• Resolved tezalsec

    (@tezalsec)


    Hi, could you replace your ico files with png files, please?

    I get errors on
    mainwp/icons/favi-1-favicon.ico
    mainwp/icons/favi-2-favicon.ico
    mainwp/icons/favi-3-favicon.ico
    mainwp/icons/favi-4-favicon.ico
    mainwp/icons/favi-5-favicon.ico
    mainwp/icons/favi-6-favicon.ico
    mainwp/icons/favi-7-favicon.ico
    mainwp/icons/favi-8-favicon.ico

    Your use of ico files triggers “client denied by server configuration” rules in the fail2ban software on the server, banning my IP after a few pageloads in the backend.

    Example entry causing it: [Tue Nov 19 13:45:34.884521 2024] [access_compat:error] [pid 1382672:tid 140331907524160] [client xxx:0] AH01797: client denied by server configuration: /var/www/vhosts/xxx/wp-content/uploads/mainwp/icons/favi-4-favicon.ico

    Apparently my server, using DEFAULT apache rules, is not happy with your use of ico files here. All other WordPress plugins use png, svg, etc. for their small image files and they do not trigger the same errors.

    More info why you should not use ico files in WordPress at all:
    https://wordpress.stackexchange.com/questions/415084/why-cant-i-upload-ico-files-to-wordpress

    Thanks for considering.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Bojan Katusic

    (@bojankatusic)

    Hi @tezalsec,

    Thanks for pointing this out and for providing detailed information about your server configuration and the challenges with .ico files.

    Currently, MainWP fetches favicon files directly as they exist on child sites, which means if a child site has .ico files for favicons, that’s what gets retrieved and displayed without any conversion.

    However, you can manually upload a custom icon on the Edit page of a Child site. This way, you can bypass .ico files altogether by providing a .png or other preferred file formats directly.

    To address your suggestion of always using .png for favicons by converting .ico, you’re welcome to submit this as a feature request on our Feedback Site. That helps us gauge user interest and prioritize potential changes.

    Thread Starter tezalsec

    (@tezalsec)

    Thanks for the response. I never realized MainWP was fetching those, and I have never seen them as I have apparently hidden them from the start, deeming them unnecessary bloat.

    I do wonder if it is a good idea to just fetch them. I read about how it can be unsafe to host ico files, especially in other locations than root.

    Another thing is that often people just rename their png to ico extension, which means by fetching them you invite mimetype errors to the MainWP dashboard site. This might be the case with my sites (as favicon.ico in root), but they never triggered any server errors or WordPress rejects.

    Maybe you could just check the mimetype before rendering and fall back to an image of your own in case of a fetched ico file with wrong mimetype. WordPress itself rejects that too…

    What is the “Edit page of a Child Site”? To what page are you referring?

    I assume it would be a good idea to do something about this anyway. Either convert to png, or check mimetype before rendering, or not download them at all when disabled in the table view, or make downloading them optional in the settings. For security and WordPress conformity reasons. I shouldn’t have to do a feature request for that.

    • This reply was modified 2 days, 10 hours ago by tezalsec.
    Thread Starter tezalsec

    (@tezalsec)

    I just noticed I forbid the ico extension in an htaccess file in the wp-content folder, created years ago.
    So consider it solved. Not taking away having foreign ico files fetched, with possible mimetype issues, is still something to take seriously and maybe should be avoided.

    Thanks.

    • This reply was modified 2 days, 10 hours ago by tezalsec.
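
The content check suggested in the thread (verify what a fetched favicon really is before rendering it, and fall back to a local image otherwise), as an added example that is not MainWP's code and not part of any post above. It is written in Python for illustration; `FALLBACK_ICON`, the function names and the sample byte strings are assumptions constructed here.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
FALLBACK_ICON = "default-site-icon.png"  # hypothetical bundled placeholder image

def ico_entries_in_bounds(data, count):
    """Every 16-byte ICONDIRENTRY must point at image bytes inside the file."""
    dir_end = 6 + 16 * count
    if dir_end > len(data):
        return False
    for i in range(count):
        # bytesInRes and imageOffset sit at bytes 8..15 of each entry
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        if size == 0 or offset < dir_end or offset + size > len(data):
            return False
    return True

def sniff_type(data):
    """Return 'png', 'ico' or None from the content, never from the file name."""
    if data.startswith(PNG_SIG):
        return "png"
    if len(data) >= 6:
        reserved, kind, count = struct.unpack_from("<HHH", data, 0)
        if reserved == 0 and kind == 1 and count > 0 and ico_entries_in_bounds(data, count):
            return "ico"
    return None

def choose_icon(filename, data):
    """Return (icon_to_render, reason); mismatches get the local fallback."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = sniff_type(data)
    if detected is None:
        return FALLBACK_ICON, "unrecognised content"
    if detected != ext:
        return FALLBACK_ICON, f"extension .{ext} but content is {detected}"
    return filename, "ok"

def make_ico(payload=b"\x00" * 40):
    # Constructed sample: ICONDIR header, one directory entry, dummy image bytes
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(payload), 22)
    return header + entry + payload

RENAMED_PNG = PNG_SIG + b"\x00" * 16   # constructed: PNG bytes saved under an .ico name
TRUNCATED_ICO = make_ico()[:30]        # constructed: directory points past end of file
```
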