Publicly accessible config, backup, or log file found

  • Resolved edwardprice

    (@edwardprice)


    3 years, 2 months ago

    On a recent scan of a migrated WordPress site i get the critical issue:

    • Publicly accessible config, backup, or log file found: .user.ini

    I think this is a file that is created by Wordfence. I have tried to “hide” file but it doesn’t do anything and the issue persists.

    I have checked the .htaccess and it has a section from Wordfence that looks like it should hide the user.ini file but it doesn’t seem to work. Wordfence seems to have been installed ok so is this file still needed?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support wfjanet

    (@wfjanet)

    3 years, 2 months ago

    Hi @edwardprice,

    Thank you for reaching out.

    The .user.ini file is created during the Firewall Optimization process. At the same time, usually code is added in .htaccess, which prevents access, but this doesn’t seem to have happened in your case.

    Please add the code below to your .htaccess:

    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>

    Let me know how it goes.

    Thanks,

    Janet

    Thread Starter edwardprice

    (@edwardprice)

    3 years, 2 months ago

    Hi @wfjanet. I have checked the htaccess and it already has this in it. any other suggestions?

    Thread Starter edwardprice

    (@edwardprice)

    3 years, 2 months ago

    OK so i have fixed this. So probably best I show what i did. It is a Bitnami installation of wordpress so there was an extra step to add it to the htaccess which is explained here:

    https://docs.bitnami.com/aws/infrastructure/lamp/administration/use-htaccess/

    Then just restart apache and it works

    Plugin Support wfjanet

    (@wfjanet)

    3 years, 2 months ago

    Sounds good @edwardprice

    Thank you so much for updating us. I’ll keep this solution in mind for customers on Bitnami.

    Thanks,

    Janet

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Publicly accessible config, backup, or log file found’ is closed to new replies.