Support » Plugins and Hacks » BulletProof Security » [Resolved] wp-content in htaccess

[Resolved] wp-content in htaccess

  • Plugin Author AITpro

    @aitpro

    It is not recommended that you change the wp-content folder path since trying to hide things will never be a real security measure. It would be a very simple thing to find the new wp-content folder name so there is really no point in changing the wp-content folder name at all.

    The most effective security approach is an Action Security Approach based on bad actions.

    bad hacker X does bad action Y and Z is the result = Forbidden/blocked/etc.

    BPS uses WordPress Constants for the wp-content directory/folder WP_CONTENT_DIR and all other WordPress directories/folders. If you are doing some other method of hiding the wp-content folder that is not using a WordPress Constant then BPS will not be able to detect that directory/folder location. You should always use WordPress Constants if you are going to change the normal/standard WordPress structure/architecture.

    If you are using WordPress Constants and you use the BPS AutoMagic buttons then BPS will find and write the correct new folder name/path that you have created for your wp-content folder.

    Perhaps I’m not being very clear. I’ve already used WP_CONTENT_DIR in wp-config.php, but when I use the BPS AutoMagic buttons the secure.htaccess in bulletproof-security\admin\htaccess contains “wp-content” instead of WP_CONTENT_DIR, e.g. in ErrorDocument or Plugin Exploit Rules.

    Plugin Author AITpro

    @aitpro

    oh ok now I understand what you are saying. Yes, you are correct that file does contain the literal “wp-content” folder name. It is only a demo/temporary file. When you use/click the AutoMagic buttons that demo/temporary file is overwritten with your actual website’s real information.

    Plugin Author AITpro

    @aitpro

    If clicking the Create secure.htaccess file button does not overwrite this demo/temporary file then there is a permissions or Ownership issue/problem going on where BPS is not allowed to write to this file due to file permission or Ownership restrictions on your Server. Check the Edit/Upload/Download page and you should see this – File Open and Write test successful! The secure.htaccess file is writable. If you see an error saying that the file is not writable then post that error.

    But I don’t think so, because I can see the literal “wp-content” in “options.php”. I think that this is the reason why it doesn’t work for me, e.g. logging 403 errors.

    I checked it (Edit/Upload/Download page) and I can see this: “File Open and Write test successful!”.

    Plugin Author AITpro

    @aitpro

    Oh yeah actually you are correct. We left wp-content in those particular .htaccess file writing areas for some reason. I believe it caused the write process to break for everyone else who is using the standard/normal WordPress wp-content folder path/name. You will need to manually change this in your root .htaccess file.
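
An added example, not part of the thread and not BPS code: a shell check for the manual .htaccess fix described in the reply above. It reads the folder name from the WP_CONTENT_DIR define in wp-config.php and lists the rules that still use the literal wp-content path; the function names, the sample files and the `assets` folder name are constructed assumptions.

```shell
#!/bin/sh
# Added example (not BPS code): after WP_CONTENT_DIR is changed in wp-config.php,
# list .htaccess rules that still use the literal "wp-content" path.

# content_dir_name WP_CONFIG -> last path component of the WP_CONTENT_DIR define,
# or "wp-content" (the WordPress default) when the constant is not defined.
content_dir_name() {
    name=$(sed -n "s|^[[:space:]]*define([[:space:]]*['\"]WP_CONTENT_DIR['\"].*[/'\"]\([A-Za-z0-9._-]\{1,\}\)['\"][[:space:]]*)[[:space:]]*;.*|\1|p" "$1" | tail -n 1)
    printf '%s\n' "${name:-wp-content}"
}

# stale_rules HTACCESS NAME -> "lineno:text" for each non-comment line that still
# says wp-content; prints nothing when the folder was never renamed.
stale_rules() {
    [ "$2" = "wp-content" ] && return 0
    grep -n 'wp-content' "$1" | grep -v '^[0-9]*:[[:space:]]*#' || true
}

# proposed_rules HTACCESS NAME -> corrected rules on stdout; the input file is not modified.
proposed_rules() {
    sed "/^[[:space:]]*#/!s|wp-content|$2|g" "$1"
}

# make_sample DIR -> writes constructed sample files (not taken from a real site).
make_sample() {
    cat > "$1/wp-config.php" <<'EOF'
<?php
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/assets' );
define( 'WP_CONTENT_URL', 'https://example.test/assets' );
EOF
    cat > "$1/.htaccess" <<'EOF'
# constructed rules; the default folder name is wp-content
ErrorDocument 403 /wp-content/plugins/example-plugin/403.php
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/ [NC]
RewriteRule ^wp-login\.php$ - [L]
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
dir=$(content_dir_name "$tmp/wp-config.php")
echo "content folder from wp-config.php: $dir"
stale_rules "$tmp/.htaccess" "$dir"
rm -rf "$tmp"
```

Review the output of `proposed_rules` before copying it over the live file, since it replaces every occurrence of the string on non-comment lines.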

    Thanks, but I suppose that this bug will be solved in the next release.

    Plugin Author AITpro

    @aitpro

    We will have to add an additional option for folks who have decided to change their wp-content folder name so that this does not break everyone else’s websites during the .htaccess file writing process. 😉 This is the only area in BPS where we are using the literal wp-content path. Everywhere else the WP_CONTENT_DIR constant is used.

    Thanks.

    Plugin Author AITpro

    @aitpro

    Actually this has been completed by someone already. It will be added/included in BPS .48.4.

    Plugin Author AITpro

    @aitpro

    This has been added/included in BPS .48.4. Resolving.

    I actually just created a forum account to ask a question along similar lines to this. I installed Better WP Security and used the change wp-content folder option (unfortunately no option given to undo). After searching for posts and articles about whether that was a feature that was worth the complications, with no results, this answers my question. Thanks. 🙂 Luckily I did find a way to (hopefully) manually undo the change. For anyone else who needs to do this the link is here:
    Luckily I haven’t actually added any content on this install yet.

    Plugin Author AITpro

    @aitpro

    Great thanks! The whole concept of hiding/changing the wp-content folder name is silly because if a cURL scan is done on the site searching for a bit of code that has a known vulnerability or exploit then whatever the new name for the wp-content folder is will be displayed in that cURL scan. Silly. 😉
