krot

Block WP hack

Mar 13th, 2019
272
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.70 KB | None | 0 0
  1. Block WP timthumb hackMySQL injection attempts are one of the most common hacking attacks against PHP websites. If your website is hosted on a dedicated or virtual server, the best solution is to your server hardened with proper mod_security rules. However, if you're on shared hosting, this is not an option. If you now think that it's not possible to protect your website against various hacking methods on shared hosting, you're wrong. Although it's not possible to use advanced strategies to protect your website, you're still able to protect it against hacking attempts using .htaccess rules. To implement such a protection, append your current .htaccess file with the following code, or create a new file called .htaccess, if you don't use any yet, and place it in your website's main folder:
  2. #####################################################
  3. # Script: htaccess Security
  4. #
  5. # Version: 1.0
  6. #
  7. # ### Changelog ###
  8. #
  9. # v1.0 - 2012-02-14
  10. #
  11. #####################################################
  12.  
  13. # No web server version and indexes
  14. ServerSignature Off
  15. Options -Indexes
  16.  
  17. # Enable rewrite engine
  18. RewriteEngine On
  19.  
  20. # Block suspicious request methods
  21. RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
  22.  
  23. RewriteRule ^(.*)$ - [F,L]
  24.  
  25. # Block WP timthumb hack
  26. RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
  27.  
  28. RewriteRule . - [S=1]
  29.  
  30. # Block suspicious user agents and requests
  31. RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
  32. RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
  33. RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
  34. RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
  35. RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
  36. RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
  37. RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
  38. RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
  39.  
  40. # Block MySQL injections, RFI, base64, etc.
  41. RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
  42. RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
  43. RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
  44. RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
  45. RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
  46. RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
  47. RewriteCond %{QUERY_STRING} http\: [NC,OR]
  48. RewriteCond %{QUERY_STRING} https\: [NC,OR]
  49. RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
  50. RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
  51. RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
  52. RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
  53. RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
  54. RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
  55. RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
  56. RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
  57. RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
  58. RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  59. RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
  60. RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
  61. RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
  62. RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
  63. RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
  64. RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
  65. RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
  66. RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
  67. RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
  68. RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
  69. RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
  70.  
  71. RewriteRule ^(.*)$ - [F,L]
  72.  
  73. # Deny browser access to config files
  74.  
  75. Order allow,deny
  76. Deny from all
  77. #Allow from 1.2.3.4
  78.  
  79. It should work fine with most PHP scripts and has been tested with WordPress and Joomla!. If you want to run your install.php or directly access a config file with your browser, remove the hash symbol at the end of the file before "Allow from 1.2.3.4" and replace "1.2.3.4" with your external IP. .htaccess files will only work with Apache and LiteSpeed.
Add Comment
Please, Sign In to add comment