Support » Plugin: BulletProof Security » Sucuri 1-click Hardening wp-content .htaccess file problem detected

  • Resolved leejosepho

    (@leejosepho)



    I have this htaccess in wp-content:

    # set permissions to 0404
    <Files *.php>
    deny from all
    </Files>

    Because of that, Sucuri Security (plugin) gives this notice:

    Using the Sucuri 1-click Hardening wp-content .htaccess file option will prevent BPS Security Error Logging from working.
    To fix this issue delete the Sucuri .htaccess file in your wp-content folder.

    I doubt that is actually true, but I want to check with you before dismissing that notice and mentioning this to Sucuri.

    https://wordpress.org/plugins/bulletproof-security/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author AITpro

    (@aitpro)

    Actually the Dismiss Notice is a BPS plugin Dismiss Notice that is displaying that notice to you.

    Yes, the Sucuri wp-content .htaccess code will prevent BPS Security Logging from working because the /wp-content/plugins/bulletproof-security/403.php template logging file will be blocked/forbidden from being accessible to anyone including you, which means that no BPS Security logging will occur.

    Instead of deleting the Sucuri wp-content .htaccess file you could change the htaccess code in that htaccess file so that you can whitelist ALL BPS plugin files or just the BPS 403.php Security Logging template file. I just played around with this and created this code below and it seems to work fine.

    # Whitelist all BPS plugin php files (recommended)
    SetEnvIf Request_URI "/plugins/bulletproof-security/(.*).php$" whitelist
    # Whitelist ONLY the 403.php Security Logging template file (not recommended)
    #SetEnvIf Request_URI "/plugins/bulletproof-security/403.php$" whitelist
    
    <FilesMatch "\.(php)$">
    Order Allow,Deny
    Allow from env=whitelist
    Deny from all
    </FilesMatch>

    you could change the htaccess code in that htaccess file so that you can whitelist ALL BPS plugin files

    Done, and all is well.

    I knew you would know, and I again thank you so very much!

    Plugin Author AITpro

    (@aitpro)

    Actually that code does not work. I grabbed and posted the wrong testing code. This code below does work. 😉

    Notes: The “Order” directive MUST be Deny,Allow and NOT Allow,Deny.

    # Whitelist all BPS plugin php files (recommended)
    SetEnvIf Request_URI "/wp-content/plugins/bulletproof-security/(.*).php$" whitelist
    # Whitelist ONLY the 403.php Security Logging template file (not recommended)
    #SetEnvIf Request_URI "/wp-content/plugins/bulletproof-security/403.php$" whitelist
    
    <FilesMatch "\.(php)$">
    Order Deny,Allow
    Allow from env=whitelist
    Deny from all
    </FilesMatch>

    The “Order” directive MUST be Deny,Allow and NOT Allow,Deny.

    I have made that change, and it makes sense. Having “Allow” first would be like letting everyone into the foyer and then trying to turn non-members away from the dining hall! However, I had assumed all was well after the first change since BPS had dropped the notice.

    Plugin Author AITpro

    (@aitpro)

    It’s a bit more complex than that. The check only looks in the wp-content htaccess file that “could” potentially break BPS Security Logging. The check is not capable of determining whether the code is “good/valid” or works correctly. 😉

    # Allow,Deny
    # First, all Allow directives are evaluated. At least one must match, or the request is rejected.
    # Next, all Deny directives are evaluated. If any matches, the request is rejected.
    # Last, any requests which do not match an Allow or a Deny directive are denied by default.
    #
    # Deny,Allow
    # First, all Deny directives are evaluated. If any match, the request is denied unless
    # it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
    #
    # *Match* -------------------- *Allow,Deny result* -------------------- *Deny,Allow result*
    # Match Allow only ----------- Request allowed ------------------------ Request allowed
    # Match Deny only ------------ Request denied ------------------------- Request denied
    # No match ------------------- Default to second directive: Denied ---- Default to second directive: Allowed
    # Match both Allow & Deny ---- Final match controls: Denied ----------- Final match controls: Allowed
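
The table above, worked as an added example (this is not Apache code, not BPS plugin code, and not from the thread): a small Python evaluator for the Apache 2.2 Order / Allow / Deny model combined with SetEnvIf whitelisting. The function names (`set_env`, `resolve`, `decide`, `outcome_table`) and the request URIs are constructed for the illustration; the SetEnvIf pattern and the FilesMatch block are the ones posted in the thread.

```python
import re

# Added illustration (not Apache source and not BPS plugin code): a small
# evaluator for the Apache 2.2 "Order / Allow / Deny" model combined with
# SetEnvIf-based whitelisting, so the four cases in the table can be checked
# against the wp-content/.htaccess block posted in the thread.

# SetEnvIf pattern exactly as posted. Note the dot before "php" is unescaped,
# so it matches any single character, not only a literal ".".
WHITELIST_PATTERNS = [r"/wp-content/plugins/bulletproof-security/(.*).php$"]


def set_env(request_uri, patterns=WHITELIST_PATTERNS):
    """Mimic `SetEnvIf Request_URI "<regex>" whitelist`; return the env vars set."""
    return {"whitelist"} if any(re.search(p, request_uri) for p in patterns) else set()


def resolve(order, allow_hit, deny_hit):
    """Core Order semantics: decide from whether any Allow / Deny rule matched."""
    if order == "Allow,Deny":
        # Allow is evaluated first, Deny last. No match -> denied (second
        # directive); both match -> the final match (Deny) controls -> denied.
        return "allowed" if allow_hit and not deny_hit else "denied"
    if order == "Deny,Allow":
        # Deny is evaluated first, Allow last. No match -> allowed (second
        # directive); both match -> the final match (Allow) controls -> allowed.
        return "denied" if deny_hit and not allow_hit else "allowed"
    raise ValueError(f"unknown Order value: {order}")


def outcome_table():
    """Reproduce the thread's 4x2 table as {(case, order): result}."""
    cases = {"allow only": (True, False), "deny only": (False, True),
             "no match": (False, False), "both": (True, True)}
    return {(name, order): resolve(order, a, d)
            for name, (a, d) in cases.items()
            for order in ("Allow,Deny", "Deny,Allow")}


def decide(order, request_uri):
    """Apply the posted block to one request:
       <FilesMatch "\\.(php)$">  Order <order>  Allow from env=whitelist  Deny from all
    """
    # FilesMatch keys on the file name; the URI's last path segment stands in here.
    if not re.search(r"\.(php)$", request_uri.rsplit("/", 1)[-1]):
        return "allowed"             # block does not apply to non-.php requests
    env = set_env(request_uri)
    allow_hit = "whitelist" in env   # Allow from env=whitelist
    deny_hit = True                  # Deny from all always matches
    return resolve(order, allow_hit, deny_hit)


if __name__ == "__main__":
    # Constructed request URIs: the BPS logging template, a stray PHP file
    # under uploads, and a non-PHP asset the FilesMatch block never touches.
    for uri in ("/wp-content/plugins/bulletproof-security/403.php",
                "/wp-content/uploads/dropped.php",
                "/wp-content/uploads/photo.jpg"):
        for order in ("Allow,Deny", "Deny,Allow"):
            print(f"{order:11} {uri:52} -> {decide(order, uri)}")
```

Running it shows why the first block in the thread silently failed: with `Order Allow,Deny` the 403.php request matches both `Allow from env=whitelist` and `Deny from all`, and the final match (Deny) wins, so logging is blocked; with `Order Deny,Allow` the final match is the Allow, so 403.php is reachable while every other .php file under wp-content stays denied.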

    The check is not capable of determining whether the code is “good/valid” or works correctly. 😉

    I have never had even the first doubt about letting BPS do whatever you tell it to do. 🙂

    I seem to be having the same problem, but your code does not work for me.

    Here is the code I’ve put into the wp-content/.htaccess:

    # Whitelist all WP-SpamShield plugin php files (recommended)
    SetEnvIf Request_URI "/wp-content/plugins/wp-spamshield/(.*).php$" whitelist
    
    <FilesMatch "\.(php)$">
    Order Deny,Allow
    Allow from env=whitelist
    Deny from all
    </FilesMatch>

    However, whenever I visit any page, I still get this in the error_log:

    [error] [client 86.128.245.108] client denied by server configuration: /var/www/vhosts/*removed*/httpdocs/wp-content/plugins/wp-spamshield/js/jscripts.php, referer: http://www.*removed*.com/

    Any thoughts?

    Plugin Author AITpro

    (@aitpro)

    Do you have the Sucuri plugin installed? If so, do you have a LiteSpeed server? The Apache SetEnvIf directive is not supported on LiteSpeed servers and you would have to use alternative htaccess code that LiteSpeed can process.

    If not, then this is a completely different issue and a new thread should be created for this.
