I am migrating from Drupal to WordPress, but don’t want to copy everything over. Some articles, I want in WordPress, but others can be left on the old site, or even on an old static archive.

This tool helps create the rewrite rules, and inserts them into the .htaccess file.

(Warning: This is not good security practice. You shouldn’t modify the .htaccess file. The right way to do this is a small application that saves redirection information to a database. The admin interface to it should have a password on it. The only modification to .htaccess should be rules to pass through files that exist, and then pass unknown URLs to the redirection application. You have been warned.)

I start off by copying the article from the old CMS to the new one. Then I copy the URLs into the form fields on this script. Clicking “preview” loads up the page previews. If they appear to be the same article, we’re good. Press “verify” and the script will try to rewrite the .htaccess file.

The script works by searching for the string “# BEGIN PAGE REDIRECTS\n”. Add a line like that to your .htaccess, within the mod_rewrite block. Don’t indent it, because that causes the match to fail.

chown the file to www-data:www-data so you can write the file. Then create a directory named “htaccess-backups”.

Also, name this file something like nufwenjfkewbefiwfhefdsfmsetsetse.php, so it can never be guessed. This code is a huge security hole.

<?php
// Echo helper. Output is NOT escaped; see the notes after the code.
function e($t) {
	echo $t;
}
// Form fields; default to empty strings on the first (GET) request.
$original = $_POST['original'] ?? '';
$new = $_POST['new'] ?? '';
$action = $_POST['action'] ?? '';
?>
<style>
iframe {
	width: 40%;
	height: 80%;
}
</style>
<h1>Migration Tool</h1>

<form method=post>
Original URL:
<input name=original size=50 value="<?php e($original); ?>">
New URL:
<input name=new size=50 value="<?php e($new); ?>">
<input name="action" type=submit value="preview" />
<?php if ($new && $original) { ?>
	<input name="action" type=submit value="verify" />
<?php } ?>
</form>
<?php
	if ($action == 'verify') {
		// Marker lines that must already exist in .htaccess.
		$start = "# BEGIN PAGE REDIRECTS\n";
		$end = '# END PAGE REDIRECTS';
		// Keep a timestamped backup before touching the live file.
		$date = date('mdHis');
		copy('.htaccess', 'htaccess-backups/hta-'.$date);
		$file = file_get_contents('.htaccess');
		// Strip the site prefixes to get the pattern and the target path.
		// Both values are used unvalidated.
		$match = str_replace('http://riceball.com/d/', '', $original);
		$location = str_replace('http://riceball.com', '', $new);
		$line = 'RewriteRule ^'.$match.'$ '.$location." [L,R=301]\n";
		// Insert the new rule directly after the BEGIN marker.
		$newfile = str_replace($start, $start.$line, $file);
		file_put_contents('.htaccess', $newfile);
		echo "<p>";
		echo "Wrote $line";
		echo "<p>";
		echo "Test <a href='$original' target='_blank'>$original</a>";
	} else {
		// Preview mode: show both pages side by side.
		if ($original) {
			echo "<iframe src='".$original."'></iframe>";
		}
		if ($new) {
			echo "<iframe src='".$new."'></iframe>";
		}
	}
?>


A way to hack this script

I think you could post a form where original=/.* and new=some-arbitrary-url and force all the pages to redirect to your arbitrary url, stealing all the links to your site.

The cheap technique I use to combat this is naming the file with a long random string. As long as the attackers can’t get an index of the directory, you’re pretty safe. If you need more security, then put the script into a password-protected subdirectory.

This type of program, which modifies code, is always risky. It’s especially risky because it modifies code that’s executed by Apache, which is hosting the PHP environment, so it potentially affects more than your PHP code. If the attacker can pass newlines into the strings that get written, they can write directives to alter the behavior of Apache and cause a file uploaded somewhere on the site to be executed. It’s a kind of privilege escalation. I’m working on a small application that is safer.

In the meantime, you can use this to write your redirect rules, and then delete the script to protect yourself.
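Both problems described above (a wildcard pattern such as .* and newlines reaching the written line) can be closed by validating the two URLs before the rule is built. The following is an added example, not part of the original script: build_redirect_rule() and the allowed character set are assumptions, while the riceball.com prefixes come from the code above.

```php
<?php
// Added example. Prefixes are the ones used in the script on this page;
// the allow-list policy below is an assumption, adjust it to your URLs.
const OLD_PREFIX = 'http://riceball.com/d/';
const NEW_PREFIX = 'http://riceball.com';

// Returns one RewriteRule line, or null if either URL is unacceptable.
function build_redirect_rule(string $original, string $new): ?string
{
    // Require the expected prefixes instead of str_replace(), which
    // silently passes through anything that does not contain them.
    if (strncmp($original, OLD_PREFIX, strlen(OLD_PREFIX)) !== 0 ||
        strncmp($new, NEW_PREFIX . '/', strlen(NEW_PREFIX) + 1) !== 0) {
        return null;
    }
    $match = substr($original, strlen(OLD_PREFIX));
    $location = substr($new, strlen(NEW_PREFIX)); // always starts with '/'

    // Allow-list of path characters. This rejects newlines, spaces, '#'
    // and regex wildcards such as '*' in one step. \z is used instead of
    // '$' so that a trailing newline cannot slip through.
    $safe = '/\A[A-Za-z0-9\/_.-]+\z/';
    if (!preg_match($safe, $match) || !preg_match($safe, $location)) {
        return null;
    }

    // '.' is allowed in paths but is a metacharacter on the pattern side
    // of RewriteRule, so make it literal there.
    $pattern = str_replace('.', '\\.', $match);
    return 'RewriteRule ^' . $pattern . '$ ' . $location . " [L,R=301]\n";
}

// Constructed sample inputs: one normal pair, then the cases from the text.
$samples = [
    ['http://riceball.com/d/node/12', 'http://riceball.com/2014/old-post/'],
    ['http://riceball.com/d/.*', 'http://riceball.com/anything'],
    ['http://riceball.com/d/node/12', "http://riceball.com/x\n# injected line"],
    ['http://riceball.com/d/node/12', 'http://example.invalid/elsewhere'],
];
foreach ($samples as [$o, $n]) {
    $rule = build_redirect_rule($o, $n);
    echo $rule === null ? "rejected\n" : "accepted: $rule";
}
```

Only when the function returns a string should the script go on to back up and rewrite .htaccess.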
