• webmistressofthedark

    (@webmistressofthedark)


    During this last election cycle I had a lot of scammers trying to break into my candidates’ websites.

    One scammer reproduced the front page of my Senator’s website using an iFrame to try to trick me into logging into the site and/or its email account for the domain. Of course I knew not to click on it but was furious they iFramed it.

    Now, every time I try to do an update WITHIN the WordPress admin, I get a warning that Firefox won’t open the page and then it tosses me into maintenance mode. I have to go into FTP and delete the .maintenance file to be able to continue. Then for some reason I can do the minor updates etc.

    I have already inserted this code into the .htaccess file but I’m still getting the notice. How to fix? Is it correct or shouldn’t it say “deny from all” in the second line?

    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>

    Is there something else I should erase in Firefox to fix this?

    It’s driving me nuts… thanks.


Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter webmistressofthedark

    (@webmistressofthedark)

    Update: It worked when I tested it. Are some of the admin files in WP ‘iFrames’????

    Tung

    (@htung)

    There is a method to block cross-domain content from calling and displaying your site with an iFrame. You can try putting this code in .htaccess:

    Header always append X-Frame-Options SAMEORIGIN

    Thread Starter webmistressofthedark

    (@webmistressofthedark)

    Do I copy that exactly and where in the htaccess file, anywhere? Thank you

    Tung

    (@htung)

    I suggest you put the code into the root folder’s .htaccess file. Just pasting the code anywhere in the .htaccess file will do.

    @webmistressofthedark: The original snippet you provided has nothing to do with iframes. Neither does it provide security of any sort. And it surely doesn’t have anything to do with WordPress updates.

    If you were the “Jane” that posted on this StackOverflow Q&A about 5 hours ago, the downvote should have given you a hint.

    The traditional way to prevent iframing is to use the X-Frame-Options HTTP response header. In your .htaccess file (for Apache and drop-in replacements), you’d use a single line like this:

    Header set x-frame-options SAMEORIGIN

    This would prevent other sites from displaying your site in an iframe, but still allow you to iframe any of your site’s URLs on the same site (that’s the SAMEORIGIN bit).

    But this approach is deprecated in all modern browsers and may not always work as intended.

    The modern and recommended approach is to use the frame-ancestors directive in a Content-Security-Policy header.

    The easiest way to implement this would be to use a CSP/HTTP Headers plugin. If you’re using a general security plugin, it may already have iframe protection or general CSP headers capability built-in.

    And talking about general security, I highly recommend reviewing the Hardening WordPress document and implementing most (if not all) of the recommendations. Even if you’re using a security plugin, it’s still a good idea to review this document to understand what features to enable in the plugin.

    Good luck!
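
One way to check which framing policy a response actually enforces after the .htaccess change, covering both the X-Frame-Options header and the frame-ancestors directive discussed in the reply above. This is an added example, not code from anyone in this thread; the function names and the sample header sets are constructed for illustration.

```python
# Added example; function names are illustrative, not from any library.
def _values(headers, name):  # names are case-insensitive; headers may repeat
    return [v for k, v in headers if k.lower() == name]

def frame_ancestors(headers):
    """One source list per enforced policy (Report-Only headers are not read)."""
    found = []
    for value in _values(headers, "content-security-policy"):
        for policy in value.split(","):          # commas separate policies
            for directive in policy.split(";"):  # semicolons separate directives
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    found.append([t.lower() for t in tokens[1:]])
                    break  # only the first occurrence in a policy counts
    return found

def x_frame_options(headers):
    """Distinct X-Frame-Options tokens across repeated or appended headers."""
    tokens = set()
    for value in _values(headers, "x-frame-options"):
        tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens

def framing_verdict(headers):
    lists = frame_ancestors(headers)
    if lists:  # when frame-ancestors is present, X-Frame-Options is ignored
        if any(not src or src == ["'none'"] for src in lists):
            return "csp: framing blocked everywhere"
        if all(src == ["'self'"] for src in lists):
            return "csp: same-origin framing only"
        return "csp: review allowed ancestors"
    xfo = x_frame_options(headers)
    if not xfo:
        return "unprotected: no framing header"
    if len(xfo) > 1:
        return "xfo: conflicting values"
    value = xfo.pop()
    if value in ("deny", "sameorigin"):
        return "xfo: " + value
    return "unprotected: unrecognized X-Frame-Options value"

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "legacy": [("X-Frame-Options", "SAMEORIGIN"), ("x-frame-options", "SAMEORIGIN")],
    "modern": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
    "report_only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
}

if __name__ == "__main__":
    print({name: framing_verdict(hdrs) for name, hdrs in SAMPLES.items()})
```

Feed it the (name, value) pairs from your own site's response, for example as copied from the browser's network panel, to confirm the header you added is the one in effect.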

    Thread Starter webmistressofthedark

    (@webmistressofthedark)

    Well I might have asked elsewhere but not sure why a downvote would tell me anything since I did not see it and the question was if the snippet my host gave me was correct. I guess if they downvote honest questions I don’t want to go there again.

    And I have no understanding of your explanation. I just want to know where to put what code.

    Thanks for nothing!

    I guess if they downvote honest questions I don’t want to go there again.

    That was not a question you (or whoever the “Jane” is) asked.

    It was a response — a wrong answer — to someone’s question and deserved the downvote.

    Thread Starter webmistressofthedark

    (@webmistressofthedark)

    The thread was asking about that code. The question was an additional query about the same code that was given by the host to add to the htaccess file. Sorry that the coding Gods were offended.

    I guess respect was lost after my generation.

    I guess respect was lost after my generation.

    Communities have ALWAYS had rules though, online or offline, irrespective of generation. And there are often consequences when those rules are not followed, with ignorance not being a widely accepted excuse.

    Anyway, I’m unsubscribed and out of this thread.

    Good luck!
