How to protect against force-download.php attach | WordPress.org

Resolved cnymike
(@cnymike)

9 years ago

I’ve noticed many hits from Russia that are attempting to force download files such as wp-config.php

The error I get is “http://www.my-website.com/wp-content/force-download.php?file=../wp-config.php

Is there something I can do to harden my site against this attack?

https://wordpress.org/plugins/wordfence/

Viewing 3 replies - 1 through 3 (of 3 total)

WFSupport
(@wfsupport)

9 years ago

Are you using the download shortcode plugin?

tim

Thread Starter cnymike
(@cnymike)

9 years ago

I am not using the download shortcode plugin. But I am just wondering if the force download php code can randomly be used to compromise my site. Is there an .htaccess line I can put in my site to prevent a file from being downloaded or something like that?

WFSupport
(@wfsupport)

9 years ago

If you aren’t then that file should not be there to use. If it is, you might remove it which negates the problem altogether. Another good idea would be to set permissions on the wp-config.php file. Here are suggested permissions from wordpress:
http://codex.wordpress.org/Changing_File_Permissions

tim

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘How to protect against force-download.php attach’ is closed to new replies.

Tags

force download

In: Plugins
3 replies
2 participants
Last reply from: WFSupport
Last activity: 9 years ago
Status: resolved