I have the following lines in my htaccess file -
SetEnvIfNoCase User-Agent "go-http-client" getout # hackers
SetEnvIfNoCase User-Agent "python" getout # hackers
SetEnvIf Request_URI "^(/403\.shtml|/405\.shtml|/406\.shtml|/410\.shtml|/415\.shtml)$" allowsome
ErrorDocument 404 /otr/404err\.php
ErrorDocument 403 /otr/403err\.php
<Files *>
order deny,allow
deny from env=getout
allow from env=allowsome
</Files>
# last trap for other .php files
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
RewriteRule ^.+\.php(.*)?$ /otr/404err\.php [L]
And it works fine for some lines from my logs but not others. As can be seen in the first three lines below that have been rejected correctly, but the next three where the .php files being requested are in the root of the site just return a 404. The same is happening with the python exclusion as displayed in the last three lines. None of the php or js files or the folders mentioned exist by the way.
"GET / HTTP/1.1" 403 - "-" "Go-http-client/1.1"
"GET /wp-content/plugins/ HTTP/1.1" 403 - "-" "Go-http-client/1.1"
"GET /wp-admin/admin-ajax.php HTTP/1.1" 403 - "-" "Go-http-client/1.1"
"GET /wp-content/themes/twenty/twenty.php HTTP/1.1" 403 - "-" "Go-http-client/1.1"
"GET /wp-head.php HTTP/1.1" 404 712 "-" "Go-http-client/1.1"
"GET /class.api.php HTTP/1.1" 404 712 "-" "Go-http-client/1.1"
"GET /st.php HTTP/1.1" 404 712 "-" "Go-http-client/1.1"
"GET /wp-includes/js/jquery/jquery.min.js HTTP/1.1" 403 - "-" "python-requests/2.27.1"
"GET /inputs.php HTTP/1.1" 404 199 "-" "python-requests/2.27.1"
"GET /robots.txt HTTP/1.1" 403 - "-" "python-requests/2.27.1"
I do have other checks in the htaccess file such as that last trap line but I would have thought the SetEnvIfNoCase would work first. And in any case line three of the log contains a .php file but that was caught by the SetEnvIfNoCase. I have tried to include the lines from my htaccess that would be applicable but not my entire file.
Any thoughts folks?