Articles taggués ‘htaccess’

How to Restrict IP Addresses from Accessing your Web Server using .htaccess

07/04/2016 Comments off

If you are running the Apache Web Server or your web hosting provider running Apache based web server, you can use .htaccess configuration file to restrict access to your website. This could be a very important issue from security stand point of view especially if your server is being attacked or hacked from any specific or range of IP addresses.

Now, restricting access method works in two ways. First, you can restrict access to certain IP addresses and allow others. Second, you can restrict access to everyone but few IP addresses only. On this post, I will focus on both method and will try to explain as much as I can.

Restrict Certain IP Addresses

If you want to restrict specific IP addresses from accessing your site, you can use the following lines on your .htaccess file.

order deny,allow
deny from
deny from 654.3.2.1
allow from all

These lines above will block “” and “654.3.2.1” IP addresses from accessing your site. You can add as many IP addresses as you want on this “deny from” list. One interesting fact is, Apache web server gives you lot more flexibility in terms of blocking IP addresses. Take a look at the following lines.

order deny,allow
deny from 123.4.5.
allow from all

If you observe it carefully, you will see that the fourth set of digit is missing on this IP address. It means, if any IP address that matches the first three set of digits will be blocked. So basically anyone with IP address like “” or “” won’t be able to access your site as in both IP address matches with the first three (123.4.5.) sets of digits blocked by the Apache web server.

Allow Specific IP Addresses

Think of about a site that you built for a very specific purpose and for very few people, where you do not want everyone to show up. Apache allows you to do that as well.

For an example, lets assume that you built a site that you want one of your friend to be able to access and his IP address is “”. Simply write the following line on your .htaccess file and you are good to go.

order allow,deny
allow from
deny from all

In this case Apache will block all IP addresses except your friends IP address. This is as simple as it can get and I hope you got the basic idea.

Note: On all of my example I used either “allow from all” or “deny from all” at the bottom, this is very important. You must declare either one of these line based on your requirement or things might get little more complicated.

Also remember that all blocked IP addresses would be forwarded or shown an “403 Forbidden” error message. You can definitely customize this message as well but that’s something I will talk about in another post.


Detect and Block WordPress Brute Force Login Attacks

01/12/2015 Comments off

detect and block wordpress brute forceIf you run a wordpress blog these days, you are likely to experience brute force attacks where nefarious individuals attempt to break in to your website by quickly a list of userids and passwords against your wp-login.php.  Here’s how I automated detection and blocking of WordPress brute force login attacks.

Detecting a WordPress Brute Force Attack

One can typically detect a wordpress brute force attack by parsing through your webserver’s access_log file.  The access_log file records all of the access requests that a web server handles.  A brute force attack typically will have frequent and numerous attempts to the wp-login.php file as shown below:

Example:  In the access_log file below, we detect a brute force login attack on our WordPress blog.  We detected it by noticing frequent and constant requests to the wp-login.php file. - - [11/Sep/2014:02:01:43 +0000] "POST HTTP/1.1" 200 3389 "" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" - - [11/Sep/2014:02:01:44 +0000] "POST HTTP/1.1" 200 3389 "" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" - - [11/Sep/2014:02:01:45 +0000] "POST HTTP/1.1" 200 3389 "" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" - - [11/Sep/2014:02:01:47 +0000] "POST HTTP/1.1" 200 3389 "" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" - - [11/Sep/2014:02:01:49 +0000] "POST HTTP/1.1" 200 3389 "" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" - - [11/Sep/2014:02:01:50 +0000] "POST HTTP/1.1" 200 3389 "" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" - - [11/Sep/2014:02:01:51 +0000] "POST HTTP/1.1" 200 3389 "" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" - - [11/Sep/2014:02:01:52 +0000] "POST HTTP/1.1" 200 3389 "" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" - - [11/Sep/2014:02:01:54 +0000] "POST HTTP/1.1" 200 3389 "" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" - - [11/Sep/2014:02:01:55 +0000] "POST HTTP/1.1" 200 3389 "" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"

Typically in an event like this, I lookup the IP address in the ARIN database as I showed in a previous article:  What Personal Information Can You Get From Your Web Server?  Frequently, I find that the address is from APAC or RIPE addresses.

