.htaccess在END标志之后重定向太多而需要全部拒绝命令

时间:2017-07-09 12:23:15

标签: wordpress apache .htaccess redirect http-status-code-403

我正在尝试确保一个合理的WordPress安装,我需要让wp-login.php无法访问,但是最后一个WordPress重写规则总是被调用,即使阻塞规则在.htaccess之上

# BEGIN LETSENCRYPT AND COMODO
RewriteCond %{SERVER_PORT} 80 
RewriteCond %{REQUEST_URI} ^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} ^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule .* - [L]
# END LETSENCRYPT AND COMODO


<FilesMatch wp-login\.php>
  Require all denied
</FilesMatch>


#ADDED AS BACKUP PLAN, BUT DID NOT WORK EITHER
RewriteRule wp-login\.php$ - [END,R=403]




# BEGIN WordPress

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /


RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(.+)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^(.+)?(.*\.php)$ $2 [L]

#If I comment this rule the wp-login.php file it's protected
RewriteRule . index.php [L]

</IfModule>

# END WordPress

我尝试使用R = 404或重定向到真实文件而不是R = 403,但最后一条规则始终采用我的重定向

要明确: 我期待一个禁止的页面: https://example.com/wp-login.php  和 https://example.com/subsite/wp-login.php

而是在两种情况下返回404 Wordpress页面

1 个答案:

答案 0 :(得分:0)

好的,我找到了解决方案:

RewriteRule wp-login\.php$ - [END,R=403]

不起作用'因为先前的规则已经改变了状态,所以我们可以使用状态来阻止其他规则覆盖我们的结果:

RewriteCond "%{ENV:REDIRECT_STATUS}" "=403"
RewriteRule . - [L]

我们可以添加规则来捕获多站点配置中的wp-login RewriteRule。* wp-login.php wp-login.php

完整的.htaccess现在是:

# BEGIN LETSENCRYPT AND COMODO
#
# PREVENT SSL REDIRECT FOR CERTIFICATES PROCESS
#

RewriteCond %{SERVER_PORT} 80 
RewriteCond %{REQUEST_URI} ^/[0-9]+\..+\.cpaneldcv$ [OR]
RewriteCond %{REQUEST_URI} ^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$ [OR]
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule .* - [L]
# END LETSENCRYPT AND COMODO

#BEGIN PROTECT WP-LOGIN 

#MULTISITE WP
#this rule it's only for multisite install
RewriteRule .*wp-login\.php wp-login.php  


#THIS RULES PREVENT SERVER LOAD ON A wp-login ATTACK
<FilesMatch wp-login\.php>
  Require all denied
</FilesMatch>

RewriteCond "%{ENV:REDIRECT_STATUS}" "=403"
RewriteRule . - [L]
#END PROTECT WP-LOGIN 




#FORCE SSL 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://example.com/$1 [R,L]




# BEGIN WordPress
#
# WORDPRESS MULTISITE WITH CUSTOM SUNRISE SETTING
#

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /


RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(.+)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^(.+)?(.*\.php)$ $2 [L]

RewriteRule . index.php [L]

</IfModule>
相关问题
最新问题