Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Domi2015,

    Of couse yes, but not perfect.

    Sometimes plugin or theme authers tend to offer their services through a standalone PHP file which doesn’t load WordPress core. A lot of vulnerabilities had been disclosed among those plugins and themes (See https://www.ipgeoblock.com/article/exposure-of-wp-config-php.html). If you want to block the attacks against those type of vulnerabilities, you need server level control.

    So this plugin has a functionality to “Force to load WP core” using .htaccess in order to reduce the risk of such vulnerabilities.

    The difference between with and without this functionality can be found in https://www.ipgeoblock.com/codex/analysis-of-attack-vectors.html (with) and https://www.ipgeoblock.com/codex/analysis-of-attack-vectors.html (without).

    I hope this helps you.

    Thread Starter Domi2015

    (@domi2015)

    Thank you for your answer.

    I’m using configuration with htaccess.conf file, not .htaccess, the htaccess.conf is on /conf/ directory, not under httpd root folder. Its using <Directory> directive to do .htaccess job without separate .htaccess files per folder.

    As describe by following:
    https://wiki.bitnami.com/Components/Apache/htaccess_configuration

    Is this supported by IP Geo Block ?
    Or are there any way I could get IP Geo Block .htaccess settings (for each folder) to the htaccess.conf ? i.e.: to view IP Geo Block .htaccess changes.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Domi2015,

    Thank you for the information about your server.

    Is this supported by IP Geo Block ?

    Unfortunately no. I have no experience with bitnami. I think we should make like a “ip-geo-block-plugins.conf” and put it outside the document root.

    I’d install bitnami into my local PC and check if the conf file works. I hope you to wait until I finish my checking.

    Thanks.

    Thread Starter Domi2015

    (@domi2015)

    Thank you very much.

    I believe the Apache .htaccess will be replaced by htaccess.conf as the best practice for the better security and performance.

    Great plugin.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Domi2015,

    I believe the Apache .htaccess will be replaced by htaccess.conf

    You’re right!

    At first, I installed the “Bitnami WordPress Stack” which seems to be very strict to edit any WordPress files for security. (I should use FTP to upload any files to my local machine!!) So once I uninstalled it, then I installed “Bitnami MAMP stack” which makes me free to edit WordPress configuration files :).

    The “Bitnami MAMP stack” also can handle the “htaccess.conf” file. I tested the following conf snippet in my local environment and found it works fine. I installed WordPress under the “htdocs/wordpress/“. I think you can also use it (but please replace the directory and path to fit your installation):

    <Directory "/Applications/mampstack-5.6.22-0/apache2/htdocs/wordpress/wp-content/plugins">
    # BEGIN IP Geo Block
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteBase /wordpress/wp-content/plugins/ip-geo-block/
    RewriteCond %{REQUEST_URI} !ip-geo-block/rewrite.php$
    RewriteRule ^.*\.php$ rewrite.php [L]
    </IfModule>
    # END IP Geo Block
    </Directory>
    
    <Directory "/Applications/mampstack-5.6.22-0/apache2/htdocs/wordpress/wp-content/themes">
    # BEGIN IP Geo Block
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteBase /wordpress/wp-content/plugins/ip-geo-block/
    RewriteRule ^.*\.php$ rewrite.php [L]
    </IfModule>
    # END IP Geo Block
    </Directory>

    The following step shows how to test your configuration.

    1. Confirm your IP Geo Block settings to enable “Prevent Zero-day Exploit” for “Plugins area”.
    2. Before you setup your conf file for IP Geo Block, please access to https://example.com/wp-content/plugins/ip-geo-block/samples.php which shows just “0”.
    3. Setup your conf file for IP Geo Block. This will be done by putting the above configurations into your “htaccess.conf”, and then restart your bitnami server.
    4. Access to https://example.com/wp-content/plugins/ip-geo-block/samples.php again. Please note that there’s a case that Varnish prevents showing the fresh page (https://wiki.bitnami.com/Applications/BitNami_Wordpress/How_to_configure_WordPress_with_Varnish). In this case, once you access your home (or clean up your browsers’s cahce) and then access to samples.php again. If you see “Forbiddne” page, then your conf file works fine.

    Good luck!

    Thread Starter Domi2015

    (@domi2015)

    Really helpful. Thank you very much.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    You’re very welcome, at any time!

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Could it work with allowoveride none ?’ is closed to new replies.