the directory and block others from accessing it. That didn’t work I was getting 403’s.

    Also, a separate, completely unrelated note: I also use WP DB Driver and my mysql driver is pdo_mysql, but the BPS System Info Screen shows “SQL Mode: Not Set”.

    #8682
    AITpro Admin
    Keymaster

    http://forum.ait-pro.com/forums/topic/read-me-first-free/

    The check for a valid BPS .htaccess file is done by looking for a couple of things in the .htaccess files. If you have added .htaccess code above…

    #   BULLETPROOF .49 >>>>>>> SECURE .HTACCESS

    …then this will cause the check to display this error: The WP readme.html file is not .htaccess protected. You would need to move your .htaccess code below the top BulletProof version check line of code.

    SQL Mode has nothing to do with pdo_mysql. If you are seeing pdo_mysql errors then look at these forum topic links below.

    http://forum.ait-pro.com/forums/topic/php-errors-unable-to-load-dynamic-library-pdo_mysql-so/

    http://forum.ait-pro.com/forums/topic/pqsql-so-error/

    #8684
    silas88
    Participant

    Hi AITpro,

    Thanks for responding so quickly.

    First, the pdo_mysql was only a side note. I thought as SQL mode was “not set” it might have been you weren’t checking for pdo. Otherwise I have no problems with pdo_mysql. You were quite correct – the readme problem was due to a couple of blank lines that I had introduced in a manual edit of my .htaccess. I never thought to look there for the cause of the problem. Thanks!

    I haven’t been able to figure out why I couldn’t allow my IP address to view phpinfo when I included it in that FilesMatch section. I think it may be due to my IP address appearing to come from Cloudflare’s servers (although the IP address in HTTP_X_FORWARDED_FOR is my correct address)…

    >>>>>>>>>>> 403 GET or Other Request Error Logged - 17 August 2013 - 18:42 <<<<<<<<<<<
    REMOTE_ADDR: 11.22.223.33 (my ip address)
    Host Name: 99.xx.xxx.xx.staticxxxxx.xxx.xx
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 11.22.223.33 (my ip address)
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /readme.html
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.2; rv:23.0) Gecko/20100101 Firefox/23.0
    #8686
    AITpro Admin
    Keymaster

    The SQL Mode check is a generic check and is not a security feature.

    http://stackoverflow.com/questions/5273726/how-to-change-sql-mode-at-runtime

    It is really not all that important to forbid external access to the readme.html file, so whether you choose to allow or not allow this, either way is ok.

    #8689
    silas88
    Participant

    OK, thanks for the info on SQL Mode.

    Re my other problem, it was all down to the fact that I was behind a proxy / CDN (Cloudflare).

    This worked for me:

    SetEnvIf X-FORWARDED-FOR 11.222.333.44 allow
    <FilesMatch "^(wp-config\.php|phpinfo\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    Order Deny,Allow
    Deny from All
    Allow from env=allow
    </FilesMatch>

    I had to change “Order” to Deny,Allow after reading this: http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order
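Why the Order change matters can be seen by modelling the Apache 2.2 mod_authz_host rules from the page the poster links to. The following is an added example written for this thread, not BPS code or anything from the original posts: it evaluates the first post's FilesMatch block (Order allow,deny, Deny from all, Allow from the owner's address) and the working block (Order Deny,Allow, Allow from env=allow) against the same requests. The addresses and the `allow` environment variable are the thread's own placeholders; the visitor address 203.0.113.9 is a constructed documentation address.

```python
"""Model of Apache 2.2 mod_authz_host ``Order`` evaluation (added example).

Added here to illustrate the thread; it is not BPS code. The evaluation
rules follow the Apache 2.2 documentation the poster links to. The IP
addresses and the ``allow`` environment variable are the thread's own
placeholders, not real hosts.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    remote_addr: str                       # what Apache sees as REMOTE_ADDR
    env: set = field(default_factory=set)  # variables a SetEnvIf line has set


def _matches(arg: str, req: Request) -> bool:
    """Does one argument of an Allow/Deny line match the request?

    Handles the forms used in the thread: ``all``, ``env=NAME``, a full
    IP address, and a dotted prefix such as ``11.222.333`` (Apache treats
    a partial address as a prefix match on the next dot boundary).
    """
    arg = arg.strip()
    if arg.lower() == "all":
        return True
    if arg.lower().startswith("env="):
        return arg[4:] in req.env
    if req.remote_addr == arg:
        return True
    return req.remote_addr.startswith(arg.rstrip(".") + ".")


def authz_host(order: str, allow: list, deny: list, req: Request) -> bool:
    """Return True if the request is served, False if it gets a 403."""
    allowed = any(_matches(a, req) for a in allow)
    denied = any(_matches(d, req) for d in deny)
    order = order.lower().replace(" ", "")
    if order == "allow,deny":
        # Allow lines first: at least one must match, then no Deny may
        # match. Nothing matching at all means denied. So "Deny from all"
        # here wins over every Allow line.
        return allowed and not denied
    if order == "deny,allow":
        # Deny lines first, but a matching Allow overrides the denial.
        # Nothing matching at all means allowed.
        return allowed or not denied
    raise ValueError("unsupported Order value: " + order)


# Constructed requests: the site owner once SetEnvIf has matched, the same
# owner when the header did not match (e.g. a direct, non-proxied request),
# and an unrelated visitor (TEST-NET-3 documentation address).
OWNER_WITH_ENV = Request("11.222.333.44", env={"allow"})
OWNER_NO_ENV = Request("11.222.333.44")
VISITOR = Request("203.0.113.9")


def first_post_config(req: Request) -> bool:
    """Order allow,deny / Deny from all / Allow from 11.222.333.44"""
    return authz_host("allow,deny", ["11.222.333.44"], ["all"], req)


def working_config(req: Request) -> bool:
    """Order Deny,Allow / Deny from All / Allow from env=allow"""
    return authz_host("deny,allow", ["env=allow"], ["all"], req)


if __name__ == "__main__":
    for name, cfg in (("first post", first_post_config), ("working", working_config)):
        print(f"{name:10s} owner+env={cfg(OWNER_WITH_ENV)} "
              f"owner={cfg(OWNER_NO_ENV)} visitor={cfg(VISITOR)}")
```

Run as written, the first post's block returns False for the owner's own address as well as for the visitor: under Order allow,deny a matching Deny from all is evaluated after the Allow and rejects the request, so that block would 403 the listed address even without a proxy in the path. The working block returns True only when the `allow` variable has been set, which is why the SetEnvIf line and the header it inspects become the whole access decision.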

    #8691
    silas88
    Participant

    I just figured out that I can reuse that variable later:

    
    # Protect wp-login.php from Brute Force Login Attacks based on IP Address
    # http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
    <FilesMatch "^(wp-login.php)">
    Order Allow,Deny
    Allow from mydomain.com 11.222.333.44 env=allow
    Allow from 11.222.333
    </FilesMatch>

    So I am feeling very smug now, so hopefully you won’t tell me that I have messed something up!

    #8693
    AITpro Admin
    Keymaster

    Nice solution! I think to be 100% code correct you are supposed to escape the dots. And I see that on the Apache site the examples they provide wrap SetEnvIf in double quotes and use the caret ^.

    SetEnvIf X-FORWARDED-FOR "^11\.222\.333\.44" allow
    #8705
    silas88
    Participant

    Yes, I was pleased with it but I missed the fact that it needs to be a regex.

    I did some more research and unfortunately it seems it is fairly simple to forge X-Forwarded-For so it can’t be used as a reliable method for authentication.

    I will go with SetEnvIF X-Forwarded-For "^11\.222\.333\.44$" – apparently there can be more than one address there and the client is the first one.

    I can use something similar with your code for wp-login brute force protection. I have other lines of defense against brute force so this is one extra.

    Also, I found this example in the Apache documentation which I figured could be used to prevent out of hours access to wp-login.

    RewriteEngine On
    RewriteCond %{TIME_HOUR} >20 [OR]
    RewriteCond %{TIME_HOUR} <07
    RewriteRule ^/fridge - [F]

    Tomorrow I need to check why my image hotlinking protection is not working. 🙁
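The forgeability the poster mentions comes down to who wrote each value in X-Forwarded-For. The following is an added example, not code from this thread or from BPS: it contrasts the "client is the first address" reading with taking only the address that a trusted proxy appended, walking the header from the right and ignoring it entirely when the TCP peer is not a known proxy. This is the same logic Apache 2.4's mod_remoteip applies when configured with RemoteIPHeader and RemoteIPTrustedProxy, and Cloudflare additionally sends the client address in its own CF-Connecting-IP header; the 198.51.100.0/24 range here is a constructed stand-in for a CDN's published address ranges, 192.0.2.44 stands in for the poster's placeholder address, and 203.0.113.9 is a constructed visitor.

```python
"""Deriving a client address from X-Forwarded-For without trusting a
client-supplied value (added example, not code from the thread or from BPS).

Addresses are constructed documentation ranges: 192.0.2.44 stands in for
the poster's own address, 198.51.100.0/24 for a CDN/proxy's published
address ranges, and 203.0.113.9 for an arbitrary visitor.
"""
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]  # constructed


def is_trusted_proxy(addr: str) -> bool:
    """True if addr belongs to one of the proxy ranges we have configured."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_first_hop(x_forwarded_for: str) -> str:
    """The 'client is the first address' reading: whatever the leftmost value is."""
    return x_forwarded_for.split(",")[0].strip()


def client_ip(remote_addr: str, x_forwarded_for: str = "") -> str:
    """Return the address a trusted proxy vouched for, else REMOTE_ADDR.

    If the TCP peer is not a trusted proxy the header is ignored, since the
    peer wrote it. Otherwise the header is read right to left: each trusted
    proxy in the chain appended the address it talked to, so the rightmost
    address that is not itself a trusted proxy is the real client. Anything
    left of that was supplied by the client and may be forged.
    """
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed value: fail closed to the peer address
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr  # header empty or only proxies: nothing vouched for


def owner_allowed(remote_addr: str, x_forwarded_for: str,
                  owner: str = "192.0.2.44") -> bool:
    """The allow-list decision the thread's SetEnvIf line is trying to make."""
    return client_ip(remote_addr, x_forwarded_for) == owner


if __name__ == "__main__":
    # Constructed request scenarios: (label, REMOTE_ADDR, X-Forwarded-For)
    cases = [
        ("direct, forged header", "203.0.113.9", "192.0.2.44"),
        ("via proxy, honest", "198.51.100.1", "192.0.2.44"),
        ("via proxy, forged prefix", "198.51.100.1", "192.0.2.44, 203.0.113.9"),
    ]
    for label, peer, xff in cases:
        print(f"{label:26s} first-hop={naive_first_hop(xff):12s} "
              f"trusted={client_ip(peer, xff):12s} owner={owner_allowed(peer, xff)}")
```

In the third scenario the visitor sent a header already containing the owner's address and the proxy appended the visitor's real one; the first-hop reading reports the owner, the right-to-left reading reports the visitor. A SetEnvIf line anchored with `^` and `$` on the whole header value rejects that particular shape, but it still accepts a direct connection that presents the header on its own, which is the first scenario.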

    #8707
    AITpro Admin
    Keymaster

    Everything can be forged/faked. 😉

    Got some HOT new HotLink Protection code here: http://forum.ait-pro.com/forums/topic/hotlink-protection-do-not-block-google-bing-or-yahoo/

    The “HOT” part is this HotLink Protection code does not mess with Google, Bing or Yahoo images, since you want them to index your images. 😉

    Yep, I have looked at the time based conditions before, but have not played around with them myself.

    #8718
    silas88
    Participant

    Thanks for the Hot Hotlink Protection code 🙂 Looks like some good improvements to the standard code.

    I tried to debug the basic hotlink protection code for a while but I am going to give it a break for now. I think I am running into the same kind of Referrer issues but I haven’t found a way to check the referrer apart from the error logs (it doesn’t show up in dev tools), but if I do have referrer issues there will be problems in lots of other places in htaccess (e.g. TIMTHUMB). 🙁

    I even tried #RewriteCond %{HTTP_REFERER} !^$ but my test images are still coming through. Now I figure that the Cloudflare proxies have it stored in cache so it could be pulled there also. Maybe I could disable the cache but that kind of defeats the whole purpose of Cloudflare.

    Having said that I don’t think I have any pictures that are worth stealing even for the bandwidth 🙂

    Here is where I got to with the other code sections I have been playing with:

    # DENY BROWSER ACCESS TO THESE FILES
    SetEnvIF X-Forwarded-For "^11\.222\.333\.44$" allow
    <FilesMatch "^(wp-config\.php|phpinfo\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    Order Deny,Allow
    Deny from All
    Allow from env=allow
    </FilesMatch>
    
    # IMPORTANT!!! DO NOT DELETE!!! the END WordPress text below
    # END WordPress
    
    # CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    # Modified Protect wp-login.php from Brute Force Login Attacks based on IP Address
    # http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
    <Files "wp-login.php">
    Order Allow,Deny
    Allow from mydomain.com 11.222.333.44 env=allow
    </Files>
    
    # define access times - note these are in the server's time zone
    # (RewriteRule is not valid inside a <Files> block, so this must sit outside it)
    RewriteEngine On
    RewriteCond %{TIME_HOUR} >23 [OR]
    RewriteCond %{TIME_HOUR} <08
    RewriteRule ^wp-login\.php$ - [F]
    
    # add below lines to /wp-admin/.htaccess
    SetEnvIF X-Forwarded-For "^11\.222\.333\.44$" allow
    order deny,allow
    deny from all
    allow from env=allow

    I haven’t tested the TIME_HOUR section yet.

    And finally I realized I needed to include the Bing & Google webmaster id files in my www rewrite…

    You might find this article interesting http://www.serverwatch.com/tutorials/article.php/1132731/Keeping-Your-Images-from-Adorning—Other-Sites.htm – it has some interesting snippets on logging.

    That’s enough of htaccess for me for a while. 🙂

    #19716
    John
    Participant

    [Topic has been merged into this relevant Topic]

    Sorry if it’s a repeated question, but I didn’t understand, so please help:

    1) I was able to see readme.html in browser even though I have following in .htaccess:

    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    Order Allow,Deny
    Deny from all
    #Allow from 88.77.66.55
    </FilesMatch>

    WHY IS THAT?

    2) I also want to add license.txt inside the above code or as follows (how do I do it?):

    <files license.txt>
    order allow,deny 
    deny from all
    </files>
    #19721
    AITpro Admin
    Keymaster