[wp-trac] [WordPress Trac] #36177: default htaccess should include security measures
WordPress Trac
noreply at wordpress.org
Wed Mar 9 08:43:11 UTC 2016
#36177: default htaccess should include security measures
-------------------------+-----------------------------
Reporter: lelutin | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
WordPress has some code that automatically creates a .htaccess file for
users. This file however includes no security measures whatsoever, meaning
that users who do not tighten security by themselves are left with an
install that lets uploaded files containing arbitrary PHP code be
executed.
The real problem is that most WordPress users don't do any security
tightening by themselves, either because they didn't see it in the install
procedure or (more likely) because they don't have the knowledge necessary
to know which measures are appropriate or not.
This is a bane to all shared hosting providers, who need to figure out ways
to tighten security for their users while not knowing what they are or will
be hosting.
This lack of basic security was already pointed out in ticket #9185 seven
years ago but was discarded for reasons that I believe are not valid:
blocking PHP evaluation for all files in wp-content would only affect
direct PHP file access through a URL, not inclusion of code by other PHP
files. This means that only direct access to files would get blocked for
some plugins, but plugins should not require users to load plugin-specific
PHP files directly in the first place: those files should get included
through WordPress itself.
Finally, since WordPress has PHP code that generates these .htaccess
files, there is no good reason to avoid adding some security measures
there. Some measures for .htaccess are even suggested in
https://codex.wordpress.org/Hardening_WordPress . It doesn't make sense
not to include them by default.
Drupal does include a good host of default security measures to help users
have a good security level by default. More can be done by users of course,
depending on the requirements, but default Drupal installs will not get
hacked as badly as default WordPress installs frequently do. See:
https://github.com/drupal/drupal/blob/8.1.x/.htaccess
What I'm suggesting is the following. Have WordPress include the following
blocks in generated .htaccess files:
{{{
<IfModule mod_rewrite.c>
# Refuse direct requests into wp-admin/includes. For requests outside
# wp-includes the S=3 flag skips the three wp-includes rules that follow.
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Hide .htaccess itself (Apache 2.2 access-control syntax)
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</files>
# Hide wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
# Turn the PHP engine off under wp-content and refuse direct requests
# for any file whose name contains ".php" there
<LocationMatch "/wp-content/">
php_flag engine off
<files ~ ".php">
order allow,deny
deny from all
</files>
</LocationMatch>
}}}
Note that the above example might need to be adapted to the multisite
layout.
Note also that the "order" and "deny" lines are only fit for Apache 2.2.
It's however easy to have both sets of instructions for 2.2 and 2.4 with
`<IfModule mod_authz_core.c>` blocks (see the Drupal 8.1 default .htaccess
file linked above for examples).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36177>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list
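As an added illustration (not part of the ticket, nor of WordPress core or Drupal), the proposal above rewritten so that it actually loads in .htaccess context and works on both Apache 2.2 and 2.4. Two things are changed from the ticket's block: `<LocationMatch>` is only valid in server config or virtual host context, so the wp-content restriction becomes a second .htaccess placed in wp-content itself; and `php_flag` is only understood when PHP runs as mod_php (an unknown directive makes Apache answer 500), so it is guarded with `<IfModule>` and the `<FilesMatch>` deny is the part that must hold everywhere. File paths and the extension list are assumptions for the example.

```apache
# ---- /.htaccess (document root), example not from the ticket ----
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Refuse direct requests into wp-admin/includes; for requests outside
# wp-includes the S=3 flag skips the three wp-includes rules.
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Deny .ht* files and wp-config.php. Apache 2.4 ships mod_authz_core
# ("Require"); 2.2 does not, and uses Order/Deny from mod_authz_host.
<FilesMatch "^\.ht|^wp-config\.php$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# ---- /wp-content/.htaccess, example not from the ticket ----
# Replaces the ticket's <LocationMatch "/wp-content/"> block, which Apache
# rejects inside .htaccess ("LocationMatch not allowed here").
# php_flag exists only under mod_php; with PHP-FPM/FastCGI it is unknown,
# so guard it. Module names assumed: mod_php5.c / mod_php7.c.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>

# Anchored regex: block PHP-family extensions at end of name, instead of the
# ticket's unanchored ".php", which also matched names merely containing "php".
<FilesMatch "\.(php|phtml|php[0-9])$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

Before relying on this, check the host's `AllowOverride`: it must permit FileInfo (mod_rewrite), Limit or AuthConfig (the deny sections) and Options (`php_flag`), otherwise the directives are silently unavailable or produce a 500. Then verify with a plain request, for example to wp-content/uploads/test.php, that the server answers 403 rather than executing the file, and run the site's plugins, since any plugin that expects its own PHP files to be requested directly will break, which is the trade-off the ticket argues is acceptable.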