Support » Fixing WordPress » .htaccess /includes, Sucuri vs. WordPress.org ?

  • Hello

    I recently discovered an error after upgrading to WP 5.2. Investigating it led me to sites talking about a hack. And yes, I found some extra files in the /includes dir.

    Then on to protecting it. Sucuri does it one way and WordPress.org tells another story. Which is the better one, and what’s the difference?

    This is Sucuri: Hardening via the plugin
    ——

    
    <FilesMatch "\.(?i:php)$">
      <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
      </IfModule>
      <IfModule mod_authz_core.c>
        Require all denied
      </IfModule>
    </FilesMatch>
    
    <Files wp-tinymce.php>
      <IfModule !mod_authz_core.c>
        Allow from all
      </IfModule>
      <IfModule mod_authz_core.c>
        Require all granted
      </IfModule>
    </Files>
    
    <Files ms-files.php>
      <IfModule !mod_authz_core.c>
        Allow from all
      </IfModule>
      <IfModule mod_authz_core.c>
        Require all granted
      </IfModule>
    </Files>
    ——
    

    This is WordPress.org: https://wordpress.org/support/article/hardening-wordpress/
    ——

    
    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>
    ——
    

    All the best
    Carsten, Denmark

Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Those are two very different things.

    WordPress adds the .htaccess Rewrite rules necessary to make your permalinks work, Sucuri adds .htaccess Allow/Deny rules to further secure your site.

    But still, both say it’s to protect files in the /includes dir.

    This is from the WordPress site:
    “A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file.”

    This is from Sucuri:

    “Block the execution of PHP files in sensitive directories. Be careful while applying this hardening option as there are many plugins and themes which rely on the ability to execute PHP files in the content directory to generate images or save temporary data. Use the “Whitelist PHP Files” tool to add exceptions to individual files.”

    So why are they doing it so differently?

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    The WordPress documentation says you can _choose_ to do that if you want to; WordPress does not do that on its own.

    The Sucuri documentation says that Sucuri _will_ do that if the option is selected.

    Thank you for your reply James.

    But that was really not an answer to my question.

    Why are the methods for achieving the same thing so different?

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Sorry, I misread earlier, blame the pre-coffee. The rules from WordPress are indeed _not_ the rewrite rules for permalinks.

    But, either way though, they are still absolutely _not_ doing the same thing.

    The rules from Sucuri protect wp-tinymce.php and ms-files.php and any .php file. Why? You’ll need to ask them.

    The recommended rules for WordPress protect /wp-admin/includes/ and PHP files under /wp-includes/, /wp-includes/js/tinymce/langs/ and /wp-includes/theme-compat/.

    There’s no reason not to use both, they do two different things.

    Thank you again James 🙂

    If you look closer (get more coffee 😉) at the code from Sucuri, they actually specifically allow wp-tinymce.php and ms-files.php to run: Require all granted.

    Why they do what they do is to block users/hackers from running .php files from the /includes directory.

    That’s also what WordPress says they’re doing, but with rewrite.

    Is rewrite a better choice than mod_authz_core.c for solving this task?
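To make the difference between the two rule sets concrete (what James lists above and the whitelist Carsten points out), here is an added Python simulation of the two snippets quoted in the opening post; it is editorial example code, not from Sucuri, WordPress.org or this thread. It assumes the Sucuri sections are written to wp-includes/.htaccess and the WordPress.org rules sit in the site-root .htaccess, and the request paths are constructed samples.

```python
import re

# Constructed sample request paths, relative to the WordPress document root.
SAMPLE_PATHS = [
    "wp-includes/wp-db.php",
    "wp-includes/pomo/mo.php",
    "wp-includes/ms-files.php",
    "wp-includes/js/tinymce/wp-tinymce.php",
    "wp-includes/theme-compat/header.php",
    "wp-admin/includes/file.php",
    "wp-admin/admin-ajax.php",
]

# WordPress.org rules as (pattern, negated, flags), assumed in the root .htaccess.
WP_RULES = [
    (r"^wp-admin/includes/", False, {"F": True}),
    (r"^wp-includes/", True, {"S": 3}),  # not under wp-includes/: skip next 3
    (r"^wp-includes/[^/]+\.php$", False, {"F": True}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F": True}),
    (r"^wp-includes/theme-compat/", False, {"F": True}),
]

def wordpress_blocks(path):
    """Walk the rewrite chain: [F] answers 403, [S=n] skips the next n rules."""
    i = 0
    while i < len(WP_RULES):
        pattern, negated, flags = WP_RULES[i]
        if bool(re.search(pattern, path)) != negated:
            if flags.get("F"):
                return True
            i += flags.get("S", 0)
        i += 1
    return False

def sucuri_blocks(path, protected_dir="wp-includes/"):
    """Model the Sucuri sections, assumed written to wp-includes/.htaccess."""
    if not path.startswith(protected_dir):
        return False  # a per-directory .htaccess only governs its own subtree
    basename = path.rsplit("/", 1)[-1]
    # <Files> sections merge in order, so the later "Require all granted" wins.
    if basename in ("wp-tinymce.php", "ms-files.php"):
        return False
    return re.search(r"\.(?i:php)$", basename) is not None

def compare(paths=SAMPLE_PATHS):
    return {p: (wordpress_blocks(p), sucuri_blocks(p)) for p in paths}

if __name__ == "__main__":
    for p, (wp, su) in compare().items():
        print(f"{p:42} wordpress_403={wp!s:5} sucuri_403={su}")
```

Running it shows the practical gap: the WordPress.org regex only catches PHP directly inside wp-includes/ (plus the two listed subdirectories), so a PHP file dropped into any other wp-includes subdirectory stays reachable, while the Sucuri sections cover the whole wp-includes tree but say nothing about wp-admin/includes/.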

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Argh, yes, more coffee was required.

    Either way though, there’s no reason not to run them together, there will be no conflicts.

    Of the two, I like the way Sucuri is doing it compared to the recommended WordPress way.

    Personally though, if you’re getting into .htaccess blocks, you might as well go for https://perishablepress.com/6g/

    Which, you can also get in simple plugin form: https://wordpress.org/plugins/block-bad-queries/

    Hello James

    I was just searching the Apache site. I thought that might be a place to go, just to try to understand the different approaches. Not that it helped that much 😉

    But as you write, I also lean more to the Sucuri method. It’s a lot simpler: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html

    It would be interesting, though, to hear why WordPress chose to use Rewrite.

    I’m not sure if it’s a good idea to put two rules in that do the same. It also puts an extra load on the server.

    Thank you for the links, I’ll have a look at them 🙂

    Hmm, maybe the difference is this:
    “Further, 7G uses Apache’s mod_rewrite, so it works on all types of HTTP request methods: GET, POST, PUT, DELETE, and all others. That means robust protection for your website.”

    Maybe mod_authz_core does not do that.
