iThemes Security on my .htaccess although plugin is not installed

  • Hi guys,

    I was adding some stuff to my htaccess and noticed that there are several lines by iThemes Security.

    I don’t have the plugin installed (neither I had it installed before). How is this possible?

    This is the code I found:

    # BEGIN iThemes Security
	# BEGIN Hide Backend
			# Rules to hide the dashboard
			RewriteRule ^(/)?entrance/?$ /wp-login.php [QSA,L]

	# END Hide Backend
	# BEGIN Tweaks
		# Rules to block access to WordPress specific files
		<files .htaccess>
			Order allow,deny
			Deny from all
		</files>
		<files readme.html>
			Order allow,deny
			Deny from all
		</files>
		<files readme.txt>
			Order allow,deny
			Deny from all
		</files>
		<files install.php>
			Order allow,deny
			Deny from all
		</files>
		<files wp-config.php>
			Order allow,deny
			Deny from all
		</files>

		<IfModule mod_rewrite.c>
			RewriteEngine On

			# Rules to protect wp-includes
			RewriteRule ^wp-admin/includes/ - [F]
			RewriteRule !^wp-includes/ - [S=3]
			RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
			RewriteRule ^wp-includes/[^/]+\.php$ - [F]
			RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
			RewriteRule ^wp-includes/theme-compat/ - [F]

			# Rules to prevent php execution in uploads
			RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]

			# Rules to block suspicious URIs
			RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
			RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
			RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
			RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
			RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
			RewriteCond %{QUERY_STRING} http\:  [NC,OR]
			RewriteCond %{QUERY_STRING} https\:  [NC,OR]
			RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
			RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
			RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
			RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
			RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
			RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
			RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
			RewriteCond %{QUERY_STRING} !^loggedout=true
			RewriteCond %{QUERY_STRING} !^action=jetpack-sso
			RewriteCond %{QUERY_STRING} !^action=rp
			RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
			RewriteCond %{HTTP_REFERER} !^https://maps\.googleapis\.com(.*)$
			RewriteRule ^(.*)$ - [F]
		</IfModule>
	# END Tweaks
# END iThemes Security

    Any ideas?

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 1 replies (of 1 total)
  • evis

    (@evertramos)

    Have you ever installed any security plugins?

    Could you please share here which plugins you have used?

    They might reused some code from iThemes… not sure if this is ok…

Viewing 1 replies (of 1 total)
  • The topic ‘iThemes Security on my .htaccess although plugin is not installed’ is closed to new replies.

Tags