Fli
10-08-2015, 07:42 PM
How a webmaster can secure his website space by disallowing anyone to directly open .php file, disallow executing .php files?
Many content management systems use pretty/seo urls (url rewrite) so urls do NOT end with .php, thanks to this one may disallow execution of urls ending with .php in aim to prevent executing any possible malicious files injected into website directories.
One way to prevent such .php ending urls opening is to set following Apache rule in .htaccess file. (file should be located in the websites root directory):
# disallow opening/executing .php file directly
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
RewriteCond %{REQUEST_URI} !index.php
RewriteRule \.php$ / [F,L]
this way, no one can open in web browser URL which ends by ".php"
".php?=***" and other urls with parameters are not restricted.
"RewriteCond %{REQUEST_URI} !index.php" means that index.php is excluded from blocking
Above .htaccess rule also make it impossible to call the .php file via Linux wget, php or curl program.
After applying above .htaccess rule, browse your website and make sure any of its subpages do not end in 403 error code (forbidden). If it ends up fobidden, you need to whitelist that .php file like index.php was whitelisted in above htaccess rule.
Following rewrite rules was good for PHPBB forum:
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
RewriteCond %{REQUEST_URI} !index.php
RewriteCond %{REQUEST_URI} !feedback.php
RewriteCond %{REQUEST_URI} !faq.php
RewriteCond %{REQUEST_URI} !search.php
RewriteCond %{REQUEST_URI} !memberlist.php
RewriteCond %{REQUEST_URI} !toplist.php
RewriteCond %{REQUEST_URI} !thankslist.php
RewriteCond %{REQUEST_URI} !ucp.php
RewriteCond %{REQUEST_URI} !mchat.php
RewriteCond %{REQUEST_URI} !rss.php
RewriteCond %{REQUEST_URI} !sitemap.php
RewriteRule \.php$ / [F,L]
Following rewrite rules was good for Wordpress:
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
RewriteCond %{REQUEST_URI} !wp-login.php
RewriteCond %{REQUEST_URI} !wp-comments-post.php
RewriteRule \.php$ / [F,L]
The tools to spider your website and return status codes (200,403..):
http://tools.seochat.com/tools/online-crawl-google-sitemap-generator/
Many content management systems use pretty/seo urls (url rewrite) so urls do NOT end with .php, thanks to this one may disallow execution of urls ending with .php in aim to prevent executing any possible malicious files injected into website directories.
One way to prevent such .php ending urls opening is to set following Apache rule in .htaccess file. (file should be located in the websites root directory):
# disallow opening/executing .php file directly
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
RewriteCond %{REQUEST_URI} !index.php
RewriteRule \.php$ / [F,L]
this way, no one can open in web browser URL which ends by ".php"
".php?=***" and other urls with parameters are not restricted.
"RewriteCond %{REQUEST_URI} !index.php" means that index.php is excluded from blocking
Above .htaccess rule also make it impossible to call the .php file via Linux wget, php or curl program.
After applying above .htaccess rule, browse your website and make sure any of its subpages do not end in 403 error code (forbidden). If it ends up fobidden, you need to whitelist that .php file like index.php was whitelisted in above htaccess rule.
Following rewrite rules was good for PHPBB forum:
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
RewriteCond %{REQUEST_URI} !index.php
RewriteCond %{REQUEST_URI} !feedback.php
RewriteCond %{REQUEST_URI} !faq.php
RewriteCond %{REQUEST_URI} !search.php
RewriteCond %{REQUEST_URI} !memberlist.php
RewriteCond %{REQUEST_URI} !toplist.php
RewriteCond %{REQUEST_URI} !thankslist.php
RewriteCond %{REQUEST_URI} !ucp.php
RewriteCond %{REQUEST_URI} !mchat.php
RewriteCond %{REQUEST_URI} !rss.php
RewriteCond %{REQUEST_URI} !sitemap.php
RewriteRule \.php$ / [F,L]
Following rewrite rules was good for Wordpress:
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
RewriteCond %{REQUEST_URI} !wp-login.php
RewriteCond %{REQUEST_URI} !wp-comments-post.php
RewriteRule \.php$ / [F,L]
The tools to spider your website and return status codes (200,403..):
http://tools.seochat.com/tools/online-crawl-google-sitemap-generator/