Wordpress: Adding Security
Regarding this answer, is correct to add the file debug.log in this way?
RewriteRule (?:debug|readme|license|changelog|-config|-sample)\.(?:php|md|txt|html|log?) - [R=404,NC,L]
Kind Regards
Yes, basically debug.log, but without deny, with 404
Yes, that directive will serve a "404 Not Found" when attempting to request debug.log.
|log?
However, because of the ? in the above regex, it will also block debug.lo. Is that intentional? In fact, if that is intentional then you could simply remove the g? part - since it serves no purpose. But if not, then remove the trailing ? to match debug.log only.
However, it also potentially blocks any URL that simply contains debug.log in the URL-path (since there are no anchors ^ or $ or word boundaries on the regex). For example, the following innocent URL(s) will also be blocked if the directive appears before the WordPress front-controller:
/what-is-the-meaning-of-debug.log-on-my-filesystem
/are-changelog.md-files-really-necessary
(Should you have articles with such a title/slug.)
For this reason, this directive should probably be located at the end of the .htaccess file, after the WordPress front-controller, so that you only block access to physical files. This will also be marginally more efficient.
[R=404,NC,L] - minor point... the L flag is not strictly required here. L is implied when specifying a non-3xx return code.
To simply block (with a 404) requests for debug.log (all lowercase) in the document root only then the following would be sufficient:
RewriteRule ^debug\.log$ - [R=404]
About
Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.