From 4b81322e4f0f1edd2cbb0e8feed7194b6dd58ae6 Mon Sep 17 00:00:00 2001
From: Moritz <moritz.m@local-it.org>
Date: Tue, 28 Apr 2026 01:21:29 +0200
Subject: [PATCH] harden htaccess

---
 abra.sh       |  2 +-
 htaccess.tmpl | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/abra.sh b/abra.sh
index af6ae4a..798c99a 100644
--- a/abra.sh
+++ b/abra.sh
@@ -2,7 +2,7 @@ export PHP_UPLOADS_CONF_VERSION=v4
 export ENTRYPOINT_CONF_VERSION=v7
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v4
-export HTACCESS_CONF_VERSION=v2
+export HTACCESS_CONF_VERSION=v3
 export USERS_CONF_VERSION=v1
 
 wp() {
diff --git a/htaccess.tmpl b/htaccess.tmpl
index 24739f8..9baf114 100644
--- a/htaccess.tmpl
+++ b/htaccess.tmpl
@@ -1,3 +1,15 @@
+# Protect sensitive files from direct access
+<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
+    Require all denied
+</FilesMatch>
+
+# Prevent PHP execution in uploads directory
+<Directory /var/www/html/wp-content/uploads>
+    <FilesMatch "\.(?i:php|phtml|phar)$">
+        Require all denied
+    </FilesMatch>
+</Directory>
+
 {{ if eq (env "MULTISITE") "" -}}
 # BEGIN WordPress