Chinaunix首页 | 论坛 | 博客
  • 博客访问: 592377
  • 博文数量: 207
  • 博客积分: 10128
  • 博客等级: 上将
  • 技术积分: 2440
  • 用 户 组: 普通用户
  • 注册时间: 2004-10-10 21:40
文章分类

全部博文(207)

文章存档

2009年(200)

2008年(7)

我的朋友

分类: 系统运维

2009-05-04 12:26:42

The .htaccess file allows you to easily improve your blog’s security, reduce bandwith and increase usability. In this post we’re going to look at 26 .htaccess hacks, from A to Z. If you enjoy this post then please grab the

Remember the golden rule:

Always have a backup!

A - WP- Admin

Your can restrict access to wp-admin by IP:

1.order deny,allow
2.allow from a.b.c.d # This is your static IP
3.deny from all

Source - BlogSecurity.net

B - Blacklist

One of the most important things you can do with .htaccess is blacklist IP addresses. You can do so with the following code:

1.<Limit GET POST PUT>
2. order allow,deny
3. allow from all
4. deny from 123.456.789
5.LIMIT>

Source -

C - WP-Config Protection

Your wp-config file contains your database name, your database username and your database password. In other words, you’ll want to keep it secure.

1.# protect wpconfig.phpcode>
2.<files wp-config.php>
3.order allow,deny
4.deny from all
5.files>

Source - Josiah Cole

D - Disable Directory Browsing


1.# disable directory browsingem>
2.<em>Options All -Indexes

Source- Josiah Cole

E - Explanation

I bet if I asked you to explain exactly what .htaccess is, you’d struggle to tell me exactly. To be honest, until I wrote this, I wasn’t totally sure. Wikipedia explains in a nice, jargon free way:

.htaccess ( access) is the default name of -level that allow for decentralized management of configuration when placed inside the web tree.

The Wikipedia article then goes on, with some examples of common usage:

,
.htaccess files are often used to specify the security restrictions for the particular directory, hence the filename “access.” The .htaccess file is often accompanied by a file which stores valid and their .
Changing the page that is shown when a server-side error occurs, for example
Servers often use .htaccess to rewrite long, overly comprehensive URLs to shorter and more memorable ones.
.htaccess files allow a server to control used by to reduce usage, load, and perceived .

F - Feedburner

Feedburner is a blogger’s best friend. Trouble is, directing your feed to it is a bit of a pain. The solution: a .htaccess hack of course!

1.# temp redirect WordPress content feeds to feedburner
2.<IfModule mod_rewrite.c>
3. RewriteEngine on
4. RewriteCond %{HTTP_USER_AGENT} !FeedBurner    [NC]
5. RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
6. RewriteRule ^feed/?([_0-9a-z-]+)?/?$ [R=302,NC,L]
7.IfModule>

Source -

G - Get an RSS Feed on a static page

This is quite complicated, so check out the source below. In a nutshell it is a way of getting round using Javascript (because it doesn’t do the SEO any good).

Source - adityaspeaks.com

H - Disable hotlinking

Hotlinking. According to , also known as “leeching, piggy-backing, direct linking, offsite image grabs and bandwidth theft”. In other words it is using an image from another site. If people do it to you, it’ll use up your bandwith. You can stop it with the .htaccess hack below.

1.#disable hotlinking of images with forbidden or custom image option
2.RewriteEngine on
3.RewriteCond %{HTTP_REFERER} !^$
4.RewriteCond %{HTTP_REFERER} !^(www\.)?yourdomain.com/.*$ [NC]
5.#RewriteRule \.(gif|jpg)$ - [F]
6.RewriteRule \.(gif|jpg)$ [R,L]

Source - Josiah Cole

I - Important!

Yeah, ok, I got a bit desperate trying to find something that begins with ‘I’ :P. But, that doesn’t mean this isn’t useful; it’s very important!

Backup. Always, always make sure you have a backup to hand; the slightest mistake will be fatal.

J - Jauntily show the admin’s email address in error message

If something goes wrong it is always helpful for visitors to have an email they can contact. You can display

K - Keep RSS ‘content thieves’ away

It isn’t nice when people steal your content. One of the ways ‘content thieves’ scrape content from sites is by simply using your RSS feed. If you’ve got the scraper’s IP address (which is very easy to do; Google it) then you can use your .htaccess file to block the scraper. The code below redirects a site taking your feed back to another feed (ie their feed). Replace the IP on line two with the offending site’s and the feed on line three with the offending site’s feed.

1.RewriteEngine on
2. RewriteCond %{REMOTE_ADDR} ^69.16.226.12
3. RewriteRule ^(.*)$

Source -

L - Limiting number of simultaneous connections

To limit the number of simultaneous connections to a directory or your entire site, use the below line. If you place it in a directory other than the root directory, then it will limit the connections to that directory and its sub-directories only. Placing it in htaccess file of root directory will implement it for entire site.

