• Hi Wordfence,

    A critical issue was found on a WF scan:

    Details: https://example.com/.user.ini is publicly accessible and may expose source code or sensitive information about your site. Files such as this one are commonly checked for by scanners and should be made inaccessible. Alternately, some can be removed if you are certain your site does not need them. Sites using the nginx web server may need manual configuration changes to protect such files.

    The contents of the file are:

    ; Wordfence WAF
    auto_prepend_file = '/opt/bitnami/wordpress/wordfence-waf.php'
    ; END Wordfence WAF

    Should this file be deleted?

    The file permission is 664

    • This topic was modified 10 months, 2 weeks ago by oneoption.
  • Thread Starter oneoption

    (@oneoption)

    Although the owner is different – perhaps this is the issue?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @oneoption,

    The code inside the .user.ini file is our Wordfence firewall optimization code, so removing it may return the firewall back to “Basic Protection” and prompt you to re-optimize from within WordPress.

    With previous cases of running Wordfence on Bitnami configurations, the code that is usually added when “HIDE FILE” from the scan is chosen does need to be added to both of these files:

    /opt/bitnami/apache/conf/vhosts/wordpress-https-vhost.conf
    /opt/bitnami/apache/conf/vhosts/wordpress-vhost.conf

    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    	Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    	Order deny,allow
    	Deny from all
    </IfModule>
    </Files>

    You can also change AllowOverride to All instead of None in these files and restart Apache to ensure it reads your changes.

    Thanks,
    Peter.
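
A way to verify that the fix above actually landed in both vhost files, as an added example that is not Wordfence's code or part of this thread: it parses an Apache vhost configuration, reports whether a `<Files ".user.ini">` block denies access (under either the mod_authz_core or the legacy directives) and lists every `AllowOverride` value so a leftover `None` stands out. The two file paths are the ones Peter named; the sample vhost text is constructed for the demo.

```python
import re

# Both Bitnami vhost files named in the thread; adjust if your layout differs.
VHOST_FILES = [
    "/opt/bitnami/apache/conf/vhosts/wordpress-https-vhost.conf",
    "/opt/bitnami/apache/conf/vhosts/wordpress-vhost.conf",
]

# The block from the reply above, used here to patch a config in memory.
HARDENING_BLOCK = '''<Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
</Files>
'''

_FILES_RE = re.compile(r'<Files\s+"?\.user\.ini"?\s*>(.*?)</Files>', re.S | re.I)

def user_ini_denied(config_text):
    """True when a <Files ".user.ini"> block denies access via mod_authz_core
    (Require all denied) or the pre-2.4 directives (Deny from all)."""
    for m in _FILES_RE.finditer(config_text):
        if re.search(r'^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\b',
                     m.group(1), re.M | re.I):
            return True
    return False

def allow_override_values(config_text):
    """Every AllowOverride value in the file; 'None' means .htaccess rules are ignored."""
    return re.findall(r'^\s*AllowOverride\s+(\S+)', config_text, re.M | re.I)

def audit_vhost_text(config_text):
    return {"user_ini_denied": user_ini_denied(config_text),
            "allow_override": allow_override_values(config_text)}

# Constructed sample vhost (not a real Bitnami file), before hardening.
SAMPLE_VHOST = '''<VirtualHost *:80>
  DocumentRoot "/opt/bitnami/wordpress"
  <Directory "/opt/bitnami/wordpress">
    AllowOverride None
    Require all granted
  </Directory>
</VirtualHost>
'''

if __name__ == "__main__":
    for path in VHOST_FILES:
        try:
            with open(path) as fh:
                print(path, audit_vhost_text(fh.read()))
        except OSError as exc:
            print(path, "unreadable:", exc)
```

Run it on the server after editing and restarting Apache; a file reporting `user_ini_denied: False` is one the block has not reached yet.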

    Thread Starter oneoption

    (@oneoption)

    Thanks for the help. These changes were made and Apache was restarted. Is it best practice to “Mark As Fixed” this issue in the Scan page?

  • The topic ‘Publicly accessible .user.ini file’ is closed to new replies.