Need help blocking requests of non existing php files with htaccess

tuncs

11:19 am on Dec 2, 2015 (gmt 0)

10+ Year Member



Hello, my WordPress-built website is being hit by malicious bots looking for vulnerabilities. They keep checking PHP files that never even existed on my site. Some of the directories they are trying to reach never existed either. Because my site is WordPress-built, each time a non-existing file is requested WordPress loads some files, increasing CPU load. The requests are so frequent that my CPU load increases dramatically, completely freezing my VPS.
I want to know if it is possible to block a request that includes a PHP file which does not exist via .htaccess, e.g. http://example.com/nonexistingfolder/nonexisting.php or http://example.com/nonexsting.php
I am not sure if this is the proper way of adding this rule and I would appreciate some help here:

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} -d [NC,OR]
RewriteCond %{REQUEST_FILENAME} \.(php)$
RewriteRule ^(.*)$ - [F,L]

Kind regards

[edited by: engine at 6:21 pm (utc) on Dec 2, 2015]
[edit reason] please use example.com [/edit]

lucy24

8:49 pm on Dec 2, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Blocking .php is useful on any site that doesn't use .php in URLs. My version looks like this:

RewriteCond %{THE_REQUEST} \.php
RewriteCond %{REQUEST_URI} !{list-exceptions-here}
RewriteRule \.php - [F,NS]

The [NS] flag is technically redundant; it saves the server from having to evaluate conditions on subrequests (for example, mod_dir activity).

Your rule as stated is inefficient in almost every possible way. But the most important one is: never put something in a RewriteCond that can go in the body of the rule. Note that since the rule ends in [F], you do not need to capture anything. Put the rule before the CMS boilerplate involving -f and -d lookups and "index.php".

If you like, you can return a 404 response instead of a 403:

[R=404,NS]

(Yes, it looks funny, but it's correct.) The offending robot has no way of knowing that the 404 was returned manually rather than by actual server lookup.
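Putting the reply above together for the original poster's situation, here is a complete .htaccess as an added example; it is not lucy24's own file or anything from the thread. It assumes a WordPress install at the site root and fills the {list-exceptions-here} placeholder with the PHP entry points a typical WordPress site actually serves (index.php, wp-login.php, wp-cron.php, wp-comments-post.php and anything under /wp-admin/); that list is an assumption and must be adjusted to the site. The blocking rule sits before the standard WordPress block, so the -f/-d filesystem lookups and the hand-off to index.php are never reached for a probe.

```apacheconf
# Added example, not from the thread: refuse requests for .php files that are
# not one of the PHP entry points this WordPress site legitimately uses.
RewriteEngine On

# Match on the raw request line so the test is done once, on the client's
# request, and not repeated for every internal rewrite of the same request.
RewriteCond %{THE_REQUEST} \.php
# Exceptions (ASSUMED for a typical WordPress install; adjust to your site).
# Add xmlrpc.php here only if something actually uses it.
RewriteCond %{REQUEST_URI} !^/(index|wp-login|wp-cron|wp-comments-post)\.php$
RewriteCond %{REQUEST_URI} !^/wp-admin/
# Nothing is captured or substituted: "-" keeps the URL, [F] answers 403,
# [NS] skips the conditions on subrequests (e.g. mod_dir's DirectoryIndex).
RewriteRule \.php - [F,NS]

# Alternative to the line above: answer 404 so the probe looks like a plain
# miss. The substitution is dropped and rewriting stops for non-3xx codes.
# RewriteRule \.php - [R=404,NS]

# BEGIN WordPress
# The stock CMS block stays below the blocking rule; a blocked request never
# gets this far, so WordPress is not loaded for it.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

With this in place, a request such as /nonexistingfolder/nonexisting.php or /nonexsting.php is refused by mod_rewrite before the -f and -d checks run, while /wp-login.php and /wp-admin/admin-ajax.php pass through the exceptions untouched. Check the access log after deploying: any 403 (or 404, with the alternative rule) on a .php path that a real visitor needed means the exception list is missing an entry.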