How to detect Apache/2.4 | WordPress.org

Resolved Viktor Szépe
(@szepeviktor)

10 years, 9 months ago

This is double issue for the “Hardening” tab.

1

Note: Apache/2.4 introduced new directives to configure the access level of certain resources in the server, for instance the rules applied to harden these directories will not work and will probably cause issues. We will not fix this because there is no accurate way to determine the exact version number of Apache installed in this server …

It is a way to distinguish between 2.2 and 2.4:
<IfModule !mod_authz_core.c>
https://github.com/szepeviktor/debian-server-tools/blob/master/webserver/apache-conf-available/worpress-htaccess/.htaccess

I’ve learned it from HTML5 boilerplate server config.
https://github.com/h5bp/server-configs-apache/blob/master/dist/.htaccess

2
Configuration for all WP directories.

Please see the setting for “hosting panels”:
https://github.com/szepeviktor/debian-server-tools/tree/master/webserver/apache-conf-available/worpress-htaccess

And for v2.4 servers:
https://github.com/szepeviktor/debian-server-tools/blob/master/webserver/apache-conf-available/wordpress.conf

https://wordpress.org/plugins/sucuri-scanner/

Viewing 2 replies - 1 through 2 (of 2 total)

yorman
(@yorman)

10 years, 9 months ago
Task finished with these commits:

1193688 – Added. Self-contained library to handle the hardening process
1193691 – Fixed. Harden content directory with correct access rules
1193701 – Fixed. Harden uploads directory with correct access rules
1193713 – Fixed. Harden includes directory with correct access rules
1194952 – Removed. Message for nonsupported Apache 2.4 hardening

These changes also improved the blocking of files with the PHP extension in different cases as suggested by here [1]. Previously, the hardening that was being applied by the plugin in the content, includes, and uploads directories was only blocking the lower case extension.
```
/wp-content/file.php - HTTP/1.1 403 Forbidden
/wp-content/file.phP - HTTP/1.1 403 Forbidden
/wp-content/file.pHp - HTTP/1.1 403 Forbidden
/wp-content/file.pHP - HTTP/1.1 403 Forbidden
/wp-content/file.Php - HTTP/1.1 403 Forbidden
/wp-content/file.PHp - HTTP/1.1 403 Forbidden
/wp-content/file.PHP - HTTP/1.1 403 Forbidden
```
[1] https://wordpress.org/support/topic/bypass-php-file-execution-restriction
Thread Starter Viktor Szépe
(@szepeviktor)

10 years, 9 months ago

You’re typing faster then I can think.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘How to detect Apache/2.4’ is closed to new replies.

Tags

sucuri-technical

2 replies
2 participants
Last reply from: Viktor Szépe
Last activity: 10 years, 9 months ago
Status: resolved