Continuing from my last post on using mod_rewrite to block certain actions against a WordPress blog, this brief article describes how to block PHP script execution from directories where such scripts are not expected to exist.
Note that this is needed only on a platform that does not allow full system-level access by the WordPress admin/maintainer. The blog I am dealing with in this example is not mine and I do not have full access to that system. While waiting on the proper system admin for that particular blog, I have made temporary stop-gap changes to block things I don’t like using only .htaccess and mod_rewrite rules. Had I full system admin access I would implement much more elegant protections. Alas, many WordPress blogs are on similar platforms, so this may be useful to stop bad behavior between patches and proper system administration.
Problem: Executable PHP scripts in illegitimate locations
I found a hacker-friendly PHP script in {DOCUMENT_ROOT}/wp-admin/css/(unknown).php. That a file beneath the wp-admin directory can be accessed and executed by anonymous users is baffling to me as a (currently burned out) web application developer, but I’m not trying to second guess the architecture of the WordPress platform itself. In any event, I definitely want to prevent:
- Unauthorized file uploads to sensitive directories
- Execution of scripts in unexpected locations
Since I’m not the system admin of the system on which this particular blog resides, my ability to limit file uploads is limited. But, using .htaccess and mod_rewrite, I can prevent script access and execution in locations where I don’t believe there should be such activity.
With this in mind, I set out to stop PHP execution and access of anything other than a CSS file (regex: /^.*\.css$/) in the particular directory where the aforementioned hacker-friendly script existed. I will use two techniques to accomplish this:
- Turn off PHP for this directory and any subdirectories
- Disallow access to anything other than a CSS file
I only expect CSS files to be accessed from this directory — and in case someone tries to embed PHP within a CSS file I’m disabling the PHP engine itself from within this directory, thus rendering PHP script as a plain text file (usually a Bad Thing™) and therefore harmless. I added the following .htaccess file to {DOCUMENT_ROOT}/wp-admin/css:
<IfModule mod_php4.c>
php_flag engine off
</IfModule>
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
AddDefaultCharset UTF-8
RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$
RewriteRule ^(.*)$ / [R=301,NC,L]
</IfModule>
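The same two-layer idea in a more handler-independent form, added here as an example that is not the file from the original post. It assumes the same directory ({DOCUMENT_ROOT}/wp-admin/css) and the same allowed extension (.css); for wp-admin/images or wp-admin/js you would swap the extension in the RewriteCond. Three things differ from the file above: the engine-off directive is repeated for the module names used by PHP 7 and PHP 8 (mod_php7.c and mod_php.c); a FilesMatch block refuses PHP files outright, which is what protects you when PHP runs as CGI/FastCGI/PHP-FPM, where no mod_php module is loaded and php_flag is silently skipped; and the [NC] flag sits on the RewriteCond, where case-insensitivity actually matters, rather than on a RewriteRule whose pattern matches everything anyway.

```apacheconf
# Added example for {DOCUMENT_ROOT}/wp-admin/css/.htaccess (assumed path, not the post's own file).

# Layer 1: switch the PHP engine off when PHP runs as an Apache module.
# php_flag only takes effect under mod_php; with CGI/FastCGI/PHP-FPM none of these
# IfModule blocks is entered, so layer 2 must do the work on such hosts.
<IfModule mod_php4.c>
    php_flag engine off
</IfModule>
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Layer 2: refuse to serve PHP-looking files at all, whatever handler is configured.
# The extension list (.php, .php5, .phtml, .phar) is an assumption; extend as needed.
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 authorization syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 authorization syntax
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# Layer 3: anything that is not a .css file is sent back to the site root.
# [NC] on the RewriteCond keeps STYLE.CSS allowed; the rule pattern "^" matches
# every request, so the condition alone decides.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !\.css$ [NC]
    RewriteRule ^ / [R=301,L]
</IfModule>
```

One trade-off to be aware of: Apache runs access control before it evaluates per-directory RewriteRules, so a request for a .php name in this directory is answered with a 403 by the FilesMatch block instead of the silent redirect the original file produces. If the quiet response matters more to you than independence from the PHP handler, drop layer 2 and keep only the engine-off directives and the rewrite.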
Once again, please direct comments to this post or to me directly: rjamestaylor {at} gmail {dot} com.
By the way, the hacker-friendly script I found is the same one found using this Google search.

That’s a good solution to the problem, but the much greater problem of them being capable of modifying your web root is that it allows them to overwrite the .htaccess file preventing their script from executing. If they were able to place that file in there, is there truly a way to prevent them from overriding any security measures otherwise implemented?
Graham
Excellent point — and one that is not easily solvable without full system administration privileges. If an attacker can write to the file system, all bets are off with regard to .htaccess protections, eh? Thus, this is a stop-gap. Also note, I do not use “taunting” responses in my blocking, only benign, silent responses that will be less obvious to an attacker. Hopefully the script-kiddies won’t figure out that their script is failing because of simple .htaccess entries — at least not until I can get with the actual system admin for the site in question.
With those limitations, what would you suggest doing to improve this technique?
For good measure I added similar .htaccess files to wp-admin/images and wp-admin/js, changing only the expected files:
For wp-admin/images/.htaccess, I used this regex:
For wp-admin/js/.htaccess, I used this regex: