Can an .htaccess file be used to block insertion of scripts?

I need to know from you experts if there is a way to block insertion of scripts into any file using an .htaccess file. If you know of a way to do that, please insert the code here, so I can add it to my .htaccess file.

What exactly do you mean by “block insertion of scripts into any file”? What scripts are you having a problem with, and where do they come from?

Someone inserted a script into a .js file in my NEWSPAPER theme (under WP CONTENT/themes/etc…). It produced a virus warning, and also made all the images on my posts/pages not appear… for some reason, they left the mobile .js file alone, so I was able to determine which file it was, delete the script, then it worked. I’m looking for something in .htaccess that will prevent anyone other than an administrator from writing into files like that.

So it was done by someone authorized to log into your site? If so, the .htaccess file isn’t the place to be looking for a remedy. That’s for preventing things like scripts from external sources running on your site.

Again, if so, the way to address your issue is to limit the permissions of the person who did this. By default, adding a script from within ClassicPress can be done only by an administrator. So either you have a fellow administrator who’s gone rogue or else you have something on your site (probably a plugin) that has changed the default permissions.

If, on the other hand, you are talking about some external source for the trouble, then my primary concern would be how it got there. Do you have any logs that tell you who did what?

Ah, I wasn’t clear… it was from an external source… the logs don’t show who did it, and there’s only one administrator on the site - me. Isn’t there code for an .htaccess file that would prevent anyone except me from writing into a file?

There is something you can add to the .htaccess file to stop an external script loading, sure. But it won’t work if the script is actually on your own server.

The point is that no-one can just “insert” a script into someone else’s site unless they have some sort of access. So you should be more concerned about how this other person got access.

1 Like

In other words, a person got access, maybe by hacking the site or by means of a plugin/theme that you installed and that had a backdoor in it.
Then this person injected your site.
Are you using plugins or themes downloaded from sites that are not secure? Or plugins and themes that were nulled and given away for free? This is one of the possible ways a person can get access to your site without you being aware it happened.

1 Like

You should probably check that the permissions on files and folders are what they should be to ensure there aren’t rights assigned which are too open.

1 Like
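One way to carry out the permissions check suggested above, as an added example that is not part of the original thread: a shell audit that lists files and folders any account on the server can write to, plus .js and .php files that changed recently (the symptom described earlier in the thread). The function names and the 7-day default window are assumptions made for this example; the site directory is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread): audit a site directory for
# permissions that are too open and for recently modified script files.

# Files and directories that every user on the server can write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Group-writable but not world-writable; on shared hosting the group
# may include other accounts, so these deserve a second look.
group_writable() {
    find "$1" \( -type f -o -type d \) -perm -0020 ! -perm -0002 -print
}

# .js and .php files modified within the last N days (default 7, an
# assumption for this example). Unexpected hits point at injected code.
recently_changed() {
    find "$1" -type f \( -name '*.js' -o -name '*.php' \) -mtime "-${2:-7}" -print
}

# Print a labelled report; return 0 when nothing was found, 1 otherwise.
audit_site() {
    root="$1"
    days="${2:-7}"
    report=$(
        world_writable "$root" | sed 's/^/WORLD-WRITABLE    /'
        group_writable "$root" | sed 's/^/GROUP-WRITABLE    /'
        recently_changed "$root" "$days" | sed 's/^/RECENTLY-CHANGED  /'
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Usage: sh audit.sh /path/to/site [days]
if [ "$#" -gt 0 ]; then
    audit_site "$@"
fi
```

A recently changed file is not proof of tampering, since theme and plugin updates also touch these files; compare any hit against a clean copy of the theme or plugin.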

@Dick_Metcalf your best option is to use a security plugin if you haven’t yet. Shield Security is very good and compatible with ClassicPress. The free version is very good, and it also has a paid version.

2 Likes