WordPress.org

BulletProof Security
[resolved] wp-content in htaccess (15 posts)

  1. myefreelance
    Member
    Posted 1 year ago #

    If you install the WordPress content in another path (not wp-content), the ErrorDocument or Plugin Exploit Rules don't apply.

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    It is not recommended that you change the wp-content folder path since trying to hide things will never be a real security measure. It would be a very simple thing to find the new wp-content folder name so there is really no point in changing the wp-content folder name at all.

    The most effective security approach is an Action Security Approach based on bad actions.

    bad hacker X does bad action Y and Z is the result = Forbidden/blocked/etc.

    BPS uses WordPress Constants for the wp-content directory/folder WP_CONTENT_DIR and all other WordPress directories/folders. If you are doing some other method of hiding the wp-content folder that is not using a WordPress Constant then BPS will not be able to detect that directory/folder location. You should always use WordPress Constants if you are going to change the normal/standard WordPress structure/architecture.

    If you are using WordPress Constants and you use the BPS AutoMagic buttons then BPS will find and write the correct new folder name/path that you have created for your wp-content folder.

  3. myefreelance
    Member
    Posted 1 year ago #

    Perhaps I'm not being very clear. I already use WP_CONTENT_DIR in wp-config.php, but when I use the BPS AutoMagic buttons, the secure.htaccess in bulletproof-security\admin\htaccess contains "wp-content" instead of WP_CONTENT_DIR, e.g. in the ErrorDocument or Plugin Exploit Rules.

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Oh, OK, now I understand what you are saying. Yes, you are correct that file does contain the literal "wp-content" folder name. It is only a demo/temporary file. When you use/click the AutoMagic buttons that demo/temporary file is overwritten with your actual website's real information.

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    If clicking the Create secure.htaccess file button does not overwrite this demo/temporary file then there is a permissions or Ownership issue/problem going on where BPS is not allowed to write to this file due to file permission or Ownership restrictions on your Server. Check the Edit/Upload/Download page and you should see this - File Open and Write test successful! The secure.htaccess file is writable. If you see an error saying that the file is not writable then post that error.

  6. myefreelance
    Member
    Posted 1 year ago #

    But I don't think so, because I can see the literal "wp-content" in "options.php". I think that this is the reason why it doesn't work for me, e.g. logging 403 errors.

  7. myefreelance
    Member
    Posted 1 year ago #

    I checked it (Edit/Upload/Download page) and I can see this: "File Open and Write test successful!".

  8. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Oh yeah actually you are correct. We left wp-content in those particular .htaccess file writing areas for some reason. I believe it caused the write process to break for everyone else who is using the standard/normal WordPress wp-content folder path/name. You will need to manually change this in your root .htaccess file.

  9. myefreelance
    Member
    Posted 1 year ago #

    Thanks, but I suppose that this bug will be solved in the next release.

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    We will have to add an additional option for folks who have decided to change their wp-content folder name so that this does not break everyone else's websites during the .htaccess file writing process. ;) This is the only area in BPS where we are using the literal wp-content path. Everywhere else the WP_CONTENT_DIR constant is used.

  11. myefreelance
    Member
    Posted 1 year ago #

    Thanks.

  12. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Actually this has been completed by someone already. It will be added/included in BPS .48.4.

  13. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    This has been added/included in BPS .48.4. Resolving.

  14. Sliva
    Member
    Posted 1 year ago #

    I actually just created a forum account to ask a question along similar lines to this. I installed Better WP Security and used the change wp-content folder option (unfortunately no option given to undo). After searching for posts and articles about if that was a feature that was worth the complications, with no results, this answers my question. Thanks. :) Luckily I did find a way to (hopefully) manually undo the change. For anyone else who needs to do this the link is here:
    Luckily I haven't actually added any content on this install yet.

  15. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Great thanks! The whole concept of hiding/changing the wp-content folder name is silly because if a cURL scan is done on the site searching for a bit of code that has a known vulnerability or exploit then whatever the new name for the wp-content folder is will be displayed in that cURL scan. Silly. ;)
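
An added example, not part of the thread and not BPS code: a check for the situation discussed above, where WP_CONTENT_DIR points at a renamed folder but active .htaccess rules still carry the literal "wp-content", so they no longer match. The wp-config.php and .htaccess samples, the plugin path and the function names are constructed; it assumes the last path segment of WP_CONTENT_DIR is also the folder name used in URLs.

```python
import re

# Constructed sample inputs (not taken from BPS or from the thread).
WP_CONFIG = """<?php
define('WP_CONTENT_DIR', dirname(__FILE__) . '/assets');
define('WP_CONTENT_URL', 'http://example.com/assets');
"""
HTACCESS = """# constructed rules for illustration
ErrorDocument 403 /wp-content/plugins/example-plugin/error-403.php
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/example-plugin/ [NC]
RewriteRule . - [S=1]
# wp-content mentioned in a comment only
RewriteCond %{REQUEST_URI} ^/assets/uploads/ [NC]
"""

DEFINE_RE = re.compile(r"""define\(\s*['"]WP_CONTENT_DIR['"]\s*,\s*(.+?)\)\s*;""")


def content_dir_name(wp_config):
    """Return the last path segment of WP_CONTENT_DIR, or None if not defined."""
    for line in wp_config.splitlines():
        if line.lstrip().startswith(("//", "#", "*")):
            continue  # skip commented-out defines
        m = DEFINE_RE.search(line)
        if m:
            # The last quoted literal in the expression carries the folder path.
            literals = re.findall(r"""['"]([^'"]*)['"]""", m.group(1))
            if literals:
                return literals[-1].strip("/").split("/")[-1] or None
    return None


def stale_rules(htaccess, dir_name, default="wp-content"):
    """Return (line_no, current_line, proposed_line) for active directives
    that still use the default folder name although it was renamed."""
    if dir_name is None or dir_name == default:
        return []  # standard layout: the literal name is correct
    literal = re.compile(r"(?<![\w-])" + re.escape(default) + r"(?![\w-])")
    hits = []
    for no, line in enumerate(htaccess.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue  # comments never affect request matching
        if literal.search(rule):
            hits.append((no, rule, literal.sub(dir_name, rule)))
    return hits


if __name__ == "__main__":
    for no, old, new in stale_rules(HTACCESS, content_dir_name(WP_CONFIG)):
        print(f"line {no}:\n  - {old}\n  + {new}")
```

Review the proposed lines before editing the root .htaccess by hand; where WP_CONTENT_URL maps to a different URL path than the directory name, use that path instead.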

Topic Closed

This topic has been closed to new replies.
