
.htaccess configuration

Open danielbachhuber opened this issue 7 years ago • 1 comments

Because the .htaccess file is a part of many hosts' web server configuration, we should have some recommended dos and don'ts.

For instance, to prevent situations like this (not to call SiteGround out):

Found the source. In our case, SiteGround had put the following block in our .htaccess file:

# Block Request Method #
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|options|put|trace|track) [NC]
RewriteRule .* - [F]

This was the root cause of the issue. I hadn't had the opportunity to attempt anything to prove the case, but I assume the DELETE and OPTIONS methods would have also failed.

Even better would be some form of automated checker :)

From https://github.com/WordPress/gutenberg/issues/2704#issuecomment-329231370

danielbachhuber, Sep 19 '17 00:09
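
One way to implement the automated checker suggested in the issue above, as an added example that is not code from the issue or from the project: it scans .htaccess text for `RewriteCond %{REQUEST_METHOD}` conditions guarding an `[F]` rule and reports which required methods would be refused, including the negated allow-list form. `REQUIRED_METHODS`, the function names and the `ALLOW_LIST` sample are assumptions of this example.

```python
import re

# Assumption of this example: methods a WordPress site needs for its REST API.
REQUIRED_METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS")

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{REQUEST_METHOD\}\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+\S+(?:\s+\[([^\]]*)\])?", re.I)


def _flags(raw):
    return {f.strip().upper() for f in (raw or "").split(",")}


def _cond_matches(pattern, flags, method):
    """Evaluate one REQUEST_METHOD condition; a leading '!' negates the match."""
    negate = pattern.startswith("!")
    regex = re.compile(pattern[1:] if negate else pattern, re.I if "NC" in flags else 0)
    return bool(regex.search(method)) != negate


def blocked_methods(htaccess_text, required=REQUIRED_METHODS):
    """Return [(rule_line_no, [required methods refused])] for [F] rules."""
    findings, conds = [], []
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond:
            conds.append((cond.group(1), _flags(cond.group(2))))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue  # comments, blank lines, other directives
        # Conditions apply only to the next RewriteRule and are ANDed here.
        # Non-method conditions are ignored, so this may over-report.
        if conds and _flags(rule.group(1)) & {"F", "FORBIDDEN"}:
            hit = [m for m in required if all(_cond_matches(p, f, m) for p, f in conds)]
            if hit:
                findings.append((no, hit))
        conds = []
    return findings


# The block quoted in the issue above.
PAGE_BLOCK = """# Block Request Method #
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|options|put|trace|track) [NC]
RewriteRule .* - [F]
"""
# Constructed sample: an allow-list written as a negated condition.
ALLOW_LIST = """RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]
"""
```
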

This kind of problem crops up with ModSecurity, too. It probably would be worthwhile to factor that in when checking for blocks on the request method. Folks used to think restricting the HTTP methods your server can do makes the server more secure. There might be something to some of that for some methods, but I think the "standard" ModSecurity config only allows GET, POST, OPTIONS, and HEAD.

jadonn, Sep 19 '17 02:09