Impossible to hide .user.ini

Resolved engray95
(@engray95)

2 years, 11 months ago
Hello, I’m having same issue as at https://ww.wp.xz.cn/support/topic/impossible-to-hide-user-ini-file-publicly-accessible/

I already have following lines added to .htaccess, also I’m not using Openlitespeed at least according to my hosting’s support.
```
<Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
</Files>
```
I’ve sent diagnostics from my website to wftest @ wordfence . com

I’d much appreciate your help 🙂

Viewing 5 replies - 1 through 5 (of 5 total)

Plugin Support wfpeter
(@wfpeter)

2 years, 11 months ago

Hi @engray95, thanks for your message.

Did you include your forum username with the diagnostics, as I’m not able to find anything sent today other than a Wordfence activity log from nic**** @ l***-********e . com (if you recognize that redacted information as yours).

It’s actually the diagnostics report we need, so try downloading the txt file from Wordfence > Tools > Diagnostics. You can then send that to wftest again, with your forum username in the subject line, with the txt file attached from your email account. Just reply again here afterwards so I can go look it up.

Thanks,
Peter.

Thread Starter engray95
(@engray95)

2 years, 11 months ago

Thanks for getting in touch! Nope, it’s not from me, maybe it didn’t go through because I was doing it using smartphone.

I’ve just now manually sent an email containing mentioned txt debug file, it should be delivered by now.
Plugin Support wfpeter
(@wfpeter)

2 years, 11 months ago
Hi @engray95, thanks for sending that over.

I see that your server is FPM/FastCGI, so your .htaccess should contain:
```
# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
</Files>
# END Wordfence WAF
```
If it doesn’t, try manually adding it. Your .user.ini should already contain:
```
; Wordfence WAF
auto_prepend_file = '/home/xtpl/domains/your.domain.here/public_html/wordfence-waf.php'
; END Wordfence WAF
```
I notice that our diagnostic says that “auto_prepend_file” is active, as expected so that’s probably already there. However, on some FastCGI sites, it is required to set that line in php.ini instead. If you are able to put auto_prepend_file = '/home/xtpl/domains/your.domain.here/public_html/wordfence-waf.php' in php.ini, you could instead blank or remove .user.ini to eliminate this warning.

Let me know how you get on!
Peter.
Thread Starter engray95
(@engray95)

2 years, 11 months ago
Thanks for checking that for me @wfpeter !

I checked and indeed my .htaccess file contains below:
```
# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
</Files>
# END Wordfence WAF
```
I checked with my hosting provider – unfortunately, it’s impossible to set anything in php.ini as it’s shared hosting. It’s only possible to modify php settings via .user.ini

Any ideas on how to hide this file? 😀
Thread Starter engray95
(@engray95)

2 years, 10 months ago
@wfpeter and other users that might have same issue – I was finally able to hide .user.ini. To do it, I replaced
```
<Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
</Files>
```
with simpler condition:
```
<Files ".user.ini">
    Order allow,deny
    Deny from all
</Files>
```
website and WF are seem to be working properly after the change.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Impossible to hide .user.ini’ is closed to new replies.