trante

Reputation: 33996

CakePHP site restricting access to some files with .htaccess

I have the following .htaccess file for my CakePHP 2 website.
I put this under the webroot folder.

Every day some bots try to log in to my site as if it were a WordPress site. So I need to restrict some file names (wp-login.php) or some directories like Administrator or Cache.

How can I restrict access to those files and folders?

<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
 Order allow,Deny
 Deny from all
</FilesMatch>

<Files wp-login.php>
  Order allow,deny
  Deny from all
</Files>

#<Directory /Administrator>
#    Order allow,deny
#    Deny from all
#<Directory>

#<Directory /Cache>
#    Order allow,deny
#    Deny from all
#<Directory>


<IfModule mod_rewrite.c>
    RewriteEngine On

    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php [QSA,L]
</IfModule>

#set file cache maximum age in seconds
<ifmodule mod_headers.c>
    <filesmatch "\.(ico|flv|jpg|jpeg|png|gif|css|swf)$">
        Header set Cache-Control "max-age=518400, public"
    </filesmatch>
    <filesmatch "\.(js|css)$">
        Header set Cache-Control "max-age=604800, public"
    </filesmatch>
</ifmodule>


# gzip files
<ifModule mod_gzip.c>
  mod_gzip_on Yes
  mod_gzip_dechunk Yes
  mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
  mod_gzip_item_include handler ^cgi-script$
  mod_gzip_item_include mime ^text/.*
  mod_gzip_item_include mime ^application/x-javascript.*
  mod_gzip_item_include mime ^application/javascript.*
  mod_gzip_item_exclude mime ^image/.*
  mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>

# gzip files
<ifModule mod_deflate.c>
  <filesMatch "\.(css|js|x?html?|php)$">
    SetOutputFilter DEFLATE
  </filesMatch>
</ifModule>

Edit: I changed the redirection code to this. The directory problem is solved, but the CakePHP-style Internal Server Error exception still exists.

<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
Order allow,Deny
Deny from all
</FilesMatch>

<Files "wp-login.php">
  Order allow,deny
  Deny from all
</Files>

<IfModule mod_rewrite.c>
    RewriteEngine On

    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

    RewriteRule ^/?(administrator|cache|undefined) - [L,F,NC]

    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php [QSA,L]
</IfModule>

Upvotes: 1

Views: 1405

Answers (1)

Jon Lin

Reputation: 143966

You can't use the <Directory> blocks inside an htaccess file. I'm not sure why you get a 500 error for wp-login.php, but you need to add some quotes to the declaration:

<Files "wp-login.php">
  Order allow,deny
  Deny from all
</Files>

You can place individual htaccess files in the Administrator and Cache directories that are just:

Order allow,deny
Deny from all

Or you can use something like a rewrite rule:

RewriteRule ^/?(Administrator|Cache) - [L,F]

Upvotes: 3
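
The answer's file-name deny and rewrite-rule suggestions combined into one webroot .htaccess, as an added example that is not part of the question or the answer. The `Require all denied` branch is Apache 2.4 syntax from mod_authz_core, which this page does not use; the `(/|$)` boundary and the `/cached-report` route named in the comments are assumptions added for illustration.

```apache
# Added example for webroot/.htaccess (not the asker's or the answerer's file).
# Assumes AllowOverride for this directory permits FileInfo (mod_rewrite)
# and AuthConfig / Limit (Require / Order, Deny).

# Deny sensitive files by name. Each syntax sits behind IfModule so that it
# is only read when its module is loaded: Apache 2.4 uses mod_authz_core,
# and Order/Deny on 2.4 need mod_access_compat.
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Refuse probe paths first, before the www redirect and before the
    # CakePHP front controller, so bots get a 403 without reaching PHP.
    # [F] ends rule processing for the request; NC ignores case.
    # (/|$) stops the match at a path-segment boundary: /cache and /cache/x
    # are refused, while a hypothetical route such as /cached-report
    # still reaches index.php.
    RewriteRule ^/?(administrator|cache)(/|$) - [F,NC]

    # Same treatment for the WordPress login probe, whether or not a file
    # of that name exists under webroot.
    RewriteRule (^|/)wp-login\.php$ - [F,NC]

    # Original rules from the question, unchanged.
    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php [QSA,L]
</IfModule>
```

Requesting `/wp-login.php`, `/Administrator/` and `/cache` with `curl -I` should each return `403 Forbidden`; any other CakePHP route should respond as before.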
