+ Post New Thread
Results 1 to 2 of 2

Thread: Disallow opening/calling/executing .php file directly

  1. #1
    Administrator
    Join Date
    Mar 2013
    Posts
    2,725

    Disallow opening/calling/executing .php file directly

    How a webmaster can secure his website space by disallowing anyone to directly open .php file, disallow executing .php files?

    Many content management systems use pretty/seo urls (url rewrite) so urls do NOT end with .php, thanks to this one may disallow execution of urls ending with .php in aim to prevent executing any possible malicious files injected into website directories.

    One way to prevent such .php ending urls opening is to set following Apache rule in .htaccess file. (file should be located in the websites root directory):

    # disallow opening/executing .php file directly
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
    RewriteCond %{REQUEST_URI} !index.php
    RewriteRule \.php$ / [F,L]
    this way, no one can open in web browser URL which ends by ".php"

    ".php?=***" and other urls with parameters are not restricted.

    "RewriteCond %{REQUEST_URI} !index.php" means that index.php is excluded from blocking

    Above .htaccess rule also make it impossible to call the .php file via Linux wget, php or curl program.

    After applying above .htaccess rule, browse your website and make sure any of its subpages do not end in 403 error code (forbidden). If it ends up fobidden, you need to whitelist that .php file like index.php was whitelisted in above htaccess rule.

    Following rewrite rules was good for PHPBB forum:
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
    RewriteCond %{REQUEST_URI} !index.php
    RewriteCond %{REQUEST_URI} !feedback.php
    RewriteCond %{REQUEST_URI} !faq.php
    RewriteCond %{REQUEST_URI} !search.php
    RewriteCond %{REQUEST_URI} !memberlist.php
    RewriteCond %{REQUEST_URI} !toplist.php
    RewriteCond %{REQUEST_URI} !thankslist.php
    RewriteCond %{REQUEST_URI} !ucp.php
    RewriteCond %{REQUEST_URI} !mchat.php
    RewriteCond %{REQUEST_URI} !rss.php
    RewriteCond %{REQUEST_URI} !sitemap.php
    RewriteRule \.php$ / [F,L]
    Following rewrite rules was good for Wordpress:
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
    RewriteCond %{REQUEST_URI} !wp-login.php
    RewriteCond %{REQUEST_URI} !wp-comments-post.php
    RewriteRule \.php$ / [F,L]
    The tools to spider your website and return status codes (200,403..):
    http://tools.seochat.com/tools/online-crawl-google-sitemap-generator/

  2. #2


    Is this useful / helpfull? Yes | No
    very good bro go next

+ Post New Thread

Similar Threads

  1. display the output directly to the browser ?
    By Sonamkumari in forum HTML,CSS, Javascript Coding & Programming
    Replies: 1
    Last Post: 06-15-2019, 04:56 AM
  2. Replies: 1
    Last Post: 11-05-2017, 01:40 PM
  3. Replies: 0
    Last Post: 05-10-2016, 12:34 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
 Protected by : ZB BLOCK  &  StopForumSpam