From 8c1f18f3da42995c34d335f54e42ee534fba87e4 Mon Sep 17 00:00:00 2001
From: Ben Word
Date: Mon, 2 Jan 2012 11:03:16 -0700
Subject: [PATCH] closes #193 - block access to files that show WordPress version
---
 inc/h5bp-htaccess | 11 +++++++++++
 inc/roots-htaccess.php | 4 +++-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/inc/h5bp-htaccess b/inc/h5bp-htaccess
index 27fc49c..d96ccc1 100644
--- a/inc/h5bp-htaccess
+++ b/inc/h5bp-htaccess
@@ -6,6 +6,9 @@
 ### This contains the HTML5 Boilerplate .htaccess that can be found at:
 ### github.com/h5bp/html5-boilerplate/blob/master/.htaccess
 ###
+### Added:
+### Block access to access to WordPress files that reveal version information.
+###
 ### Commented out by default:
 ### Expires headers: Use WP Super Cache or W3 Total Cache (unless using the H5BP build script)
 ### ETag removal: Use WP Super Cache or W3 Total Cache (unless using the H5BP build script)
@@ -494,6 +497,14 @@ AddCharset utf-8 .css .js .xml .json .rss .atom
+# Block access to WordPress files that reveal version information.
+ Order allow,deny
+ Deny from all
+ Satisfy All
+
+
 # If your server is not already configured as such, the following directive
 # should be uncommented in order to set PHP's register_globals option to OFF.
 # This closes a major security hole that is abused by most XSS (cross-site
diff --git a/inc/roots-htaccess.php b/inc/roots-htaccess.php
index 8018aa2..af03e43 100644
--- a/inc/roots-htaccess.php
+++ b/inc/roots-htaccess.php
@@ -68,6 +68,7 @@ if (stristr($_SERVER['SERVER_SOFTWARE'], 'apache') !== false) {
 }
 }
+ // add the contents of h5bp-htaccess into the .htaccess file
 function roots_add_h5bp_htaccess($rules) {
 global $wp_filesystem;
@@ -80,6 +81,7 @@ if (stristr($_SERVER['SERVER_SOFTWARE'], 'apache') !== false) {
 }
 add_filter('mod_rewrite_rules', 'roots_add_h5bp_htaccess');
+
 }
-?>
+?>
\ No newline at end of file
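Review bot: The new header line `### Block access to access to WordPress files that reveal version information.` repeats "access to"; it should read `### Block access to WordPress files that reveal version information.`, which also matches the comment the same commit adds further down the file.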
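Review bot: The `Order allow,deny` / `Deny from all` lines added in this hunk are Apache 2.2 access-control directives; on Apache 2.4 they are only understood when mod_access_compat is loaded, and where it is not an .htaccess containing them is rejected as an invalid command for every request under that directory, so the deny should be expressed per module generation as below. The `<FilesMatch>` open and close lines of this hunk did not survive in this view, so the pattern cannot be checked here; note that `<FilesMatch>` tests only the final path component, so a pattern that includes a directory prefix never matches and needs a `RewriteRule` or `<Location>` instead. These directives also take effect only where the directory's `AllowOverride` includes `Limit` (and `AuthConfig` for the 2.4 `Require` form), which a generated .htaccess cannot guarantee, so the deploy documentation should say so. Denying these files is defense in depth rather than a fix for version disclosure, which WordPress also emits through the generator meta tag and `?ver=` query strings on enqueued assets.

```apache
# Block access to WordPress files that reveal version information.
<FilesMatch "PATTERN_FROM_ORIGINAL_HUNK">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
    Satisfy All
  </IfModule>
</FilesMatch>
```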
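Review bot: The last two lines of this hunk replace `?>` followed by a newline with `?>` and no newline, but the better change is to drop the closing tag altogether: a PHP-only file does not need it, and any whitespace that later lands after `?>` is sent as output, which produces "headers already sent" failures for a file that runs during admin requests. Ending the file at the `}` that closes the `if` block removes that hazard. The enclosing `if (stristr($_SERVER['SERVER_SOFTWARE'], 'apache') !== false)` block opens outside the hunk.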