• Resolved cartercoupons

    (@cartercoupons)


    There is an issue showing in Wordfence notifications

    Publicly accessible config, backup, or log file found: .user.ini

    URL: https://www.cartercoupons.com/.user.ini
    Severity: Critical
    Status New

    https://www.cartercoupons.com/.user.ini is publicly accessible and may expose source code or sensitive information about your site. Files such as this one are commonly checked for by scanners and should be made inaccessible. Alternately, some can be removed if you are certain your site does not need them. Sites using the nginx web server may need manual configuration changes to protect such files.

    How do I solve this issue, or can I simply ignore it?

Viewing 8 replies - 1 through 8 (of 8 total)
  • No. Don’t ignore it. It exposes the username and path of the WordPress installation. You may ask your host to deny access to all files starting with a dot.

    Hi @cartercoupons,

    This is related to a new check implemented in Wordfence scans.

    Please see this topic which addresses the same question.

    Thread Starter cartercoupons

    (@cartercoupons)

    @pothi Thanks a lot for a quick solution.

    We use inmotionhosting.com and the .user.ini file is accessible by default.

    Added the following code to .htaccess file and it took care of it:

    # Deny web access to files with these extensions (.user.ini ends in .ini)
    <filesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
    Order Allow,Deny
    Deny from all
    </filesMatch>

    Reference Article: https://www.inmotionhosting.com/support/website/protecting-files/restrict-public-access-php-ini

    ScottAgirs

    (@scottagirs)

    Hey guys, could anyone advise on how to deal with this on Nginx servers?

    Many thanks in advance,
    Scott

    If you can modify and apply Nginx configuration on your host, then appending the following line within the server block would do…

    location = /.user.ini { deny all; }

    ScottAgirs

    (@scottagirs)

    @pothi – awesome, thank you!

    If I have several Server Blocks running on the same server, can I apply this to all of the Server Blocks by appending this line to the server block in the sites-available/default file?

    Cheerio,
    S

    ScottAgirs

    (@scottagirs)

    Update:
    I just tried appending location = /.user.ini { deny all; } to the sites-available/default file and it did not work; I had to add it to a domain-specific file, sites-available/specific.com!

    S
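
A location block applies only inside the server block that contains it, so a rule placed in sites-available/default is never consulted for requests that another server block handles. One way to apply the rule to every site, shown as an added example that is not from the thread (the snippet file name, the example.org site and the root paths are assumptions):

```nginx
# --- /etc/nginx/snippets/deny-dotfiles.conf (assumed file name and path) ---
# The rule given in the thread: exact match for the flagged file.
location = /.user.ini { deny all; }

# Optional broader rule: refuse any path segment that begins with a dot
# (.htaccess, .git/, .env ...). /.well-known/ stays reachable because
# ACME certificate validation requests files under it.
location ~ /\.(?!well-known/) { deny all; }

# --- /etc/nginx/sites-available/specific.com ---
server {
    listen 80;
    server_name specific.com www.specific.com;
    root /var/www/specific.com;            # constructed path
    # Resolved relative to the nginx configuration directory.
    include snippets/deny-dotfiles.conf;
}

# --- /etc/nginx/sites-available/example.org (constructed second site) ---
server {
    listen 80;
    server_name example.org;
    root /var/www/example.org;             # constructed path
    include snippets/deny-dotfiles.conf;
}
```

Run `nginx -t` before reloading; a request for /.user.ini on each site should then return 403.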

  • The topic ‘Wordfence Issue: Publicly accessible config, backup, or log file found’ is closed to new replies.