#!/bin/bash
STAMP=20260714
add=0; skip=0; ko=0
for f in ~/*/wp-config.php; do
  s=$(dirname "$f"); site=$(basename "$s")
  ud="$s/wp-content/uploads"
  [ -d "$ud" ] || { echo "  [$site] pas de dossier uploads -> SKIP"; continue; }
  h="$ud/.htaccess"
  if [ -f "$h" ] && grep -qiE "Require all denied|Deny from all" "$h" 2>/dev/null; then
    echo "  [$site] deja durci -> OK"; skip=$((skip+1)); continue
  fi
  [ -f "$h" ] && cp "$h" "$h.bak-harden-$STAMP"
  cat > "$h" <<'HT'
# MREL-HARDEN anti-PHP 20260714
<FilesMatch "\.(php|php3|php4|php5|php7|php8|phtml|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
</FilesMatch>
HT
  if grep -qiE "Require all denied|Deny from all" "$h" 2>/dev/null; then
    echo "  [$site] .htaccess anti-PHP pose"; add=$((add+1))
  else
    echo "  [$site] !! ecriture .htaccess ECHOUEE"; ko=$((ko+1))
  fi
done
echo "  --- pose: $add   deja-ok: $skip   echec: $ko ---"
