Bug Report – Restrict wp-includes access

Thanks for the report; the current version of the code creates three rules in the access control file [1]: one to block the direct access to any PHP file, the second one to whitelist the “wp-tinymce.php” file required to render the visual editor, and the last one to whitelist “ms-files.php” required to render the file manager.

You can see that the rules are using the Apache +2.4 syntax, it is possible that the server where your website is being hosted is not compatible with these rules and that is why the whitelist of the “wp-tinymce.php” file is not working. Please share more information about your web server so I can reproduce the issue and fix it as soon as possible.

[1] https://cixtor.com/pastio/2hz6b3

I too am having this same issue across multiple sites.

This is how it is writing the .htaccess file on one of the sites in question:

<FilesMatch “\.(?i:php)$”>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>
<Files wp-tinymce.php>
Allow from all
</Files>
<Files ms-files.php>
Allow from all
</Files>

Hi again,

Yorman, could you be more specific about which details you need to replicate the issue.
I’m not very familiar with server setup details.

I’m pretty sure I’ve isolated the apache version – 2.4.6
Running on a plesk panel server full RPM – 2.4.6-31.el7.centos.1

Stereotonic,

Unless you’ve got very larger and secure sites running sucuri, temporarily reversing the wp-includes hardening worked well for me and should help you out.

I also reverted hardening on wp-includes and that fixed the issue for me, too.

Comparing @stereotonic ‘s code [1] and mine [2] we can see the difference, that difference is what is causing the issue; thanks @peachey_a for the information you provided. I am pretty sure that this is already fixed in the development version of the code [3] but we will need to wait some time until the QA team decides that everything in the new changes is working before we can see a new public version with the fixes.

Alternatively, you can download the development version of the code from the official repository, there will not be a problem once the official version is released, so I suggest you to do this if you want to apply the hardening to the includes folder now.

Note. I will keep this ticket marked as not-resolved until the new version of the plugin is officially released so other people facing the same problem can get the same information as the people participating in this thread. Thanks for your patience.

[1] https://cixtor.com/pastio/nhgkcf
[2] https://cixtor.com/pastio/2hz6b3
[3] https://github.com/Sucuri/sucuri-wordpress-plugin

I have the same problem.
It also stops my site sliders working (RoyalSlider).

@wpelvis I guess you are talking about the hardening of the content directory which is where the slider is storing the PHP files where it generates the slider, or something similar (I do not know how RoyalSlider exactly works, just a guess). There is an additional panel in the hardening page where you can whitelist individual PHP files if you trust them, in this case you need to whitelist the PHP file(s) that are used by RoyalSlider.

But please everyone use the development version of the plugin [1] for now, it already includes the fix for the issue reported in this thread among other things that have been reported by other users in different tickets, we will release the new version when the new code is fully tested.

[1] https://github.com/Sucuri/sucuri-wordpress-plugin