When looking at my web server's access & error logs I notice quite a few instances where attackers seem to be fishing for the existence of certain *.php files and I don't actually want to help them with a 404 status message! Rather I'd like to return some happy 200 status and some dummy content for whatever non existing *.php file some idiot hacker tries to call on my site.
Also I don't care to have my error log spammed with respective non-existing php access attempts, e.g.: [Thu Apr 16 11:42:42.700317 2020] [proxy_fcgi:error] [pid 3318670] [client x.x.x.x:54236] AH01071: Got error 'Primary script unknown\n', i.e. I'd like to redirect before the server feels inclined to report that issue.
What I am looking for is some web server internal redirect for all non-existing *.php files that will respond as if there actually was a respective (dummy) file. My web server access is limited to Plesk and .htaccess so ideally I am looking for something that I can configure via .htaccess
Any suggestions?
seems that adding the below in .htaccess pretty much does what I am looking for by redirecting any non-existing *.php files to _404.php:
# use dummy file for all non-existing .php files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} \.(php)$ [NC]
RewriteRule ^(.*)$ /_404.php [QSA,L]
</IfModule>