WP-Includes Hardening Broke Multisite Images & TinyMCE (Fix Inside)

  • Resolved KZeni

    (@kzeni)


    8 years, 1 month ago

    I have a site which recently got the mod_authz_core.c module added and it’s a multisite install. However, the WP-Includes Hardening .htaccess rules were set to:

    <FilesMatch "\.(?i:php)$">
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>
<Files wp-tinymce.php>
  Allow from all
</Files>
<Files ms-files.php>
  Allow from all
</Files>

    Unfortunately, this still leaves the mod_authz_core.c rule of “Require all denied” active for wp-tinymce.php and ms-files.php (which are only set to allow per the non-mod_authz_core.c method.

    I’ve updated the wp-includes/.htaccess to the following to fix this issue:

    <FilesMatch "\.(?i:php)$">
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>
<Files wp-tinymce.php>
  Allow from all
  Require all granted
</Files>
<Files ms-files.php>
  Allow from all
  Require all granted
</Files>

    I’d love to see this updated version of the hardened wp-includes .htaccess file included in a future version of Sucuri Security so this resolves this potential issue for everyone and for all of my WordPress sites in an official way.

    Thank you!

    https://wordpress.org/plugins/sucuri-scanner/

Viewing 6 replies - 1 through 6 (of 6 total)
Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘WP-Includes Hardening Broke Multisite Images & TinyMCE (Fix Inside)’ is closed to new replies.