Can’t hide user.ini file publicly accessible

  • Resolved Merkucio

    (@merkucio)


    2 years, 2 months ago

    Hello,

    user.ini file is publicly accessible. Click to fix .htaccess doesn’t work.
    This code is twice in .htaccess file.

    <Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
</Files>

    I tried to send the report from the Wordfence Tools/Diagnostics page, but got the Error. There was an error while sending the email.

    Thanks.

    • This topic was modified 2 years, 2 months ago by Merkucio.

    The page I need help with: [log in to see the link]

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @merkucio, thanks for getting in touch.

    I’d definitely like to see the diagnostic to see if there are any configuration issues, and whilst the email sending issue may be totally separate there could be some problems with how the server is set up if the .htaccess rules are also not having any effect.

    The Wordfence diagnostic can be exported as a txt file on the Wordfence > Tools > Diagnostics page, which could be sent directly to the wftest @ wordfence . com email address from your personal/work email. Remember to put your forum username in the email’s subject line and let me know here you’ve sent it so I can try finding it there instead and I’ll take a look.

    Thanks,

    Peter.

    Thread Starter Merkucio

    (@merkucio)

    Hello @wfpeter,

    Thanks for your reply. Just sent.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @merkucio, thanks for the diagnostic report!

    I can see now that you’re on Bitnami, and I’ve seen this come up on that platform before. Whilst our code does add to the .htaccess file in document root to hide the .user.ini file, as you stated, our code actually needs to be added to both of these files:

    /opt/bitnami/apache/conf/vhosts/wordpress-https-vhost.conf
    /opt/bitnami/apache/conf/vhosts/wordpress-vhost.conf

    That should resolve your issue,

    Peter.

    Thread Starter Merkucio

    (@merkucio)

    Done, but…

    Publicly accessible config, backup, or log file found: .user.ini
    Type: Publicly Accessible Config/Backup/Log

    Screenshots
    https://ibb.co/GCt9M0n
    https://ibb.co/gg1SWfv

    And what I did wrong?

    Thread Starter Merkucio

    (@merkucio)

    helloooooo))

    Plugin Support wfpeter

    (@wfpeter)

    Hi @merkucio,

    I see the code you’ve added shouldn’t be causing this to still be flagged. Are you running any caching on your server or as a WordPress plugin that should be cleared? Try also restarting your server as the conf changes won’t take place until they’re read again during a startup.

    Thanks,

    Peter.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Can’t hide user.ini file publicly accessible’ is closed to new replies.