Make WordPress Core

Opened 14 years ago

Closed 14 years ago

#12136 closed defect (bug) (fixed)

Improve MS rewrite rules

Reported by: nacin's profile nacin Owned by: wpmuguru's profile wpmuguru
Milestone: 3.0 Priority: normal
Severity: normal Version:
Component: Rewrite Rules Keywords: has-patch
Focuses: multisite Cc:


I've been looking through the MS rewrite rules, trying to improve performance where possible and possibly coming up with a rule that prevents the need to hard-code wp-content (or, eventually, a custom content directory).

Patch attached what I've simplified so far, which is to reduce the uploaded files and wp-admin trailing slash rules each to a single line, and modify slug handling a bit. Tested on a production subdirectory install.

Attachments (2)

12136.diff (1.1 KB) - added by nacin 14 years ago.
12136.2.diff (921 bytes) - added by nacin 14 years ago.
Includes an optimization from Denis-de-Debernardy from #12497

Download all attachments as: .zip

Change History (17)

14 years ago

#1 @scribu
14 years ago

  • Keywords has-patch added

#2 @wpmuguru
14 years ago

The rewrite base is / or /path/ so in rewriting a request for /path/ron/wp-content/themes/... apache is running the regex on ron/wp-content/themes/... not /ron/wp-content/themes/....

The more specific regex limits the rewrites to what is possible as a blog name and probably provides a bit of security.

#3 @nacin
14 years ago

I don't have a problem with using the more specific regex instead of [/]+. Does the rest of it look good?

#4 @wpmuguru
14 years ago

  • Resolution set to fixed
  • Status changed from new to closed

This one has been done, I believe. We had discussed in IRC & proceeded.

#5 follow-up: @nacin
14 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

None of these changes were applied. I think there is still some potential for optimization but otherwise we should close as wontfix.

#6 in reply to: ↑ 5 @wpmuguru
14 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

I did a bit of testing and changing the rewrite rules to those in the patch allowed me to access the admin area from a bogus path

ex. let me access the admin area at

#7 @wpmuguru
14 years ago

Forgot to add - [13630] brought the allowed blognames in line with the rewrite rules.

#8 @nacin
14 years ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened

Going to re-open this for some incremental improvements. The bogus path works on the current rewrite rules as well.

There are numerous improvements that seem okay to me. In order:

  1. Remove RewriteRule ^(.*/)?files/$ index.php [L] and change files/(.*) in the second rule to files/(.+).
  1. Remove the condition on the wp-admin trailing slash rule by improving the rule itself.
  1. Convert the files and wp-admin rules from ^(.*/)? to ^([_0-9a-zA-Z-]+/)?, to match the other rules and current restrictions.
  1. Remove the wp-content/plugins restriction on files, as the conditions for which it was added shouldn't apply under a properly constructed rule.

14 years ago

Includes an optimization from Denis-de-Debernardy from #12497

#9 @nacin
14 years ago

This has a new patch. Also includes a small optimization from Denis in #12497 (closed as a duplicate).

The issue with wp-content/plugins is that we didn't restrict the initial files rewrite to only one directory deep. Thus it matched:


And that's why we excluded wp-content/plugins.

The proper fix would have been to restrict the depth, via ^([^/]+/)?, which would only have matched the first example above. A desire to instead whitelist directories via _0-9a-zA-Z- also restricts it to a single directory as it prevents a slash, and thus rendering the wp-content/plugins check useless.

Food for thought: especially since .htaccess is generated dynamically, should we strip the directory matching when we're on a subdomain install? Seems like it would greatly simplify the rules (unless I'm mistaken, we'd end up with just ms-files and the standard WP rules).

#10 @jamescollins
14 years ago

Also, WPMU's current URL rewriting rules don't work with URLs that contain ".php". I raised this problem a few months ago (, but a fix hasn't been applied yet.

I had a go at trying to fix it (see the wpmu trac ticket above), but my mod_rewrite knowledge isn't quite up to scratch.

#11 @nacin
14 years ago

The 3.0 rules are improved over the MU rules, and only restrict .php files in the root directory. They still restrict any files in wp-admin/wp-includes/wp-content, but the file must not exist. This doesn't solve your problem, but I wanted to point it out.

What could solve the problem for subdomain installs would be to scrap subdirectory-specific rules when installing a subdomain-based network.

#12 @nacin
14 years ago

(In [13675]) Improve multisite rewrite rules. Construct rules dynamically and skip subdirectory-specific rules for subdomain installs. see #12136

#13 @nacin
14 years ago

(In [13679]) Don't allow access to network.php if running an MU network. It is only for networks created in 3.0. see #11816. Also, fix MS htaccess logic, see #12136

#14 @wpmuguru
14 years ago

This rewrite rule should be removed to improve the site rewrite efficiency:

RewriteRule ^index\.php$ - [L]

Whether or not it improves the efficiency of a request for index.php, it decreases the efficiency of all other requests (wp-content, wp-admin, wp-includes, css, js, tags, categories, archives, attachments, feeds, comments, etc.). Requests for index.php comprise only a small number of the requests on any site.

#15 @wpmuguru
14 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed
Note: See TracTickets for help on using tickets.