• Resolved blakemiller

    (@blakemiller)


    I have a custom plugin that allows a user to download file(s) from a directory within the /public_html/ directory, but outside of WordPress. It’s triggered by some PHP files within /wp-content/plugins/{custom-plugin}/{somedirectory}/

    But when I enable Sucuri’s “Restrict Wp-content”, it blocks me from executing the PHP commands within my custom plugin. Which sounds correct. It’s done by adding an .htaccess file into the /wp-content/ directory that reads:

    <FilesMatch "\.(?i:php)$">
      <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
      </IfModule>
      <IfModule mod_authz_core.c>
        Require all denied
      </IfModule>
    </FilesMatch>

    My question is what can I add to that .htaccess file to allow access to this one particular plugin – either the entire plugin directory, or even the specific PHP files within the plugin?

    Thanks!

    https://wordpress.org/plugins/sucuri-scanner/

Viewing 2 replies - 1 through 2 (of 2 total)
  • I will assume that the custom plugin was written by you, in which case you can use some of the methods that the Sucuri plugin offers to whitelist PHP files when the hardening is applied [1].

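    <?php
    // Run only when the Sucuri plugin is installed and loaded.
    if (class_exists('SucuriScanHardening')) {
      $file = 'foobar.php';                    // PHP file to allow
      $folder = WP_CONTENT_DIR . '/uploads';   // hardened directory containing it
      // Add the exception only if the hardening is applied to that folder.
      if (SucuriScanHardening::is_hardened($folder)) {
        SucuriScanHardening::whitelist($file, $folder);
      }
    }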

    If you are not the developer of that custom plugin or do not want to modify its code to include the snippet shown above, then go to the “Whitelist Blocked PHP Files” panel located in the hardening page and whitelist the file(s) that you need to allow access.

    [1] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/3b53624/sucuri.php#L8600-L8614
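
A per-file exception of the kind the question asks about, written as an added example that is not from the thread or from the Sucuri plugin; `download.php` is a hypothetical file name.

```apache
# Constructed example for /wp-content/.htaccess; download.php is a hypothetical file name.

# Rule written by the hardening option (as quoted in the question): deny every *.php request.
<FilesMatch "\.(?i:php)$">
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>

# Exception for one file. It must come after the block above: Apache merges
# <Files>/<FilesMatch> sections in the order they appear, and the later one wins.
# <Files> matches the base name only, so placed here it allows any download.php
# anywhere below wp-content. To limit it to one plugin, put this block alone in
# an .htaccess inside that plugin's directory instead.
<Files "download.php">
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
</Files>
```

Every file allowed this way is reachable by direct request again, so it should perform its own access checks rather than rely on being loaded by WordPress.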

    Thread Starter blakemiller

    (@blakemiller)

    Thank you Yorman! I had the plugin developed for me, so kind of. I have access to it and am not afraid to hack a little bit – but I am far from a developer/coder.

    But I do not understand where to put that code – do I edit the Sucuri plugin, or add that to my custom plugin? I wouldn’t mind exploring adding it, instead of using the whitelist function.

    But I never realized that there was a PHP Whitelist section. I saw/found that and added the specific files (4 of them) and it works now!

  • The topic ‘Allow access to specific directory in /wp-content/ after Hardening’ is closed to new replies.