Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @saravanankanagaraj and thanks for your message.

    The Wordfence firewall has a rule turned on by default in Wordfence > All Options that checks for directory traversal attempts. Let me know if you’re seeing any issues with this.

    Thanks,

    Peter.

    Thread Starter Sakthivel

    (@saravanankanagaraj)

    Hi @wfpeter,

    Thanks for the reply.
    Can you please share more technical details? How does it prevent a path traversal attack?
    Also, please tell me what the use of the below code in the htaccess file is.

    # Wordfence WAF
    <IfModule mod_php5.c>
    	php_value auto_prepend_file '/var/www/html/example/wordfence-waf.php'
    </IfModule>
    <IfModule mod_php7.c>
    	php_value auto_prepend_file '/var/www/html/example/wordfence-waf.php'
    </IfModule>
    <IfModule mod_php.c>
    	php_value auto_prepend_file '/var/www/html/example/wordfence-waf.php'
    </IfModule>
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    	Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    	Order deny,allow
    	Deny from all
    </IfModule>
    </Files>

    Thanks,
    Sakthivel

    Plugin Support wfpeter

    (@wfpeter)

    Hi @saravanankanagaraj,

    Directory traversal is prevented by Wordfence matching patterns in URL requests to your site such as “../../”, which would signify a traversal attempt that should be blocked.

    The code between <IfModule mod_php5.c>...</IfModule> adds the WAF to your auto_prepend_file directive so that the firewall runs before your site hosts any content. This is a process that takes place during firewall optimization, if you’d like to read more about it.

    The code below <Files ".user.ini"> denies access to anybody attempting to visit your .user.ini file directly.

    Thanks again,

    Peter.

    Thread Starter Sakthivel

    (@saravanankanagaraj)

    Hi @wfpeter,
    I have been using this plugin for more than one month, but recent ZAP tool reports show a path traversal attack is possible.
    I have already enabled the necessary options to prevent path traversal in the plugin.
    Can you please tell me how to fix this issue by custom code or using your plugin?

    https://ibb.co/whScYpy

    Regards,
    Saravanan
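
The pattern matching described in the thread, together with a containment check in application code, as an added example that is not part of the original thread and is not Wordfence's own rule. It goes beyond the literal "../../" case to percent-encoded and backslash variants; all function names and sample URIs are hypothetical and constructed for illustration.

```php
<?php
// Added example, not Wordfence's rule. All function names are hypothetical.

// Percent-decode repeatedly (bounded) so %252e%252e%252f is seen as ../
function fully_decode(string $value, int $maxRounds = 5): string {
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// Pattern check: ".." as a whole segment, delimited by / \ = ? & or the string ends.
function has_traversal(string $rawUri): bool {
    $pattern = '~(?:^|[/\\\\=?&])\.\.(?:[/\\\\?&]|$)~';
    return preg_match($pattern, fully_decode($rawUri)) === 1;
}

// Containment check for code that opens files: resolve the requested path
// and accept it only if the result is still located under $baseDir.
function resolve_inside(string $baseDir, string $userPath): ?string {
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $full === false) {
        return null; // base or target does not exist
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed sample request URIs (not taken from the thread or any real log).
$samples = [
    '/wp-content/uploads/2021/report.pdf',
    '/download.php?file=../../wp-config.php',
    '/download.php?file=%2e%2e%2f%2e%2e%2fwp-config.php',
    '/download.php?file=%252e%252e%255cwp-config.php',
    '/blog/version-1..2-released',
];
foreach ($samples as $uri) {
    printf("%-55s %s\n", $uri, has_traversal($uri) ? 'BLOCK' : 'allow');
}

// Containment demo: this script itself, then the parent of its directory.
var_dump(resolve_inside(__DIR__, basename(__FILE__)));
var_dump(resolve_inside(__DIR__, '..'));
```

The pattern check is a request filter; the containment check belongs in whatever code turns a request parameter into a filesystem path, and it holds regardless of how the traversal sequence was encoded.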

  • The topic ‘Is this plugin prevent path /directory traversal attack?’ is closed to new replies.