<input type="checkbox" id="" disabled=""

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Usually we'd do something like this: <div class="highlight highlight-source-apache

Security: Disable Directory Listing about appside HOT 4 CLOSED

cloudsidedev commented on May 25, 2024

Security: Disable Directory Listing

from appside.

Comments (4)

ivomarino commented on May 25, 2024 1

@swissspidy take a look at https://github.com/ttssdev/appflow/blob/master/playbooks/roles/web/templates/wp_bedrock/htaccess.j2 -- we provision this as default .htaccess. When we set htaccess_ithemes_security_enable: true for a vhost in conf_vhosts_common we also enable all the iThemes Security Config Details which should include what you need, take a look at the file.

from appside.

ivomarino commented on May 25, 2024

Disable Directory Listing everyhwere has been implemented with 68b9e2f, verified by @swissspidy.

from appside.

ivomarino commented on May 25, 2024

@swissspidy any code for Disallow executing PHP directly in wp-includes and web/app?

from appside.

swissspidy commented on May 25, 2024

Usually we'd do something like this:

<Directory "/app/uploads/">
<Files "*.php">
Order Deny,Allow
Deny from All
</Files>
</Directory>

But apparently, we can easily set this via iThemes Security. As long as the current .htaccess from that plugin is correct, it should work. It does this by adding new rewrite rules:

<IfModule mod_rewrite.c>
	RewriteEngine On

	# Protect System Files - Security > Settings > System Tweaks > System Files
	RewriteRule ^wp-admin/install\.php$ - [F]
	RewriteRule ^wp-admin/includes/ - [F]
	RewriteRule !^wp-includes/ - [S=3]
	RewriteRule ^wp-includes/[^/]+\.php$ - [F]
	RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
	RewriteRule ^wp-includes/theme-compat/ - [F]

	# Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
	RewriteRule ^app/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)$ - [NC,F]

	# …
</IfModule>