0

I have the following block in my .htaccess file

<IfModule mod_rewrite.c>
     RewriteEngine On
     RewriteRule %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
     RewriteRule .* - [F]
</IfModule>

I would expect this to block the OPTIONS / TRACK and TRACE requests, but yet allow HTTP requests.

When I browse 

 myserver.com

I get 

Forbidden
You don't have permission to access / on this server.

However when I visit 

myserver.com/SubPage

The page loads ? Its a little strange and I would expect more consistency. It is a Wordpress site running on Apache /MySQL implementation.

My .htccess file is as follows

# BEGIN WordPress
<IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteBase /
   RewriteRule ^index\.php$ - [L]
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule . /index.php [L]
   **#RewriteRule %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)**
   **#RewriteRule .* - [F]**
</IfModule>
# END WordPress

<IfModule mod_headers.c>
   Header set X-XSS-Protection "1; mode=block"
   Header always append X-Frame-Options SAMEORIGIN
   Header always set Referrer-Policy "same-origin"
   Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' http://myserver.com/"
   Header set X-Content-Type-Options nosniff
   Header unset X-Powered-By
   Header unset X-Pingback
   Header unset SERVER
   Header set Referrer-Policy: strict-origin-when-cross-origin 

</IfModule>

# Protect sensitive files
<FilesMatch "^(wp-config.php|license.txt|readme.html)">
   Order Allow,Deny
   Deny from all
</FilesMatch>

# protect phpinfo
<Files php-info.php>
   Order Deny,Allow
   Deny from all
</Files>

# Block User ID Phishing Requests
<IfModule mod_rewrite.c>
    RewriteCond %{QUERY_STRING} ^author=([0-9]*)
    RewriteRule .* http://www.myserver,com/? [L,R=302]
</IfModule>
Welsh King
  • 3,178
  • 11
  • 38
  • 60

0 Answers0