Block PHP Files in WP-CONTENT Directory (support thread for the Sucuri Security - Auditing, Malware Scanner and Security Hardening plugin)

  • Resolved Hyflex

    (@hyflex)


    Hi,

    I want to use the Block PHP Files in WP-CONTENT Directory option, but one plugin of mine requires PHP pages to run… how do I whitelist an entire folder?

    /wp-content/plugins/ThisFolder/

    The Sucuri plugin only allows specific PHP files to be whitelisted; how can I manually whitelist an entire folder, as my plugin that requires the running of PHP files has LOTS of PHP files?

    Thanks

Viewing 4 replies - 1 through 4 (of 4 total)
  • […] my plugin that requires the running of php files has LOTS of php files

    We do not have an option to allow you to whitelist an entire directory because it contradicts the point of the hardening in the content directory. I implemented the individual PHP file whitelisting because some popular plugins have 1-2 PHP files that need to be accessed directly to generate images or to track data, but I have not found a case where an entire directory should be whitelisted.

    Please share the plugin that you are having problems with so I can investigate.

    Alternatively, you can whitelist the entire directory by creating a “.htaccess” file inside that folder and adding the following access control rules which will have more priority than the ones created by the Sucuri plugin:

    <FilesMatch "\.(?i:php)$">
      # Apache 2.2 (mod_authz_core not loaded): legacy access-control syntax
      <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
      </IfModule>
      # Apache 2.4+ (mod_authz_core loaded): Require-based syntax
      <IfModule mod_authz_core.c>
        Require all granted
      </IfModule>
    </FilesMatch>

    Marking as resolved, feel free to re-open if you need more information.

    @yorman,

    It’s a premium paid plugin that essentially allows users to create an account / login / link their account with social media accounts. If I block the php files it errors out on login because it requires loading of some php files.

    The page that errors out is located in: /wp-content/plugins/wlm-social/hybridauth/ and that specific folder has both config.php and index.php, it also has a folder called Hybrid that contains like 25+ different php files in various subfolders.

    As you can see the plugin is called “WLMSocial”.

    I’ve used Wordfence, Sucuri & Bulletproof Security… it’s pretty unclear between each of them what .htaccess rules should be used for security; there is not much agreement between them.

    Also, whilst Wordfence is a competitor, do you not think it’s a bit bad on Sucuri’s side showing “Website Firewall Protection” as red/no firewall when someone is using Wordfence for their firewall?

    I am curious about what “[…] it requires loading of some php files” exactly means. Loading a PHP file, technically speaking, refers to the use of the “include” or “require” statements; these are not affected by any of the hardening options in any security plugin that I know.

    What the Sucuri plugin and others do is block HTTP requests going directly to a PHP file, which in most cases (at least in the WordPress plugin ecosystem) doesn’t happen, with just a few exceptions. I am not sure why “wlm-social” requires you to whitelist the entire directory.

    Unfortunately, I cannot investigate this further as this is a premium plugin. It is very difficult, if not impossible, to give support and prevent incompatibilities with premium plugins because their development is done in private; we cannot track which changes are applied until it’s too late.

    Since you are paying for that plugin, I assume that they provide premium support. You can ask them to investigate the issue and they will take a decision on their own. I will leave this marked as resolved.

    Also, whilst Wordfence is a competitor, do you not think it’s a bit bad on Sucuri’s side showing “Website Firewall Protection” as red/no firewall when someone is using Wordfence for their firewall?

    It is not bad per se, as it is just red text, but I understand your concerns as the message can be misleading. I will try to find ways to detect if a website is using one of the popular firewalls in the market besides the Sucuri Firewall. Hopefully, the code will be available in the next version of the plugin. Thank you for the suggestion.

    @yorman,

    I am not too familiar with how the plugin works, but after authenticating with social media it redirects back to that directory, and I assume it then includes/requires the PHP files from there to interpret the POST data that came back from the social media websites.

    I’d assume that if the index.php file inside that folder was whitelisted it would work correctly; can you advise for the specific file/location:

    /wp-content/plugins/wlm-social/hybridauth/index.php

    Thanks
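An added example, not taken from the posts above and not the Sucuri plugin’s own rules, of the narrower approach this thread arrives at: keep direct HTTP access to PHP files under wp-content denied, and re-open only the one entry point (the index.php at /wp-content/plugins/wlm-social/hybridauth/). The first block is my assumption of what a typical “block PHP files in wp-content” hardening rule looks like; the second block is the per-file exception, placed in the plugin sub-directory’s own .htaccess. Because Apache merges the deeper .htaccess after the parent one, the `Require all granted` in the sub-directory wins for index.php alone, while config.php and everything under Hybrid/ stay blocked from direct requests (code that WordPress include()s or require()s is unaffected either way, as explained above).

```apache
# --- File 1 (assumed): /wp-content/.htaccess ---------------------------
# Deny every direct HTTP request for a *.php file below wp-content.
# Both syntaxes are kept so the rule works on Apache 2.2 and 2.4+.
<FilesMatch "\.(?i:php)$">
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>

# --- File 2: /wp-content/plugins/wlm-social/hybridauth/.htaccess ------
# Re-open only the single callback entry point named in this thread.
# Using <Files "index.php"> instead of a catch-all <FilesMatch "\.php$">
# leaves config.php and the Hybrid/ sub-tree covered by the parent deny.
<Files "index.php">
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
</Files>
```

To confirm the scope of the exception after deploying it, request the two paths directly in a browser or with curl: /wp-content/plugins/wlm-social/hybridauth/index.php should return the plugin’s response, while /wp-content/plugins/wlm-social/hybridauth/config.php should still return 403 Forbidden. If the plugin’s social-login flow still fails, its callback is hitting some other file directly, and that file name (not the whole directory) is what to add as a further `<Files>` exception.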