Lire la suite…

URL rewriting, Apache 2.4 et WordPress: pour ne pas y passer deux heures…

22/09/2015 Comments off

Le URL rewriting (permaliens) sous WordPress nécessite pour la version 2.4 de Apache des paramètres différents de ceux utilisés pour Apache 2.2.

La configuration des fichiers:

  • .htaccess

de votre site Wordpress est spécifique lors du passage à Apache 2.4.

Si vous choisissez /%year%/%monthnum%/%postname%/, il faut préciser le chemin complet dans la configuration du site (

En effet, il faut activer:

 <Directory /var/www/dbsysnet/>
 Require all granted
 Options -Indexes
 AllowOverride All

en n’oubliant surtout pas Require all granted et surtout le « / » à la fin du chemin vers le dossier racine.

Sinon tous les permaliens amèneront à une page « Not found » et même pas celle que vous avez défini pour les erreurs 404 dans votre .htaccess.

Voilà. Ça m’a pris plus de deux heures (si Julien n’avait pas été là, on aurait retrouvé mon cadavre au bout d’une branche…).


Protect WordPress sites with .htaccess

19/10/2014 Comments off


Our job as WordPress users (aside from contributing to the WordPress community) is keeping our installs safe from people we do not want to access our sites. There are numerous plug-ins to help shore up our WordPress defenses such as Login LockDown which records IP address and blocks them after a set number of login attempts which helps against brute force attacks. Lire la suite…

Basic .htaccess for New Projects

12/10/2014 Comments off
# allows php on html
 AddType application/x-httpd-php .html
# Using this code, instead of having to type in, you only need to enter to access that page.
# And the best part is, you can still access the page with .php on the end of it, so no old incoming links or bookmarks become orphaned as a result of this, and everyone is happy.
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteCond %{REQUEST_FILENAME}\.htm -f
 RewriteRule ^(.*)$ $1.htm
# gzip compression.
# html, txt, css, js, json, xml, htc:
 AddOutputFilterByType DEFLATE text/html text/plain text/css application/json
 AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript
 AddOutputFilterByType DEFLATE text/xml application/xml text/x-component
# ------------------------
# CACHING to speed up site
 <FilesMatch "\.(flv|gif|jpg|jpeg|png|ico|swf)$">
 Header set Cache-Control "max-age=2592000"
 <FilesMatch "\.(js|css|pdf|txt)$">
 Header set Cache-Control "max-age=604800"
 <FilesMatch "\.(html|htm)$">
 Header set Cache-Control "max-age=43200"
# webfonts and svg:
 <FilesMatch "\.(ttf|otf|eot|svg)$" >
 SetOutputFilter DEFLATE
# use utf-8 encoding for anything served text/plain or text/html
 AddDefaultCharset utf-8
# force utf-8 for a number of file formats
 AddCharset utf-8 .html .css .js .xml .json .rss
# Custom 400 errors
 ErrorDocument 400 /error.php
# Custom 401 errors
 ErrorDocument 401 /error.php
# Custom 403 errors
 ErrorDocument 403 /error.php
# Custom 404 errors
 ErrorDocument 404 /error.php
# Custom 500 errors
 ErrorDocument 500 /error.php
# Changes to
 RewriteEngine on
 RewriteCond %{HTTP_HOST} !^$
 RewriteRule ^(.*)$$1 [R=301]
# Specifies what file will be the directory index
 DirectoryIndex index.php index.html index.htm
# Unhide the code below to turn on a Site Down Page
 # RewriteEngine On
 # RewriteBase /
 # RewriteCond %{REQUEST_URI} !^/your-domain\.php$
 # RewriteRule ^(.*)$ [R=307,L]
# redirect any variations of a specific character string to a specific address
 # RewriteEngine On
 # RewriteRule ^appsupport [R]
# ---- # The following will redirect to the new page permanently ----#
 # Redirect 301 /index.php
Categories: Système Tags: ,

A Standard .htaccess File with ExpressionEngine

12/10/2014 Comments off
.htaccess files can be a powerful tool for a developer, that is, as long as they are set up properly. What follows is a pretty simple .htaccess template that I use on the majority of my projects.

