• Resolved cindy c

    (@cindy_conlinyahoocom)


    Hi there,
    I received a scan result that there’s a publicly accessible .user.ini file. And yup, I checked it using https://example.com/.user.ini and it can be viewed.

    I’ve read several threads that talk about a button to hide it. My site is on Dreamhost, so I don’t know exactly what to do without that button. I’m familiar with .htaccess but didn’t find code that I would need to add.

    Thanks in advance,
    Cindy

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @cindy_conlinyahoocom, thanks for getting in touch.

    If you’re familiar with .htaccess, I have no problem sending you the code that you should need to add in order to combat this result:

    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    	Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    	Order deny,allow
    	Deny from all
    </IfModule>
    </Files>

    If you’re not running your site on NGINX, you can ignore the next section but I just want to make sure I’ve covered all possibilities. If you are on NGINX, you will need to instead append the following directives to the server context of the nginx.conf file:

    location ~ ^/\.user\.ini {
        deny all;
    }

    If the WordPress installation resides in a subdirectory, add the path portion of the URL to the pattern such as:

    location ~ ^/wordpress/\.user\.ini {
        deny all;
    }

    Here is a link to our docs about this process:
    https://www.wordfence.com/help/firewall/optimizing-the-firewall/#hide-userini-nginx

    Let me know if it helps!

    Peter.
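
One way to confirm that the deny rule from the reply above is in effect is to request the file again and classify the response. This is an added example, not part of the original thread and not Wordfence code; the function name `check_user_ini`, the verdict strings and the User-Agent value are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Check whether <site>/.user.ini is still publicly readable (added example)."""
import sys
import urllib.error
import urllib.request


def check_user_ini(base_url, timeout=10):
    """Request <base_url>/.user.ini and return (verdict, http_status).

    base_url is the site root, or the WordPress subdirectory URL when the
    install lives below the root (the second nginx case in the reply).
    """
    url = base_url.rstrip("/") + "/.user.ini"
    # Hypothetical User-Agent string, chosen for this example only.
    req = urllib.request.Request(url, headers={"User-Agent": "user-ini-check"})
    try:
        # urlopen follows redirects, so the status is that of the final page.
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            ctype = resp.headers.get("Content-Type", "")
            head = resp.read(2048).decode("utf-8", "replace").lstrip().lower()
    except urllib.error.HTTPError as err:
        # "Require all denied" and "deny all" both answer 403; 404 means
        # there is no file to serve at that path.
        return ("blocked" if err.code in (403, 404) else "unclear", err.code)
    except OSError:
        # DNS failure, refused connection, TLS error or timeout.
        return ("unreachable", None)
    # A 200 that is an HTML page is usually a redirect to the home page or a
    # themed "not found" page, not the ini file itself.
    if "html" in ctype.lower() or head.startswith(("<!doctype", "<html")):
        return ("unclear", status)
    return ("exposed" if status == 200 else "unclear", status)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_user_ini.py https://example.com[/wordpress]")
    verdict, status = check_user_ini(sys.argv[1])
    print(f"{verdict} (HTTP {status})")
    sys.exit(0 if verdict == "blocked" else 1)
```

The script exits 0 only when the server answers 403 or 404, so it can be re-run after each configuration change until the scan finding is cleared.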

  • The topic ‘Critical Security Issue – .user.ini found publicly accessible’ is closed to new replies.