• Resolved gamepow

    (@gamepow)


    A recent Wordfence scan found a publicly accessible config, backup, or log file: .user.ini.

    I clicked “hide” via the button in Wordfence, and it updated the .htaccess file and added this.

    # Wordfence WAF
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    	Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    	Order deny,allow
    	Deny from all
    </IfModule>
    </Files>
    
    # END Wordfence WAF

    However, .user.ini is still viewable publicly.

    I’m using Apache and not nginx. Most of the forum posts are for nginx.

    Also sending a diagnostics email to wftest @ wordfence . com after this post. Please check. Thank you!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @gamepow,

    I spent a little time looking into this as, like you say, your server seems to be set up correctly for using .user.ini and .htaccess files without some of the other common issues. I was able to see the file from my end though, so it is indeed still visible.

    I have noticed that you have mention of Cloudflare CDN and a Cloudflare IP in “IP(s) Used by this server”. The Cloudflare cache has notably in the past cached the first file returned for a specific URL/path and I’m wondering if that’s the case here. You may need to clear the cache to get the correct result for the updated .htaccess rules.

    Let me know how you get on!

    Peter.

    Thread Starter gamepow

    (@gamepow)

    Hi @wfpeter,

    Thanks for the response.

    Yes, we use Cloudflare and cleared all of my cache on Cloudflare already but the .user.ini is still exposed.


The topic ‘Security Issue – hide user.ini file’ is closed to new replies.
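
The thread leaves open whether the file is still coming from Cloudflare's cache or from Apache itself. The following is an added example, not part of the original posts and not Wordfence code: it classifies the headers returned for `/.user.ini` using Cloudflare's `CF-Cache-Status` response header. The function names, verdict strings, `example.com` and the sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Tells a cached edge copy of /.user.ini
# apart from an origin that is still serving the file.
# Live use on your own site:
#   curl -sI "https://example.com/.user.ini" | classify_headers

classify_headers() {
  # Reads a raw header dump on stdin and prints exactly one verdict:
  #   denied          origin or edge answered 403 (the <Files> rule is effective)
  #   exposed-cached  200 served from Cloudflare's cache; purge, then retest
  #   exposed-origin  200 fetched from the origin; the deny rule is not applied
  #   inconclusive    any other status, or no status line at all
  awk '
    { sub(/\r$/, "") }                           # curl prints CRLF line endings
    /^HTTP\// { status = $2; cache = ""; next }  # with redirects, keep the last response
    tolower($0) ~ /^cf-cache-status:/ {
      cache = toupper(substr($0, index($0, ":") + 1))
      gsub(/[ \t]/, "", cache)
    }
    END {
      if (status == "403") print "denied"
      else if (status != "200") print "inconclusive"
      else if (cache == "HIT" || cache == "STALE" || cache == "UPDATING") print "exposed-cached"
      else print "exposed-origin"               # MISS, EXPIRED, DYNAMIC, BYPASS or no CDN header
    }
  '
}

# Constructed sample responses (not captured from any real site).
sample_cached() {
  printf 'HTTP/2 200\r\nserver: cloudflare\r\ncf-cache-status: HIT\r\nage: 8123\r\n\r\n'
}
sample_origin() {
  printf 'HTTP/2 200\r\nserver: cloudflare\r\ncf-cache-status: DYNAMIC\r\n\r\n'
}
sample_denied() {
  printf 'HTTP/1.1 403 Forbidden\r\nServer: Apache\r\n\r\n'
}
```

An `exposed-origin` verdict after a cache purge points at the origin server rather than the CDN, which is the situation the thread starter describes in the last reply.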