24 Apr

Security Tip for Developers: .htaccess Based Protection Won’t Work on All WordPress Websites

One of the ways we see plugin developers try to stop improper access to files generated by their WordPress plugin is to restrict direct access to the files over the Internet through the use of access restrictions placed in a .htaccess file (as the was the case with a vulnerability we disclosed last week). The problem with this is that this only works if the website is hosted on a web server that utilizes .htaccess files. While they are used by the most popular web server Apache, they are not used by the Nginx, which along with Apache is recommended for use with WordPress, or Microsoft’s IIS, which WordPress supports with its own release of WordPress.

It isn’t clear how widespread usage of different web servers is on websites running WordPress since the WordPress statistics page doesn’t include a breakdown of that. Looking wider, Netcraft found in April that 46% of active websites were using Apache, 20% using Nginx, and 9% were using IIS.

There isn’t a perfect solution for dealing with this. The IIS web server uses web.config files to provide similar functionality to .htaccess files, so you can add that alongside a .htaccess file. Nginx by comparison doesn’t provide a directory level configuration file, so you would need to suggest that the plugin’s user add code to the existing Nginx configuration file.

Another option that can be use in conjunction with doing that is to give the directory a randomly generated unique name. So for example, instead of calling the directory “backups” on one website it would be “backups-fux6sAseben8” and on another it “backups-2haHatrubRac”. That way even if the protections didn’t work someone would have a hard time finding the directory. You could also provide unique names at the file level as well.