Tips and Tricks HQ Support

Support site for Tips and Tricks HQ premium products

eMember – Hardening WordPress WP-Content with .htaccess


Tagged: htaccess, php deny all

  • This topic has 5 replies, 2 voices, and was last updated 12 years, 7 months ago by wzp.
  • September 22, 2012 at 3:02 am #7457
    onerock.scott
    Spectator

    I am in the process of hardening my WordPress site. I was working on the .htaccess file in the wp-content folder. I added the following code.

    # Deny every request in this directory by default
    Order deny,allow
    Deny from all
    # Re-allow only files whose names end in one of these extensions
    <Files ~ "\.(xml|css|jpe?g|png|gif|js|html|html_gzip)$">
    Allow from all
    </Files>

    Just after implementing this, I had a purchase through eStore for a membership (eMember) to my site. The above code seems to have interfered with the interactions of the 2 plugins as the member and customer account were not created. The PayPal payment was successful. What can I add to the code above to open just what is needed for the plugins to work correctly, but protect everything else?

    I have removed the .htaccess file to allow things to work in the meantime.

    Thanks in advance, Scott

    September 22, 2012 at 3:56 am #49556
    wzp
    Moderator

    The .htaccess settings cascade from the document root directory, on down. This means that access to files in lower level directories can unintentionally be denied by the settings of an .htaccess file located in a higher level directory. Per the Apache documentation, “.htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis.”

    I suspect that you are trying to use a single .htaccess file in the document root directory as a catch-all for securing the entire site. A better approach is to leave the one (if it existed) in the document root directory the way you found it, and instead place more restrictive .htaccess files in the directory branches that require tighter restrictions; such as the directories that actually contain your digital products.

    September 22, 2012 at 5:52 pm #49557
    onerock.scott
    Spectator

    I have the standard .htaccess file in the root www directory. I was attempting to secure the wp-content directory with its own .htaccess file. I can certainly add .htaccess to the individual folders and leave the eMember/eStore folders unrestricted to outside access.

    September 22, 2012 at 10:09 pm #49558
    wzp
    Moderator

    If you store your digital products outside the wp-content directory, in a separate document root directory with its own .htaccess file, there is no reason to explicitly deny access to any of the files in wp-content.

    A simple “Options All -Indexes” entry in the document root .htaccess file will be more useful than the entries you’ve posted.

    http://frontdeskapp.com/blog/5-htaccess-tricks-every-webmaster-should-know/

    Also, you could use eStore’s advanced options for adding more protection to your download folder:

    https://support.tipsandtricks-hq.com/forums/topic/download-directory-protection

    September 23, 2012 at 12:59 pm #49559
    onerock.scott
    Spectator

    OK, thanks. I have the “Options All -Indexes” in my main htaccess file in the www folder, will this suffice? I think I may be reading too much into this whole hardening WP thing. :)

    I do not have any digital downloadable content.

    September 23, 2012 at 1:20 pm #49560
    wzp
    Moderator

    Since you have no downloadable content, and you are not Walmart, this should suffice.

    The best thing you can also do is to make regular backups of your files and MySQL database.
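
An added example, not part of the original thread or of the plugins' own code: before deploying an extension allow-list like the one in the first post, replay existing access-log lines through it to see which currently successful wp-content requests would start returning 403. The log lines, plugin directories and file names are constructed placeholders, and the check models only the posted `<Files>` regex as applied to a file's base name.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Extension allow-list from the <Files ~ "..."> section in the first post.
ALLOWED = re.compile(r"\.(xml|css|jpe?g|png|gif|js|html|html_gzip)$")
# Request and status fields of a common/combined-format access-log line.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def is_allowed(url_path):
    """Model Order deny,allow + Deny from all + <Files> Allow from all.

    <Files> is tested against the base name only; a match lets the Allow
    override the Deny, every other file in the directory tree gets a 403.
    """
    name = PurePosixPath(url_path.split("?", 1)[0]).name
    return bool(ALLOWED.search(name))

def would_break(log_lines, prefix="/wp-content/"):
    """Count (method, path) pairs that succeed today but the rule would deny."""
    hits = Counter()
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or a request that already fails
        path = m["path"].split("?", 1)[0]
        if path.startswith(prefix) and not is_allowed(path):
            hits[(m["method"], path)] += 1
    return hits

# Constructed sample log; the plugin paths are hypothetical, not real plugin files.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Sep/2012:02:40:01 +0000] "GET /wp-content/themes/example-theme/style.css?ver=3.4 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [22/Sep/2012:02:40:02 +0000] "GET /wp-content/uploads/2012/09/photo.jpeg HTTP/1.1" 200 48211',
    '198.51.100.7 - - [22/Sep/2012:02:41:15 +0000] "POST /wp-content/plugins/example-payment-plugin/ipn-listener.php HTTP/1.0" 200 0',
    '198.51.100.7 - - [22/Sep/2012:02:45:15 +0000] "POST /wp-content/plugins/example-payment-plugin/ipn-listener.php HTTP/1.0" 200 0',
    '192.0.2.11 - - [22/Sep/2012:02:42:30 +0000] "GET /wp-content/plugins/example-plugin/fonts/icons.woff HTTP/1.1" 200 20100',
    '192.0.2.12 - - [22/Sep/2012:02:43:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
    '192.0.2.12 - - [22/Sep/2012:02:43:05 +0000] "GET /wp-content/debug.log HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for (method, path), count in would_break(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {method:4s} {path}")
```

Any POST to a PHP file that shows up in this report is a server-to-server or form endpoint that the deny-all rule would silently cut off.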

Copyright © 2025 | Tips and Tricks HQ