[wp-trac] [WordPress Trac] #36177: default htaccess should include security measures

WordPress Trac noreply at wordpress.org
Wed Mar 9 08:43:11 UTC 2016

#36177: default htaccess should include security measures
 Reporter:  lelutin      |      Owner:
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Security     |    Version:
 Severity:  normal       |   Keywords:
  Focuses:               |
 WordPress has some code that automatically creates a .htaccess file for
 users. This file however includes no security measures whatsoever, meaning
 that users who do not tighten security by themselves are left with an
 install that allows uploading files that contain random PHP code and then
 executing them.

 The real problem is that most WordPress users don't do any security
 tightening by themselves, either because they didn't see it in the install
 procedure or (more likely) because they don't have the knowledge necessary
 to know what measures are appropriate or not.

 This is a bane to all shared hosting providers who will need to figure out
 ways to tighten security for the users, while not knowing what they are or
 will be hosting.

 This lack of basic security was already pointed out in ticket #9185 seven
 years ago but was discarded for reasons that I believe are not valid:

 Blocking PHP evaluation for all files in wp-content would only affect
 direct PHP file access through a URL, not inclusion of code by other PHP
 files. This means that only direct access to files would get blocked for
 some plugins, but plugins should not require users to load plugin-specific
 PHP files directly in the first place: those files should get included
 through WordPress itself.

 Finally, since WordPress has PHP code that generates these .htaccess
 files, there is no good reason to avoid adding some security measures in
 there. Some measures for htaccess are even suggested in
 https://codex.wordpress.org/Hardening_WordPress . It doesn't make sense to
 not include them by default.

 Drupal does include a good host of default security measures to help users
 have a good security level by default. More can be done by users of course
 depending on the requirements, but default Drupal installs will not get
 hacked as badly as default WordPress installs frequently do. See:

 What I'm suggesting is the following. Have WordPress include the following
 blocks in generated .htaccess files:

 # Refuse direct requests for PHP files that are only meant to be included.
 # (Relies on the "RewriteEngine On" already present in the WordPress block.)
 <IfModule mod_rewrite.c>
   RewriteRule ^wp-admin/includes/ - [F,L]
   # Skip the next three rules unless the request is under wp-includes/
   RewriteRule !^wp-includes/ - [S=3]
   RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
   RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
   RewriteRule ^wp-includes/theme-compat/ - [F,L]
 </IfModule>

 # Never serve .htaccess / .htpasswd files
 <files ~ "^.*\.([Hh][Tt][Aa])">
   order allow,deny
   deny from all
 </files>

 # Never serve the configuration file with the database credentials
 <files wp-config.php>
   order allow,deny
   deny from all
 </files>

 # Disable PHP execution for everything under wp-content (uploads live there)
 <LocationMatch "/wp-content/">
   php_flag engine off
   <files ~ ".php">
     order allow,deny
     deny from all
   </files>
 </LocationMatch>
 Note that the above example might need to be adapted to the multisite

 Note also that the "order" and "deny" lines are only fit for Apache 2.2.
 It is, however, easy to have both sets of instructions for 2.2 and 2.4 with
 `<IfModule mod_authz_core.c>` blocks (see the Drupal 8.1 default .htaccess
 file linked above for examples).
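
The following is an added example, not the reporter's proposal or WordPress's own code: the same restrictions written so that they load on both Apache 2.2 (Order/Deny) and Apache 2.4 (Require all denied), selected with the `<IfModule mod_authz_core.c>` test the note above mentions. The wp-content part is moved into a separate wp-content/.htaccess (an assumed file that WordPress does not generate today), because `<LocationMatch>` is only valid in the server or virtual-host configuration and causes a 500 error when it appears in a .htaccess file.

```apache
# Added example, not from the ticket. Two .htaccess fragments: the first is
# appended to the site-root .htaccess, the second is an assumed
# wp-content/.htaccess so that no <LocationMatch> is needed.

# ---- site root: .htaccess (after the block WordPress generates) ----

<IfModule mod_rewrite.c>
  RewriteEngine On
  # Refuse direct requests for PHP files that are only meant to be included.
  RewriteRule ^wp-admin/includes/ - [F,L]
  # Skip the next three rules unless the request is under wp-includes/.
  RewriteRule !^wp-includes/ - [S=3]
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# .htaccess / .htpasswd and wp-config.php must never be served.
# Apache 2.4 syntax first; the 2.2 fallback is used only when
# mod_authz_core is absent.
<FilesMatch "^(\.ht.*|wp-config\.php)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# ---- wp-content/.htaccess (uploads, themes and plugins live below here) ----

# With mod_php, switch the PHP engine off for this subtree. PHP-FPM and CGI
# setups ignore php_flag, so the FilesMatch block below is the real guard.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>

# Refuse to serve anything that looks like a PHP script, whichever handler
# is configured (covers .php, .php5, .phtml, .phar).
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

Both fragments only take effect where the server's `AllowOverride` permits them: `FileInfo` for the RewriteRule lines, `Limit` for Order/Deny, `AuthConfig` for Require, and `Options` for php_flag. A quick check after deploying is to request `/wp-config.php`, `/.htaccess` and a throwaway `/wp-content/uploads/test.php` and confirm that each returns 403 rather than executing or being served.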

Ticket URL: <https://core.trac.wordpress.org/ticket/36177>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
