harden htaccess

2026-04-28 01:21:29 +02:00
parent 563c691172
commit 4b81322e4f
2 changed files with 13 additions and 1 deletions
--- a/abra.sh
+++ b/abra.sh
@ -2,7 +2,7 @@ export PHP_UPLOADS_CONF_VERSION=v4
 export ENTRYPOINT_CONF_VERSION=v7
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v4
-export HTACCESS_CONF_VERSION=v2
+export HTACCESS_CONF_VERSION=v3
 export USERS_CONF_VERSION=v1

 wp() {
--- a/htaccess.tmpl
+++ b/htaccess.tmpl
@ -1,3 +1,15 @@
+# Protect sensitive files from direct access
+<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
+    Require all denied
+</FilesMatch>
+
+# Prevent PHP execution in uploads directory
+<Directory /var/www/html/wp-content/uploads>
+    <FilesMatch "\.(?i:php|phtml|phar)$">
+        Require all denied
+    </FilesMatch>
+</Directory>
+
 {{ if eq (env "MULTISITE") "" -}}
 # BEGIN WordPress