• Resolved tonylaw

    (@tonylaw)


    Hi there,

    A recent scan found a publicly accessible config, backup, or log file: .user.ini.

    I tried to “hide” it via the button in Wordfence, but that did not update .htaccess.

    The .user.ini file on my site only contains this code:

    ; Wordfence WAF
    auto_prepend_file = '/var/www/html/wordfence-waf.php'
    ; END Wordfence WAF

    I guess deleting it is not an option, right?

    I don’t know how to fix this since I’m also having trouble optimizing the WAF.

    Can someone help me to fix these issues please?

    Many thanks,

    Tony

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @tonylaw, thanks for seeking our help on this issue.

    The .user.ini file is created during the Firewall Optimization process. At the same time, usually code is added in .htaccess which prevents access but this doesn’t seem to have happened.

    Make sure to add this code in your .htaccess:

    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    	Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    	Order deny,allow
    	Deny from all
    </IfModule>
    </Files>

    Let me know how you get on.

    Thanks,

    Peter.

    Thread Starter tonylaw

    (@tonylaw)

    Hi @wfpeter, thank you for your feedback! Let me try this and come back to you.

    Many thanks!

    Tony

    Thread Starter tonylaw

    (@tonylaw)

    Hey @wfpeter, I noticed that the code you gave me was already there twice.

    What do you think I should do? Adding the code again won’t change anything, right?

    Thank you for your answer.

    Tony

    Plugin Support wfpeter

    (@wfpeter)

    Hi @tonylaw,

    Just so I can attempt to view the file and see a bit of config info around this, can you please send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    Note: For the fastest response time, please make sure and add any information or questions directly to this topic and not the email address above unless asked.

    Thanks,

    Peter.

    Thread Starter tonylaw

    (@tonylaw)

    Hi @wfpeter,

    Report is sent. Sorry for the late answer ;(

    Waiting for your feedback and help.

    Many thanks!

    Tony

    Plugin Support wfpeter

    (@wfpeter)

    Hi @tonylaw, thanks for providing me with that.

    I am now able to see that you’re using OpenLiteSpeed, which requires a different setup for optimizing the WAF as it does not observe the .htaccess; see the bottom of the following page:

    https://www.wordfence.com/help/firewall/optimizing-the-firewall/troubleshooting/

    After following those steps you can delete the .user.ini file as it can’t be used anyway so there’s no need to then hide it.

    Thanks,

    Peter.
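
An added example, not part of the thread and not Wordfence's own code: a check that compares the `.htaccess` deny rule with what the web server actually returns for `/.user.ini`, which is the mismatch this thread ended on. The function names, the constructed sample `.htaccess` and the use of the `Server` header as a hint are assumptions.

```python
import re
import urllib.error
import urllib.request

# Constructed sample: the block from the reply above, present twice as the
# thread starter found it in his .htaccess.
BLOCK = '''<Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
</Files>
'''
SAMPLE_HTACCESS = "# BEGIN WordPress\n# END WordPress\n" + BLOCK + BLOCK

FILES_RE = re.compile(r'<Files\s+"?\.user\.ini"?\s*>(.*?)</Files>', re.I | re.S)
DENY_RE = re.compile(r'Require\s+all\s+denied|Deny\s+from\s+all', re.I)

def count_deny_blocks(htaccess_text):
    """Number of <Files ".user.ini"> blocks that contain a deny directive."""
    return sum(1 for body in FILES_RE.findall(htaccess_text) if DENY_RE.search(body))

def fetch_status(site):
    """Request <site>/.user.ini; return (HTTP status, Server header)."""
    req = urllib.request.Request(site.rstrip("/") + "/.user.ini", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Server", "")
    except urllib.error.HTTPError as err:  # 403/404 responses arrive here
        return err.code, err.headers.get("Server", "")

def assess(htaccess_text, status, server=""):
    """Combine what .htaccess says with what the web server actually returns."""
    blocks = count_deny_blocks(htaccess_text)
    if status != 200:
        return "not publicly served"
    if blocks == 0:
        return "exposed: no deny block in .htaccess"
    # Rule present yet the file is served: .htaccess is not being applied.
    hint = " (Server header mentions LiteSpeed)" if "litespeed" in server.lower() else ""
    return "exposed: deny block present %d time(s) but not applied%s" % (blocks, hint)

if __name__ == "__main__":
    # Offline run on the constructed sample. For a live check on your own site:
    # assess(open(".htaccess").read(), *fetch_status("https://your-site.example"))
    print(assess(SAMPLE_HTACCESS, 200, "LiteSpeed"))
```

A result of "present but not applied" means adding the block again will not help; the restriction has to be configured in the server itself or the file removed, as the final reply describes.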

  • The topic ‘Impossible to hide user ini file publicly accessible’ is closed to new replies.