Viewing 5 replies - 1 through 5 (of 5 total)
  • Hi @jiraz

    Unfortunately, we need access to PHP files to access Matomo.

    The only solution I can see is to set a rewrite rule in your plugin folder, which will redirect all PHP access to a 403 error except for the Matomo plugin.
    Kind regards

    Mat

    Hi @jiraz

    This security rule is designed to block access to the PHP files included in the plugins folder. This can be a security issue if you install plugins with a back-door: attackers will enter this back-door from the plugin folder.
    Some other plugins, like the iThemes Security plugin, provide a similar feature too.

    It can be interesting to do that when your WordPress plugins are only customisations for your WordPress.
    Unfortunately, it excludes software solutions like Matomo from being in the plugins subfolder. And for now, we have no other design option to add Matomo on WordPress.

    It seems that your hosting provider made a choice to restrict this access without asking you. It’s a hosting approach, which has its pros and cons.

    What are your solutions?
    You can definitely switch to Matomo On-Premise: you won’t have to update this configuration rule.
    Unfortunately, with our plugin, we need to allow access to PHP files, at least in the Matomo plugin subfolder. Enabling this rule does not really create a bottleneck in your architecture: Matomo is free of security holes for now, and we have a strong security program to reduce their number: https://matomo.org/security/

    Let me know if you need further assistance.

    Kind regards

    Mat

    Thread Starter jiraz

    (@jiraz)

    Hi Mat,

    Thank you for explaining.

    What worries me isn’t Matomo’s security, but rather other plugins. When I grant Matomo direct access to a PHP file, I also grant access to other bad things.

    Hello @jiraz

    If you want to allow access only to Matomo, you could add something like this to your .htaccess file:

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteCond %{REQUEST_URI} ^/wp-content/.+\.php$
        RewriteCond %{REQUEST_URI} !/matomo/app/
        RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>

    It would redirect any request to a PHP file (except the Matomo one) to a 403 error.
    I didn’t test it, but it should work.

    Kind regards

    Mat
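    As an added check that is not part of the thread (it is neither Mat's nor Matomo's code), the script below models the two RewriteCond lines from the snippet above in Python, so you can see which request paths the rule would answer with 403 before touching the live .htaccess. The patterns are copied from the snippet; the sample paths are constructed for illustration. It also includes an assumed tightened variant (not from the thread) that anchors the exclusion to the full plugin path, because the posted `!/matomo/app/` condition is an unanchored substring match.

```python
import re

# Patterns copied from the forum snippet. Apache evaluates them as PCRE;
# these particular patterns behave identically under Python's re module.
PHP_UNDER_WP_CONTENT = re.compile(r"^/wp-content/.+\.php$")
MATOMO_EXCLUSION = re.compile(r"/matomo/app/")   # unanchored, exactly as posted

# Assumed hardened variant (not from the thread): exempt only the real
# Matomo plugin subtree instead of any path containing "/matomo/app/".
MATOMO_EXCLUSION_ANCHORED = re.compile(r"^/wp-content/plugins/matomo/app/")


def decide(request_uri: str, exclusion: re.Pattern = MATOMO_EXCLUSION) -> int:
    """Return the status the rule would produce for a request.

    403 when both RewriteCond lines hold (a .php path under /wp-content/ that
    is not covered by the exclusion); otherwise 200, meaning the rule does
    not fire and Apache serves the request normally.
    """
    # %{REQUEST_URI} is the path component only; drop any query string.
    path = request_uri.split("?", 1)[0]
    if PHP_UNDER_WP_CONTENT.search(path) and not exclusion.search(path):
        return 403
    return 200


# Constructed sample requests, not taken from any real site.
SAMPLE_PATHS = [
    "/wp-content/plugins/matomo/app/index.php?module=CoreHome",  # Matomo UI
    "/wp-content/plugins/some-plugin/admin.php",                 # other plugin
    "/wp-content/uploads/2024/photo.png",                        # not PHP
    "/wp-admin/admin-ajax.php",                                  # outside wp-content
    "/wp-content/plugins/other/matomo/app/x.php",                # contains /matomo/app/ deeper in the path
]


def run_samples() -> dict:
    """Evaluate every sample path under the posted rule and the anchored variant."""
    return {
        p: {"posted": decide(p), "anchored": decide(p, MATOMO_EXCLUSION_ANCHORED)}
        for p in SAMPLE_PATHS
    }


if __name__ == "__main__":
    for path, result in run_samples().items():
        print(f"{path:60s} posted={result['posted']} anchored={result['anchored']}")
```

The last sample shows the difference between the two exclusions: the posted condition lets any path containing `/matomo/app/` through, while the anchored one only exempts `/wp-content/plugins/matomo/app/`. If you adopt the anchored form, replace the second RewriteCond with `RewriteCond %{REQUEST_URI} !^/wp-content/plugins/matomo/app/` and re-check the Matomo reporting page still loads.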

    mattmary

    (@mattmary)

    Hello @jiraz

    Did my answer solve your problem?

    Kind regards

    Mat

  • The topic ‘DIRECT PHP FILES ACCESS – is the only way to access reporting page?’ is closed to new replies.