jkling
Forum Replies Created
Sure not. I am aware of this.
In fact I log out and delete cache and cookies before I reload the phpinfo.

Forum: Plugins
In reply to: [Ultimate FAQ Accordion Plugin] htaccess and toggle faq title

Hi,
I use this .htaccess file in the wp-admin at least on 15 WordPress websites.
Apparently none of them needs the built-in-ajax.php.
This code in the .htaccess fixes the problem:
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Thank you for the clue.
Best regards
Jürgen

Hi,
currently I am only able to run WordPress WAF mode on my hosting account, because auto_prepend_file fails. I am working on it. But what experiences did you have in detail, when WordPress WAF mode did not stop the hackers?
Best regards
Jürgen

Now I saw this for the first time
“It seems that the user session set by NinjaFirewall was not found by the firewall script.”
What next?

Hello,
Some more improvements, when you will work on the cookie
SameSite=strict
Cookie Prefixes __Secure- __Host-
to make WPNF great again
Best regards
Jürgen

Hi,
the different approaches of the scanners may be an explanation.
But it is still confusing why in my case both values are shown or none.

The results with .htaccess
1) securityheaders.com
Strict-Transport-Security max-age=31536000 (NFW value)
Warnings: There was a duplicate Strict-Transport-Security header

2) https://www.htbridge.com
The header is properly set.
Strict-Transport-Security: max-age=15768000; includeSubDomains (htaccess value)

3) observatory.mozilla.org
Test Scores
HTTP Strict Transport Security (HSTS) header cannot be recognized
Raw Server Headers
max-age=31536000, max-age=15768000; includeSubDomains (both)

The results without .htaccess
1) securityheaders.com
Strict-Transport-Security max-age=31536000 (NFW value)
No Warnings

2) https://www.htbridge.com
The header is properly set.
Strict-Transport-Security: max-age=31536000

3) observatory.mozilla.org
Test Scores
HTTP Strict Transport Security (HSTS) HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000) CRAZY??? maybe some weird caching
Raw Server Headers
max-age=31536000

/*** And finally the big surprise of the day ***/
4) webbkoll.dataskydd.net
Strict-Transport-Security YES, max-age=31536000

Last time it failed. This failure was the reason for my request.
My résumé: whatever a scanner tells you, NFW works

Best regards
Jürgen

Hello,
you are kidding. PHPSESSID is a PHP session cookie?
Ok, your default assumption was that every visit is a session.
But in fact it is not really obligatory, until someone tries to log in.
It’s my personal goal to run a “non cookie policy” as long as possible.
Thx
Jürgen

I can only find
Other Options
– Image Options
– Thumbnail Options
– Lightbox Effects
– Watermarks
– Styles
– Roles & Capabilities
– Miscellaneous

But that won’t solve my problem, I think. Because the new path will be like this:
src="https://other-domain/nextgen-attach_to_post/preview/id--816"
I only need to adjust the wordpress-url to get this

Why doesn’t this one work?
src="/nextgen-attach_to_post/preview/id--816"
I guess the reset would not affect already posted gallery links in the content of posts or pages.
In general I try to avoid all absolute paths.