.htaccess files are hierarchical: Apache reads the .htaccess file in the hosting account root folder and then every .htaccess file in the folders below it on the way to the requested file, and merges them. The root .htaccess file therefore applies its security rules to all subfolders below it. A subfolder that has its own .htaccess file overrides the root's rules only for the directives it sets itself; directives it does not set are still inherited from the root (see Note below). The one exception is mod_rewrite: a subfolder .htaccess file that contains its own RewriteEngine On / RewriteRule lines replaces the parent's rewrite rule set entirely (unless RewriteOptions Inherit is used), so the parent's RewriteRules are not applied under that subfolder at all. The best Site Security Architecture/Design technique is to compartmentalize your security by installing each of your websites in its own separate folder (on some hosts that is not possible and you have to have a root website installation) so that one website's .htaccess file does not affect another site's .htaccess file. Sibling folders have no parent/child relationship, so this lets you create separate and unique security rules per site.
Note: Some .htaccess directives will still be applied to subfolder/subdirectory/Addon/child sites (child folders below the hosting account root folder) if an .htaccess file exists in the hosting account root folder (parent folder), because Apache inherits every directive that the child .htaccess file does not set itself. Security Logging is driven by the ErrorDocument directive, which is exactly such a directive. Example: If you turn off Security Logging in a subfolder or subdomain site, so that its .htaccess file contains no ErrorDocument directives, but you have a root website in the hosting account root folder with Security Logging turned on, then the ErrorDocument directives from the hosting account root .htaccess file are inherited by the subfolder/subdomain site and Security Logging will still occur on that subfolder/subdomain website. If each site were compartmentalized in its own folder that would not occur, since no parent/child folder relationship would exist. If Security Logging is turned on for both the root site and the subfolder/subdomain site, then the subfolder/subdomain site sets its own ErrorDocument directives, and Apache uses those (the more specific ones) for that site rather than the root website's.
Example:
Let's say that you are using the Brute Force Login attack protection code below in your root website's .htaccess file, located in your hosting account root folder, and you do not have any wp-login.php .htaccess code/rules in a subfolder site's .htaccess file. Because the subfolder site is a child folder of the parent site folder, this root .htaccess rule is merged into the subfolder site's configuration and applies to that site's Login page as well. Both the root site and the subfolder site would use/follow this rule. With Order Allow,Deny the default is to deny, so only clients matching one of the Allow lines can reach wp-login.php; everyone else receives a 403. Order, Allow and Deny are the Apache 2.2 access-control syntax: Apache 2.4 still honours them through mod_access_compat, but if that module is not loaded the unknown directive makes the .htaccess file fail with a 500 Internal Server Error, and the native 2.4 equivalents are Require ip for the addresses and Require all granted for the override shown further below.
# Protect wp-login.php from Brute Force Login Attacks based on IP Address
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your website domain name. Note: a host-name entry is matched against the
# client's reverse-DNS host name (Apache does a double reverse lookup), so this
# admits requests coming from that host (for example the server calling itself),
# not requests for the site.
Allow from example.com
# Add your website/Server IP Address
Allow from 69.200.95.1
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 65.100.50.
</FilesMatch>
So let's now say that you want Brute Force Login protection on the root website, but do not want Brute Force Login protection on the subfolder site. This is how you would achieve that. In your subfolder site's .htaccess file you would add the .htaccess code below, which says allow everyone to access your subfolder site's wp-login.php Login page. Apache applies the matching FilesMatch sections from the root and from the subfolder in that order, and the access-control module does not merge them, so the subfolder/child site's own wp-login.php rule replaces the root/parent site's wp-login.php rule for that site.
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
Allow from all
</FilesMatch>
Visual Structural Example:
This example shows the hierarchy of several websites installed in folders under a hosting account. Each folder contains a website / is the folder where a website is installed. This example shows the relationship of parent/child folders/websites and how .htaccess files/rules are applied from parent to child folders/websites. The .htaccess ErrorDocument directive tells Apache what to serve for a given HTTP Status Response code (an error is internally handed to the configured document or script), and Security Logging is driven by it; the ErrorDocument directive's effect/impact on all sites is explained in the Summary.
Note: Child folder .htaccess files at the same folder structure level do not affect each other. Example: The /affiliates/ and /aitpro-blog/ folders/websites are at the same folder structure level. Their relationship to each other is NOT parent >>> child.
Folders (not URLs):
/.htaccess – root .htaccess file (ie /public_html/.htaccess) is a parent htaccess file in the Document root folder of the hosting account.
/api/
/affiliates/
/aitpro-blog/
/exampleA.com/
/exampleB.com/
/forum/private/
/wordpress-testing-website/
Root .htaccess file in the Document Root folder of the hosting account:
Note: See this Forum Topic link for where and how to add RewriteRule custom code to BPS Custom Code: http://forum.ait-pro.com/forums/topic/custom-applications-outside-of-wordpress-3rd-party-apps/#post-13664
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# Do not apply rules to other child websites &
# do not log errors for these child sites
RewriteRule ^api/ - [L]
RewriteRule ^affiliates/ - [L]
RewriteRule ^aitpro-blog/ - [L]
RewriteRule ^exampleA.com/ - [L]
RewriteRule ^exampleB.com/ - [L]
RewriteRule ^forum/ - [L]
RewriteRule ^wordpress-testing-website/ - [L]
With these rules in place the root website's .htaccess file never generates an error response for requests under any of these folders/websites. A RewriteRule whose substitution is - rewrites nothing, and the [L] flag stops processing of the rest of the root rule set, so the root security-filter rules that would otherwise produce 403 responses (and therefore Security Logging entries) are never evaluated for those URIs. In other words, this is a form of skip/bypass rule for folders/websites of sorts. Note what it does and does not do: it stops the parent's rules from firing for child paths; it does not stop the ErrorDocument directive itself from being inherited by a child .htaccess file that sets none of its own (see the Summary).
The /forum/ folder/website has a subfolder website in /forum/private/. Because /forum/.htaccess contains its own RewriteEngine On and RewriteRule lines, Apache uses that rule set for everything under /forum/ instead of the root's (per-directory rewrite rules replace the parent's rather than merging with them unless RewriteOptions Inherit is set), so the root .htaccess file's rules are not applied to the /forum/ folder; the root's ^forum/ pass-through rule is a harmless safety net in that case. The /forum/ website in turn uses a RewriteRule for the /private/ folder so that the rules in the /forum/.htaccess file are not applied to the /private/ folder/website.
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# Do not apply rules to other child websites &
# do not log errors for these child sites
RewriteRule ^private/ - [L]
Summary: The root website in the hosting account root folder will not generate any error responses for the /forum/ site, and the /forum/ site will not generate any for the /private/ site, so neither parent's security rules ever trigger the ErrorDocument handler on a child site's behalf. What this means is that each site is now controlling its own Security Logging: a child site that sets its own ErrorDocument directives (Security Logging on) uses those, and a parent's rules can no longer produce logged errors under a child's folder. One caveat remains, because ErrorDocument is an inherited directive: a child site with Security Logging turned off (no ErrorDocument directives of its own) still inherits the parent's ErrorDocument directives for any error that the child itself produces, such as a 403 from its own rules or a 404 for a missing file. If you did not create RewriteRules like this then the hierarchical nature of .htaccess files would apply the root website's filter rules and its ErrorDocument directives to all child sites, meaning that even if Security Logging was turned off on a child site, Security Logging would still occur for that child website.
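The two behaviours this page relies on, the wp-login.php FilesMatch override for a subfolder site and the pass-through RewriteRules that keep a parent's rules from firing under a child folder, are easy to confuse with "the child's .htaccess replaces the parent's". The following model of Apache's per-directory merge is an added example written for this page; it is not code from the page or from the BPS plugin. The .htaccess contents it evaluates are constructed to mirror the folder hierarchy above (the rule forbidding *.bak files is a hypothetical stand-in for a real security-filter rule), and the model keeps only what the page needs: ErrorDocument, a FilesMatch block with Order Allow,Deny plus Allow lines, and RewriteRule lines with the F and L flags. It ignores Deny lines, host-name entries, RewriteCond, RewriteOptions Inherit and the Apache 2.4 Require syntax, and the directory names, paths and IP addresses are illustrative.

```python
import re
from dataclasses import dataclass, field

# Constructed .htaccess files keyed by directory ("/" is the document root); the rule
# forbidding *.bak files is a hypothetical stand-in for a real security-filter rule.
HTACCESS = {
    "/": r"""ErrorDocument 403 /403.php
RewriteEngine On
RewriteRule ^api/ - [L]
RewriteRule ^aitpro-blog/ - [L]
RewriteRule ^forum/ - [L]
RewriteRule \.bak$ - [F]
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
Allow from 65.100.50.
</FilesMatch>""",
    "/forum/": r"""ErrorDocument 403 /forum/403.php
RewriteEngine On
RewriteRule ^private/ - [L]
RewriteRule \.bak$ - [F]""",
    "/forum/private/": "# Security Logging off here: no ErrorDocument of its own",
    "/aitpro-blog/": r"""<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
Allow from all
</FilesMatch>""",
}

@dataclass
class DirConfig:
    error_docs: dict = field(default_factory=dict)     # status code -> handler path
    rewrite_on: bool = False
    rewrite_rules: list = field(default_factory=list)  # (compiled pattern, flags)
    files_match: list = field(default_factory=list)    # (compiled pattern, Allow entries)

def parse_htaccess(text):
    cfg, section = DirConfig(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("<FilesMatch"):
            section = (re.compile(re.search(r'"(.*)"', line).group(1)), [])
            cfg.files_match.append(section)
        elif line.startswith("</FilesMatch>"):
            section = None
        elif section is not None:                  # inside a block: Order Allow,Deny assumed
            if line.startswith("Allow from"):
                section[1].append(line.split(None, 2)[2])
        else:
            parts = line.split()
            if parts[0] == "ErrorDocument":
                cfg.error_docs[int(parts[1])] = parts[2]
            elif parts[0] == "RewriteEngine":
                cfg.rewrite_on = parts[1].lower() == "on"
            elif parts[0] == "RewriteRule":
                flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
                cfg.rewrite_rules.append((re.compile(parts[1]), flags))
    return cfg

def ip_allowed(client_ip, entries):
    """'all', a full IPv4 address, or a partial one cut at an octet boundary (65.100.50.)."""
    for entry in entries:
        if entry == "all":
            return True
        prefix = entry if entry.endswith(".") else entry + "."
        if (client_ip + ".").startswith(prefix):
            return True
    return False

def evaluate(files, request_path, client_ip):
    """Return (status, ErrorDocument 403 handler in effect, what decided the status)."""
    dirs = ["/"]
    for part in request_path.rsplit("/", 1)[0].strip("/").split("/"):
        if part:
            dirs.append(dirs[-1] + part + "/")
    configs = [(d, parse_htaccess(files[d])) for d in dirs if d in files]
    # ErrorDocument is merged parent -> child: deepest setting wins, none set = inherited.
    error_doc = None
    for _, cfg in configs:
        error_doc = cfg.error_docs.get(403, error_doc)
    # Matching <FilesMatch> sections from every level apply in order; mod_access_compat
    # has no merge function, so the last matching section replaces the earlier ones.
    filename, allow = request_path.rsplit("/", 1)[1], None
    for _, cfg in configs:
        for pattern, entries in cfg.files_match:
            if pattern.search(filename):
                allow = entries
    if allow is not None and not ip_allowed(client_ip, allow):
        return 403, error_doc, "FilesMatch access rule"
    # Per-directory rewrite rule sets are replaced, not merged: the deepest directory
    # with RewriteEngine On supplies the whole set and sees the path relative to itself.
    rule_dir, rules = "/", []
    for d, cfg in configs:
        if cfg.rewrite_on:
            rule_dir, rules = d, cfg.rewrite_rules
    for pattern, flags in rules:
        if pattern.search(request_path[len(rule_dir):]):
            if "F" in flags:
                return 403, error_doc, "RewriteRule [F] in " + rule_dir
            if "L" in flags:  # "- [L]": URI left alone, rest of the set skipped
                return 200, error_doc, "pass-through RewriteRule in " + rule_dir
    return 200, error_doc, "no rule matched in " + rule_dir
```

Running evaluate(HTACCESS, "/forum/private/backup.bak", "8.8.8.8") shows the caveat from the Summary in one result: the request is passed through by the ^private/ rule in /forum/, so no 403 is generated, yet the ErrorDocument in effect for /forum/private/ is still /forum/403.php because that folder sets none of its own. Requesting /aitpro-blog/wp-login.php from an address outside 65.100.50. is allowed, because the subfolder's Allow from all section is the last matching FilesMatch and wins outright, while the same request against the root site's wp-login.php is refused.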