Protecting 777 directories with .htaccess

Just like my file permissions, there is one .htaccess file I can't live without. It's super simple and will save you from major headaches!

# Refuse to serve any file whose name ends in .php from this directory down
<FilesMatch "\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

That's it! It stops Apache from serving, and therefore executing, .php files requested from the 777 directory and all of its subdirectories. A few things to check: the directives only take effect if AllowOverride for that path permits them (Limit, or All), and Order/Deny is the Apache 2.2 form; on 2.4 it only works through mod_access_compat, and the native equivalent is "Require all denied". Escape the dot in the pattern (\.php$) so it matches a literal .php suffix, and add .phtml, .php5 or .phar to it if your PHP handler is mapped to those extensions as well. With mod_php you can also put "php_flag engine off" in the same file to switch PHP off for the directory regardless of extension. I don't particularly like Apache, as anyone who knows me knows, but I have to work with it daily so I need to know how to do things like this. You could modify that block to also block Perl files, Python files or anything else you don't want executed inside a 777 world-writable directory.

I recently discovered that this works well, except if the attacker removes the .htaccess file. The fix is to give the folder 1777 permissions (777 plus the sticky bit) and then give the .htaccess file an owner that isn't the web server user, with mode 644. The sticky bit means that only a file's owner (or root) can delete or rename it inside that directory, and the non-web-server ownership means the web server cannot write to it either, so a script running as the web server can neither edit nor remove the rule. It does nothing for files the web server itself owns, so check the owner as well as the mode.
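The checks described above, as an added example that is not part of the original post: a small audit script that finds every world-writable directory under a web tree and reports whether its .htaccess could survive a script running as the web server (missing, world-writable, owned by the web-server user, or deletable because the sticky bit is off), plus a helper that writes a PHP-denying .htaccess carrying both the 2.2 and 2.4 syntaxes. The function names and the "www-data"-style web user argument are this example's own choices; the sticky-bit test "[ -k ]" is supported by bash and dash.

```shell
#!/bin/sh
# Added example, not from the original post: audit a web tree for
# world-writable directories and report whether each one's .htaccess
# can survive a script running as the web-server user.
#
# Status printed per directory:
#   MISSING   no .htaccess at all
#   WRITABLE  .htaccess is world-writable, so any local user can edit it
#   WEBOWNED  .htaccess is owned by the web-server user, who can edit it
#   NOSTICKY  directory is writable without the sticky bit, so any user
#             can unlink or rename .htaccess regardless of its owner
#   OK        sticky bit set, .htaccess not world-writable, not web-owned

# audit_world_writable ROOT WEBUSER
audit_world_writable() {
    root=$1
    webuser=$2
    # -perm -0002: every directory with the "other write" bit set
    find "$root" -type d -perm -0002 | LC_ALL=C sort | while IFS= read -r d; do
        h="$d/.htaccess"
        if [ ! -f "$h" ]; then
            status=MISSING
        elif [ -n "$(find "$h" -perm -0002 -print)" ]; then
            status=WRITABLE
        elif [ "$(ls -ld "$h" | awk '{print $3}')" = "$webuser" ]; then
            status=WEBOWNED
        elif [ ! -k "$d" ]; then
            status=NOSTICKY
        else
            status=OK
        fi
        printf '%s %s\n' "$status" "$d"
    done
}

# write_php_deny_htaccess DIR
# Writes an .htaccess that refuses to serve PHP-like files over HTTP.
# Carries both the Apache 2.2 (Order/Deny) and 2.4 (Require) forms so the
# same file works on either version; mode 644 so only the owner can edit it.
write_php_deny_htaccess() {
    dir=$1
    cat > "$dir/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
    chmod 644 "$dir/.htaccess"
}
```

Run it as "audit_world_writable /var/www www-data" (substituting the user your Apache runs as) and fix anything that is not reported OK: write the .htaccess, chown it to a non-web user, and chmod 1777 the directory. Ownership is reported from the ls long listing, so the check is about who can edit the file, not about who can read it.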

Linux Commands – File and Folder Permissions

I regularly find myself dealing with websites that have been hacked, and they almost always have weak permissions. Here are the two commands I can't live without:

# directories: rwxr-xr-x (owner may write; everyone else may list and traverse)
find . -type d -exec chmod 755 {} \;
# files: rw-r--r-- (owner may write; everyone else may only read)
find . -type f -exec chmod 644 {} \;

How to remove .php files recursively from the directory you are currently in.
WARNING: if you run this in your document root you will delete your entire site. Make sure you know where you are; run pwd first to check that your path is correct!

# delete every regular file ending in .php below the current directory
find . -name '*.php' -type f -exec rm -f {} \;
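The two procedures above wrapped into functions, as an added example that is not part of the original post: a permission reset that applies 755/644 to a tree but restores 1777 on the directories that genuinely have to be world-writable (so the sticky bit keeps protecting their .htaccess), and a .php cleanup that refuses to run when the target directory is the document root or an ancestor of it, which is the mistake the warning is about. The function names, the "{} +" batching form of -exec and the document-root argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: reset a web tree to 755/644 while
# keeping named upload directories at 1777, and delete stray .php files from a
# directory with a guard that refuses to operate on the document root.

# reset_web_perms ROOT [KEEP_DIR ...]
# Directories 755, files 644 (the post's two find commands, using the
# "-exec ... {} +" form so chmod runs once per batch instead of once per
# path), then restore 1777 on the directories that must stay world-writable.
reset_web_perms() {
    root=$1
    shift
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for d in "$@"; do
        if [ -d "$d" ]; then
            chmod 1777 "$d"
        fi
    done
}

# remove_php_files DIR DOCROOT
# Recursively deletes *.php under DIR, but refuses (exit 2) when DIR is the
# document root itself or any directory above it. Both paths are resolved
# with pwd -P so symlinks and trailing slashes cannot fool the comparison.
remove_php_files() {
    dir=$(cd "$1" && pwd -P) || return 1
    docroot=$(cd "$2" && pwd -P) || return 1
    case "$docroot" in
        "$dir"|"$dir"/*)
            echo "refusing: $dir is the document root or contains it" >&2
            return 2
            ;;
    esac
    find "$dir" -name '*.php' -type f -exec rm -f {} +
}

# count_php_files DIR : number of .php files remaining (for checking results)
count_php_files() {
    find "$1" -name '*.php' -type f | wc -l | tr -d ' '
}

# mode_of PATH : the ten-character mode string from ls, e.g. drwxrwxrwt
mode_of() {
    ls -ld "$1" | cut -c1-10
}
```

Typical use after a clean-up: "reset_web_perms /var/www/site /var/www/site/uploads" and then "remove_php_files /var/www/site/uploads /var/www/site". The guard is deliberately narrow: it only protects the document root you name, so a wrong DOCROOT argument still lets you delete things you meant to keep.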

Deciding on a framework…

I've been umming and ahhing about what framework to use for my IsRaiding site. I've decided to go with DooPHP. I'm having some trouble with the view rendering: ->render doesn't seem to want to work for me, however ->renderc works fine.

I just realised that all my original templates that I purchased were all Wrath of the Lich King colours so I’m busy in Photoshop changing the colour schemes for Cataclysm. I’m also trying to decide on a set of fonts for my site. I’m thinking Serif headings with a sans body. Decisions, decisions…

Load testing with Siege – Part II

edit: One thing to note is that both of these tests are testing WordPress more than anything. I've since run tests using just <?php echo phpinfo(); ?>, which did 24 million page views with 0 failures.

I set Siege up last night to run for 6 hours, although it appears that it was shut down after 19 minutes. I suspect it's my own poor configuration of Siege that caused the problem, but it still produced some interesting stats. I pumped the concurrency up to 280, which I think is about the limit for my Siege box due to memory.

Here is the report…
Transactions:                  105786 hits
Availability:                  99.03 %
Elapsed time:                1165.26 secs
Data transferred:             223.68 MB
Response time:                  2.55 secs
Transaction rate:              90.78 trans/sec
Throughput:                     0.19 MB/sec
Concurrency:                  231.35
Successful transactions:      106299
Failed transactions:            1031
Longest transaction:           26.49
Shortest transaction:           0.35

Unfortunately at this level I'm getting close to a full 1% of failures (1031 failed out of 106817 attempted transactions, which is the 99.03% availability above). On the other hand the hardware is sustaining 90.78 transactions/sec, which works out to roughly 7.8 million page views per day (90.78 × 86,400) if it held that rate around the clock.
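A small script that pulls the capacity figures out of a Siege report, as an added example that is not part of the original post. It embeds the report printed above, reads the transaction count, transaction rate and failure count, and derives the per-day projection and the failure rate the way Siege's own Availability figure does (hits divided by hits plus failures). It also flags whether the failure count passed 1024, which is the default value of the "failures" setting in Siege's rc file, the threshold at which Siege aborts a run; a run stopping after 19 minutes with 1031 failures is consistent with that limit, though the post does not confirm it. The function names and the siege command line in the comment are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: derive a daily capacity estimate
# and a failure rate from a Siege report. The report below is the one printed
# in the post, embedded here so the script runs offline.
#
# A run shaped like the one described (280 concurrent users for six hours,
# URLs taken from a file) is started with something like:
#   siege -c 280 -t 6H -f urls.txt
# Siege also reads defaults from its rc file, including "failures", the
# number of failed transactions after which it aborts the run (default 1024).

sample_report() {
    cat <<'EOF'
Transactions:                  105786 hits
Availability:                  99.03 %
Elapsed time:                1165.26 secs
Data transferred:             223.68 MB
Response time:                  2.55 secs
Transaction rate:              90.78 trans/sec
Throughput:                     0.19 MB/sec
Concurrency:                  231.35
Successful transactions:      106299
Failed transactions:            1031
Longest transaction:           26.49
Shortest transaction:           0.35
EOF
}

# siege_projection < report
# Prints: "<page views per day> <failure %> <over|under>"
#   views per day = transaction rate sustained for 86,400 seconds
#   failure %     = failed / (hits + failed), the complement of Availability
#   over/under    = whether failures exceeded Siege's default abort limit
siege_projection() {
    awk '
        /^Transactions:/        { hits = $2 }
        /^Transaction rate:/    { rate = $3 }
        /^Failed transactions:/ { failed = $3 }
        END {
            limit = (failed > 1024) ? "over" : "under"
            printf "%.0f %.2f %s\n", rate * 86400, 100 * failed / (hits + failed), limit
        }'
}

# Example usage (stand-alone run): feed the embedded report through it.
sample_report | siege_projection
```

Paste any other Siege report into sample_report, or pipe siege's output straight in, to get the same three figures. Note that Siege's "Successful transactions" counts 2xx and 3xx responses and can exceed "Transactions", so the failure rate is computed against hits plus failures rather than against the successful count.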

One thing to note is that my setup is currently "out of the box": I haven't used any special configuration or caching (outside of APC). When I get a chance I'll configure Nginx properly and do some more testing.