• Resolved alainmelsens

    (@alainmelsens)


    Hi,
    Yesterday I received an email message sent from your Defender plugin, with a “Security recommendation report”.
    When I click on the web link to run these recommendations for IIS7 or higher on Windows OS, in order to prevent PHP executables from running, a web.config file is placed in the \wp-content\uploads folder.
    In that web.config file is the instruction <handlers accessPolicy="Read"/>
    However, this gave serious problems on my website. All CSS and menu and navigation settings no longer worked on the frontend.
    And on the admin page, in the media library, no thumbnails were visible anymore etc. The whole website seemed to have crashed.
    It took me a while to think that these changes could be the cause of the many bad problems.
    Have you guys actually tested this <handlers accessPolicy="Read"/> instruction yourself?
    Securing a lot is certainly good and should be done but blocking too much and giving only read permissions can make WordPress go completely wrong especially on IIS.
    Best to have this tested even more thoroughly, isn’t it? 🙁
    I have of course deleted that web.config file and consequently will test everything carefully on a test environment before I approve any more such recommendations coming from Defender.
    I hope in the next updates of Defender that such problems will not occur again, otherwise Defender users will start to doubt its reliability anyway.
    I’m sure you don’t want this either.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Imran – WPMU DEV Support

    (@wpmudev-support9)

    Hello @alainmelsens !

    I’m very sorry to hear that you’ve experienced an issue in this case!

    We do test all of the features, including running tests on IIS-powered sites for features specific to that server.

    We’d certainly like to check what may have happened in that case – would you be able to provide a link to a staging site with this feature enabled so we can take a look at what may have caused that? Alternatively, a link to the live site where that happened would be okay as well – no need to enable the option, but we’d like to see at least how the site works.

    The reason why I’m asking for that is because my suspicion is that there’s something on the site that would require this recommendation to be enabled. I’ve seen for example plugins and themes which need to have access to that area (not recommended, but some developers use that).

    If you’d like to share the links privately without having to post them here, please feel free to send us a message via our contact form:

    https://wpmudev.com/contact/#i-have-a-different-question

    Please use the template below:

    Subject: “Attn: Pawel”

    Message template:

    – Link to your WordPress site or a staging site with the feature enabled
    – Screenshots of the issue (link to a cloud drive) – optional but can help
    – Link back to this thread for reference (ex. https://wordpress.org/support/topic/ticket-title/)
    – Any other relevant URLs/info

    To ensure we don’t miss this please let us know here once you’ve submitted the form.

    Kind regards,
    Pawel

    Thread Starter alainmelsens

    (@alainmelsens)

    Hi Pawel,
    I will try to make up a test version in the coming days.
    I will then keep you informed via the separate contact form.
    Thanks.

    Plugin Support Patrick – WPMU DEV Support

    (@wpmudevsupport12)

    Hi @alainmelsens

    I hope you are doing well and safe!

    We haven’t heard from you in a while, so I’ll mark this thread as resolved.

    Feel free to let us know if you have any additional questions or problems.

    Best Regards
    Patrick Freitas

The topic ‘Security recommendation too high on IIS causing website to crash’ is closed to new replies.