Need help To Stop WordPress Exploit

Reni

9:32 am on Jan 22, 2009 (gmt 0)

Hi... First time here, this forum looks very helpful. I hope maybe someone can help me.

I think I have many SQL injections with strange URLs like:

http://www.example.com/"http:/www.mysite.com/category/uncategorized/
http://www.example.com/page/2/?url=spammers.we.bs%252Ftest.txt%253F%253F%253F
http://www.example.com/2008/04/my content/\\
http://www.example.com/index.php?fee...gin,0x3a,user_pass,0x3a),2/**/from/**/w
http://www.example.com/index.php?exa...ION/**/SELECT/**/1,2,0x3a,user_login,0x
http://www.example.com/wp-content/pl...concat(0x3a,user_login,0x3a,user_pass,0

I've tried to use this rule, described as "Denies any request for a URL containing characters other than a-zA-Z0-9.+/-?=&":

RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [A-Z0-9\.\+_/\-\?\=\&\%\#]+\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

It seems to help with forbidding strange URLs, but I'm not sure about "may break your site depending on your links".
What does that mean? I used that code in my .htaccess file for about a week but took it off because I felt that my links and my site in Google SERP were slowly decreasing.
My question: Is that the effect or that code doesn't affect incoming links?

Also, I still can't fix an injection like:

http://www.example.com/?ref=www.spammers-www.spammers.com-www.spammers.com

I read some article advising the blocking of bad query strings like this:

<ifmodule mod_rewrite.c>
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC]
RewriteRule .* - [F,L]
</ifmodule>

But the next morning, I found a lot more strange URLs similar to those above. What can I do about this? I'm a newbie with .htaccess. I don't really know which one is the right one for my site.
Thanks.

[edited by: jdMorgan at 2:10 pm (utc) on Jan. 22, 2009]
[edit reason] Please use example.com only [/edit]

Caterham

2:07 pm on Jan 22, 2009 (gmt 0)

I'm wondering if the coding of WP is so bad that you have to deal with mod_rewrite because the application is unable to check the integrity of the variables it uses from the query string itself?

Also, I still can't fix an injection like:

None of your conditions matches, because your QueryString doesn't contain ftp:, http: or https:.

jdMorgan

3:03 pm on Jan 22, 2009 (gmt 0)

It seems to help forbidding strange url's, but I'm not sure about "may break your site depending on your links" What does that mean?

It means that any request matching the patterns in your access-control rules will be denied. So you have to know what is and is not a "valid URL format" for your own site, and avoid using any pattern that would deny access to any request that is valid on your site. Since we do not know your site or what valid URLs exist on it, we cannot answer that question for you.

Because mod_rewrite is complicated, and because regular expressions can be cryptic and hard to interpret, I'd suggest starting off with very specific rules to deny the specific 'bad' requests that you have seen in your logs. As you become more familiar with mod_rewrite and regex, you can then combine rules and take a more sophisticated approach. However, if blocking these exploits is important to you, then use that as a motivation to study up on these subjects and learn them well, because using mod_rewrite without fully understanding it is a recipe for disaster. There are links to useful resources in our Forum Charter, and some tutorials in our Forum Library that may prove useful to you (see links at the top left of this page).

In the meantime, let me throw this modified/cleaned-up code out there, and see if it helps:


# Refuse any request line containing characters outside this whitelist,
# except for requests into the listed WordPress files/directories.
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [0-9A-Za-z#%&+\-./=?_]+\ HTTP/
RewriteRule !^wp-(login\.php|admin/|content/plugins/|includes/) - [NC,F]
#
# Refuse any query string carrying a URL scheme, a ref= or url= parameter,
# a hex literal, or a bare SQL/HTML keyword (the two conditions are ORed).
RewriteCond %{QUERY_STRING} https?:|ftp:|ref=|url=|0x[0-7a-f]{2} [NC,OR]
RewriteCond %{QUERY_STRING} [^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update)[^a-z] [NC]
RewriteRule .* - [F]

Important: Replace all broken pipe "¦" characters above with solid pipe characters before use; Posting on this forum modifies the pipe characters.

Also, be aware that the longer lines of code may wrap at your screen width setting.

If you use this code, then it is up to you to thoroughly test your site and make sure that you don't get denied access in normal surfing and posting. If you do get denied, then go through the rules above and modify them so that your valid requests don't trigger a 403 response.

You can do this either by making the pattern(s) more specific, by adding a RewriteCond exclusion, or by removing one of the (sub-)patterns that matches your valid request. But if you remove a pattern, then you accept that you will be allowing the exploit that that pattern was intended to block.

Jim
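Jim's advice to "thoroughly test your site" before trusting these rules can be done offline, before touching .htaccess. The following is an added example, not code from the thread: a Python script that re-implements Jim's two rule blocks (request-line whitelist with the wp- exemption, then the ORed query-string checks) and runs them over constructed request lines modelled on the URLs in this thread plus some ordinary WordPress requests. It assumes the broken pipes are real `|` characters, that Python's `re` treats these particular patterns the same way Apache's PCRE does (they use only common syntax), and that the sample request lines are made up for illustration. The `evaluate` and `keyword_hits_after_decoding` functions are hypothetical helpers, not anything from WordPress or Apache.

```python
import re
from urllib.parse import unquote, unquote_plus

# Jim's first block: the raw request line must be "<METHOD> <target> HTTP/..." where
# the target is built only from the whitelisted characters. Requests that fail are
# refused unless the RewriteRule's (negated) pattern exempts the path.
REQUEST_LINE_OK = re.compile(r"^[A-Z]{3,9} [0-9A-Za-z#%&+\-./=?_]+ HTTP/")
# In a per-directory .htaccess the RewriteRule sees the URL-decoded path without
# its leading "/", and the NC flag makes the match case-insensitive.
WP_EXEMPT = re.compile(r"^wp-(login\.php|admin/|content/plugins/|includes/)", re.I)
# Jim's second block: two RewriteConds joined by [OR] on the raw (undecoded) query string.
QS_MARKERS = re.compile(r"https?:|ftp:|ref=|url=|0x[0-7a-f]{2}", re.I)
QS_KEYWORDS = re.compile(
    r"[^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script"
    r"|select|truncate|update)[^a-z]",
    re.I,
)


def evaluate(request_line: str) -> str:
    """Return "allow" or a "403 (...)" string naming the rule that would refuse the request."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    path, _, query = target.partition("?")
    rel_path = unquote(path).lstrip("/")
    if not REQUEST_LINE_OK.match(request_line) and not WP_EXEMPT.match(rel_path):
        return "403 (request-line whitelist)"
    # QUERY_STRING is matched raw: "%65" is three characters, not the letter "e".
    if QS_MARKERS.search(query):
        return "403 (query-string marker)"
    if QS_KEYWORDS.search(query):
        return "403 (SQL keyword)"
    return "allow"


def keyword_hits_after_decoding(query: str) -> bool:
    """What the application sees: PHP decodes the query string once, so a keyword
    hidden behind percent-encoding reappears after decoding even though the
    raw-string rule above never saw it."""
    return QS_KEYWORDS.search(unquote_plus(query)) is not None


# Constructed sample request lines (modelled on the thread's URLs, not real log data).
SAMPLES = [
    "GET /2008/04/hello-world/ HTTP/1.1",                       # ordinary post
    "POST /wp-login.php HTTP/1.1",                              # login form
    "GET /wp-admin/load-scripts.php?c=1&load[]=jquery HTTP/1.1",  # "[" fails the whitelist, path is exempt
    'GET /"http:/www.mysite.com/category/ HTTP/1.1',            # stray quote and colon
    "GET /index.php?id=1/**/UNION/**/SELECT/**/1,2,0x3a,user_login HTTP/1.1",
    "GET /?ref=www.spammers-www.spammers.com HTTP/1.1",
    "GET /page/2/?url=spammers.we.bs%252Ftest.txt%253F%253F%253F HTTP/1.1",
    "GET /?s=select+the+best+theme HTTP/1.1",                   # a legitimate site search, refused
    "GET /?s=sel%65ct+the+best+theme HTTP/1.1",                 # same search, one letter encoded, allowed
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{evaluate(line):30} {line}")
```

Two things the run shows that the rules alone do not: a WordPress search for "select the best theme" is refused by the keyword rule (a false positive of exactly the kind Jim warns about), while the same query with one percent-encoded letter sails through, because the RewriteCond inspects the raw query string and PHP decodes it afterwards. The rules are a useful stop-gap against the noisy probes in the thread, not a substitute for the application validating its own input.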

Reni

3:32 pm on Jan 22, 2009 (gmt 0)

Thank you very much Jim and Caterham for your big help, I will try to understand and learn some more. I will let you know later.

Please pardon my language, I'm not very good at English

Reni

8:31 am on Jan 23, 2009 (gmt 0)

Hi Jim. I just added the code to my .htaccess file. I also fixed the broken pipe like you said.

It seems to have worked. My theme and plugins work fine too, and I haven't gotten any 403 denials. I will see how it all goes over time.

Thank you again.