Secure .htaccess File

<Files .htaccess>
 order allow,deny
 deny from all

This first set of lines essentially prevents others from viewing your htaccess file (and learning all about your crazy redirects).
Lire la suite…

Categories: Système Tags: ,

WordPress: Se protéger des spams sur les commentaires via un fichier .htaccess

28/01/2014 Comments off
Si vous autorisez vos visiteurs à poster des commentaires sur les articles de votre blog, vous avez certainement fait face aux robots spammeurs.Pour aider Askimet à lutter et réduire les attaques des spammeurs, il existe une astuce qui consiste à bloquer l’accès au fichier wp-comments-post.php qui permet de traiter la soumission des commentaires. Le code qui suit est à placer dans un fichier .htaccess à la racine de votre site Internet.

## ******** Pour se protéger contre des commentaires de Spam **********
RewriteEngine On
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !.** [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) [R=301,L]

Protéger ses images contre le Hotlinking

09/01/2014 Comments off
fonctionnement-hotlinkLe hotlinking est une pratique courante qui consiste, le plus souvent, à afficher une image en utilisant l’adresse URL en provenance d’un autre site où elle est publiée. En fait, au lieu de stocker l’image sur son serveur, le hotlinkeur crée un lien direct vers le serveur d’origine.Principe du Hotlinking en schéma.Cette méthode est totalement illégale puisqu’il s’agit d’un vol de bande passante. En effet, à chaque fois que l’image est visionnée par un internaute, une requête HTTP est envoyée vers le serveur qui l’héberge. Cela ralentit le serveur qui doit fournir les images hotlinkées en plus des images du site d’origine. De plus, cela peut engendrer un coût financier supplémentaire puisque certains hébergeurs prennent en compte le trafic mensuel de données afin d’éviter les abus et de préserver la bande passante.

Pour lutter contre le hotlinking, il suffit de copier le code suivant dans le fichier .htaccess présent à la racine de votre projet. Il permet de remplacer l’image volée par une autre destinée à dissuader le hotlinkeur (par ex:

RewriteEngine On
# Remplacer mywebsite\.com/ par l'adresse de votre site
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mywebsite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Remplacer /images/nohotlink.jpg par le chemin de l'image affichée chez les voleurs
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]

mod_geoip2 Apache module

09/01/2014 Comments off

The mod_geoip2 module embeds GeoIP database lookups into the Apache web server. It is only capable of looking up the IP of a client that connects to the web server, as opposed to looking up arbitrary addresses.

This module works with Apache 2. Please use mod_geoip with Apache 1.


You may download the latest release of mod_geoip2 or get the latest development version from GitHub. See the included INSTALL file in the tarball for installation details.


The mod_geoip2 module uses the libGeoIP library to look up geolocation information for a client as part of the http request process. This module is free software, and is licensed under the Apache license.

To compile and install this module, you must first install libGeoIP 1.4.3 or newer.

The mod_geoip2 module takes effect either during request header parsing phase or the post read request phase, depending on whether it is configured for server-wide use or for a specific location/directory.

When enabled, the module looks at the incoming IP address and sets some variables which provide geolocation information for that IP. The variables it set depend on the specific GeoIP database being used (Country, City, ISP, etc.). These variables can be set in either the request notes table, the environment or both depending on the server configuration.

Lire la suite…

Rediriger un nom de domaine vers un sous-répertoire

26/11/2013 Comments off

Quand votre nom de domaine pointe vers un hébergement mutualisé, vous n’avez, la plupart du temps, pas le droit de modifier les VirtualHost du serveur Apache.

Virtual Hosts

Virtual Hosts

Pour pallier ce manque, une redirection s’impose mais par un autre biais: l’utilisation de l’URL Rewrting. Lire la suite…