• Resolved barnez

    (@pidengmor)


    Hi,

    I’m try to harden my WordPressa installing and am now at the point where I’m placing htaccess files outside of the root directory to improve security.

    I have placed the following code in my wp-content/uploads and wp-content/includes folders, and all is well:

    <Files *.php>
    deny from all
    </Files>

    The problem is when I place the following as an .htaccess file in the wp-content folder:

    Order deny,allow
        Deny from all
        <Files ~ ".(xml|css|jpe?g|png|gif|js)$">
        Allow from all
        </Files>

    When I try to view my blog page with snippits and thumbnail images, the thumbnail images don’t show themselves and the alt text is visible.
    You can see the issue here. It seems strange as the images are jpegs, which are being allowed through the htaccess rules in wp-content, but the thumbnail won’t show unless I remove the code.

    Any ideas would be great at this point.

    Cheers,
    Barnez

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter barnez

    (@pidengmor)

    After a real nightmare with error codes being thrown up in the cPanel logs and 520 server connection errors, I have removed these three htaccess files and am back to relying on the main root’s htaccess file and a combination of Wordfence for security scans and NinjaFirewall for firewall and login protection.

    https://www.ads-software.com/plugins/wordfence/
    https://www.ads-software.com/plugins/ninjafirewall/

    Hi Barnez,

    You likely need to white list the PHP file that generates the thumbnails. Are you using something like timthumb?

    thanks,

    Thread Starter barnez

    (@pidengmor)

    Hi Daniel,

    Thanks for the input. You’re right, the thumbnails are being generated by timthumb.php

    As the site is now running as normal I will look into white listing the script from the uploads and wp-content htaccess files. I imagine that means adding timthumb.php to the Allow from all exclusions rule: <Files ~ “.(xml|css|jpe?g|png|gif|js)$”>

    Cheers,

    Thread Starter barnez

    (@pidengmor)

    I tried adding this as an .htaccess file in the folder containing the timthumb.php script, but it didn’t help:

    <Files timthumb.php>
        Order Allow,Deny
        Allow from all
    </Files>

    Thread Starter barnez

    (@pidengmor)

    Now resolved ??

    The white list code for the directory containing the timthumb.php script should read:

    <Files timthumb.php>
      Satisfy Any
      Allow from all
     </Files>
Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘problems with diplaying images after placing htaccess in wp-content folder’ is closed to new replies.