1.MaxClients < number-of-connections>

Source - Pix.l|ne

S -  Stop spam!

You block spammers, everyone or just yourself using the code below. See ‘N’ for another spam-stopping technique.

1.Order allow,deny
2. Deny from < incoming -address >
3. Allow from < incoming -address>

Source - pix.l|ne

M - Maintenance

It doesn’t matter what the reason is, at some point in your life you’ll probably want to make maintenance page. Replace “/maintenance.html” with whatever the url of your maintenance page is and put your own IP address on line three.

1.RewriteEngine on
2.RewriteCond %{REQUEST_URI} !/maintenance.html$
3.RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
4.RewriteRule $ /maintenance.html [R=302,L]

Source - CatsWhoCode/Woueb.net

N - Deny no referer requests [stop spam comments!]

Slightly simpler than the spam-stopping solution under ‘S’, what this hack does is utilise the fact that most spammes use bots coming from ‘nowhere’. The hack checks to see where a comment is coming from, and if it is coming from ‘nowhere’ then it blocks it. Simple.

1.RewriteEngine On
2.RewriteCond %{REQUEST_METHOD} POST
3.RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
4.RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
5.RewriteCond %{HTTP_USER_AGENT} ^$
6.RewriteRule (.*) ^{REMOTE_ADDR}/$ [R=301,L]

Source -

O - Force files when opening to ’save as’

If you’re offering files for download then the hack below will be very useful - it forces files to save as instead of opening or streaming.

1.AddTypespan> application/octet-stream .avi .mpg .mov .pdf .xls .mp4

Source -

P - Protect your .htaccess file.

After you’ve spent all that time protecting your blog from .htaccess attack, the last thing you want to do is leave your .htaccess file itself open to attack!The hack below prevents external access to any file with .hta (or any case insensitive variation). Place the code below in your domain’s root .htaccess file.

1.# STRONG HTACCESS PROTECTIONcode>
2.<Files ~ "^.*\.([Hh][Tt][Aa])">
3.order allow,deny
4.deny from all
5.satisfy all
6.Files>

Source: Perishable Press

Q - Quicken your site’s loading time by caching

If you’re paying for what bandwith you use, this article can save you cash!

Source -

R - Redirect to other pages on your site

1.RedirectMatch 301 ^/blog/.*$

Source -

S - Spam!

.htaccess is great for stopping comment spam, and Jeff over at Perishable Press has put together a huge blacklist you can copy and paste that should stop you getting so much spam! .

T - Set the timezone of the server

The hack below lets you set the timezone of the server:

1.SetEnvspan> TZ America/Indianapolis

Source -

U - Remove /category/ from your category URL

Having /category/ in a category URL seems a bit useless. How do I get rid of it, I hear you cry! A .htaccess hack, of course!

1.RedirectMatch 301 ^/category/(.+)$ $1
2.# OR
3.RewriteRule ^category/(.+)$ $1 [R=301,L]

Source:

V - Valiantly automatically fix URL spelling mistakes

Yep. I got desperate. Well what .htaccess trick can you think of that starts with ‘v’?

This neat trick will auto-correct simple URL spelling mistakes

1.<IfModule mod_speling.c>
2. CheckSpelling On
3. IfModule>

Source -

W - Redirect from http://hatever to

Using a 301 (permanent) redirect, you can move all visitors to to

1.# permanently redirect from www domain to non-www domain
2.RewriteEngine on
3.Options +FollowSymLinks
4.RewriteCond %{HTTP_HOST} ^www\.domain\.tld$ [NC]
5.RewriteRule ^(.*)$ $1 [R=301,L]

Source:

X - Make your wp-login.php page xenophobic

Xenophobic: “an intense fear or dislike of forigners or strangers”

I think it is quite appropriate to call your wp-login page xenophobic if you install this hack; it won’t let anyone access it apart from yourself!

1.<Files wp-login.php>
2. Order deny,allow
3. Deny from All
4. Allow from 123.456.789.0
5. Files>

Source -

Y - Easily rename your .htaccess file

What do you do if your server doesn’t like the .htaccess file format? Rename the .htaccess file! You can rename it to whatever you like, using the code below:

1.# rename htaccess filescode>
2. <code>AccessFileName ht.access

Source -

Z - Say zygote in your .htaccess file

So you want to be able to put the word ‘zygote’ in your .htaccess file? You’ll be needing to make a comment. Comments are really easy to do, just use # at the beginning of a line, which tells the server to ignore the line.

1.# see - this is a comment - you can only use letters and numbers and - and _ That is why there are no commas
阅读(2701) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~