• Resolved lainey

    (@navitas)


    Hi there, I’m aware that with Defender we are advised in the warning box at the top of the screen to do the following.

    To fix the Defender Security problem go to the Security Tweaks page, click the PHP Execution option setting and click the Revert button.

    Defender now has an option in the PHP Execution page to exclude files.

    Add exceptions to PHP files you want to continue to run. Include the full paths to the file.

    Is there an option to populate that section and keep the PHP option on?

    • This topic was modified 3 years, 4 months ago by lainey.
Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Author AITpro

    (@aitpro)

    It takes me forever to find anything in the Defender plugin. GRRR!!! People keep telling me to change my plugin to more of a Dashboard settings thing. There has to be better way of doing things than what Defender is doing. Ugh.

    So I just looked at the Defender exclude option and the problem is that you can only exclude single files and not entire folders. So it is useless.

    Blocking php file access under the wp-content folder is a terrible idea that a few WP security plugins are doing. That breaks things in the BPS plugin and also breaks things in many other plugins and themes. So the best solution is to turn that ridiculous option off.

    I don’t see an easy way to disable or turn off the horrible setting, which is absurd. Yes, I am very irritated at this point. I guess you will have to manually edit the Defender /wp-content/.htaccess file. Horrible Ugh.

    Plugin Author AITpro

    (@aitpro)

    Wow. When you delete the Defender plugin the /wp-content/.htaccess file is not deleted. Horrible.

    Plugin Author AITpro

    (@aitpro)

    Additionally I saw WP Cron errors until I manually deleted the Defender /wp-content/.htaccess file. Ugh.

    Plugin Author AITpro

    (@aitpro)

    Also this is worth pointing out > hackers have been using .ico files for years now to beat .php file blocking. They put .ico files in the WP /plugins/ folder and execute their hacker code with the .ico files instead of using .php files. So blocking .php files is useless against that very common hacking method.

    Plugin Author AITpro

    (@aitpro)

    Less grouchy today. It really bothers me though that plugin creators just copy existing features in other plugins without researching whether or not those features have any real value or not. Another feature that is ridiculous is disabling the Theme and Plugin Editors. If a website is already hacked then disabling the Theme and Plugin Editors is not going to prevent a hacker from editing Plugin or Theme files. Hackers upload a hacker Shell script to the hosting account, which gives the hacker full control of a hosting account. File editing, creation, deletion and database access.

    Defender does have some features with actual value. The Prevent PHP execution and disabling file editing features do not have any value/usefulness.

    • This reply was modified 3 years, 4 months ago by AITpro.
    Plugin Author AITpro

    (@aitpro)

    If you want to keep using the Defender Prevent PHP Execution feature you will need to manually edit the /wp-content/.htaccess file and add this BPS plugin folder whitelist htaccess code. I may decide to automate this in BPS instead of displaying a warning alert about this problem.

    ## WP Defender - Protect PHP Executed ##
    SetEnvIf Request_URI "bulletproof-security/.*$" whitelist
    <Files *.php>
    Require env whitelist
    Require all denied
    </Files>
    ## WP Defender - End ##

    Note: Defender is assuming that the Apache mod_authz_core module is available and loaded. Most web hosts should now have this module available and loaded, but the correct way to ensure that is to use IfModule conditions like this below. If a host does not have the mod_authz_core module loaded then the site will probably crash with a 500 error. So yeah this is pretty important.

    ## WP Defender - Protect PHP Executed ##
    SetEnvIf Request_URI "bulletproof-security/.*$" whitelist
    <Files *.php>
    <IfModule mod_authz_core.c>
    Require env whitelist
    Require all denied
    </IfModule>
    </Files>
    ## WP Defender - End ##
    • This reply was modified 3 years, 4 months ago by AITpro.
    Plugin Author AITpro

    (@aitpro)

    Some hosts may not have the setenvif_module module loaded. So to prevent problems and to be 100% code correct this is the correct code to use.

    ## WP Defender - Protect PHP Executed ##
    <IfModule mod_setenvif.c>
    	<IfModule mod_authz_core.c>
    		SetEnvIf Request_URI "bulletproof-security/.*$" whitelist
    		<Files *.php>
    		Require env whitelist
    		Require all denied
    		</Files>
    	</IfModule>
    </IfModule>
    ## WP Defender - End ##
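
    As an added example (not code from BPS, Defender or anyone in this thread): a small Python script that builds the guarded form of the block above for any list of plugin folders, and checks the Defender block in an existing /wp-content/.htaccess for the unguarded SetEnvIf/Require directives the earlier replies warn about (the case that can end in a 500 error when a module is not loaded). It assumes plugin folder slugs contain only letters, digits, hyphens and underscores; the second folder name in the usage line is made up.

```python
import re

# Marker comments of the Defender block, copied from the thread's snippets.
BEGIN = "## WP Defender - Protect PHP Executed ##"
END = "## WP Defender - End ##"

# Plugin folder slugs are plain names; anything else would need regex escaping
# before it goes into the SetEnvIf pattern, so we refuse it instead.
SLUG_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def build_block(plugin_slugs):
    """Return the guarded Defender-style block whitelisting each plugin folder.

    One SetEnvIf per folder sets the same 'whitelist' variable, so any request
    URI containing that folder passes 'Require env whitelist'; every other
    .php request falls through to 'Require all denied'. Both <IfModule> guards
    wrap the directives, as in the thread's final version.
    """
    for slug in plugin_slugs:
        if not SLUG_RE.match(slug):
            raise ValueError("unexpected characters in plugin slug: %r" % slug)
    lines = [BEGIN, "<IfModule mod_setenvif.c>", "\t<IfModule mod_authz_core.c>"]
    for slug in plugin_slugs:
        lines.append('\t\tSetEnvIf Request_URI "%s/.*$" whitelist' % slug)
    lines += [
        "\t\t<Files *.php>",
        "\t\tRequire env whitelist",
        "\t\tRequire all denied",
        "\t\t</Files>",
        "\t</IfModule>",
        "</IfModule>",
        END,
    ]
    return "\n".join(lines) + "\n"


def check_block(htaccess_text):
    """Report problems with the Defender block in an .htaccess file's text.

    Returns a list of findings; an empty list means the block has the guarded
    form. Findings cover: no block at all, a SetEnvIf outside an
    <IfModule mod_setenvif.c> guard, a Require outside an
    <IfModule mod_authz_core.c> guard, and a block with no whitelist line.
    """
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), htaccess_text, re.S)
    if not m:
        return ["no Defender block found"]
    findings = []
    open_guards = []  # stack of <IfModule ...> names currently open
    saw_setenvif = False
    for raw in m.group(1).splitlines():
        line = raw.strip()
        opener = re.match(r"<IfModule\s+(\S+)\s*>", line, re.I)
        if opener:
            open_guards.append(opener.group(1).lower())
        elif re.match(r"</IfModule\s*>", line, re.I):
            if open_guards:
                open_guards.pop()
        elif line.lower().startswith("setenvif "):
            saw_setenvif = True
            if "mod_setenvif.c" not in open_guards:
                findings.append("SetEnvIf not inside <IfModule mod_setenvif.c>")
        elif line.lower().startswith("require "):
            if "mod_authz_core.c" not in open_guards:
                findings.append("'%s' not inside <IfModule mod_authz_core.c>" % line)
    if not saw_setenvif:
        findings.append("no SetEnvIf whitelist line: every .php in this folder is denied")
    return findings


# Constructed sample: the thread's first, unguarded snippet.
UNGUARDED = """## WP Defender - Protect PHP Executed ##
SetEnvIf Request_URI "bulletproof-security/.*$" whitelist
<Files *.php>
Require env whitelist
Require all denied
</Files>
## WP Defender - End ##
"""

if __name__ == "__main__":
    # "another-plugin" is a made-up folder name for illustration.
    print(build_block(["bulletproof-security", "another-plugin"]))
    for finding in check_block(UNGUARDED):
        print("unguarded:", finding)
```

    Run it against the text of the real /wp-content/.htaccess (for example `check_block(open("/path/to/wp-content/.htaccess").read())`) before and after editing; the unguarded snippet from Defender yields three findings, the final guarded snippet yields none.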
    Plugin Author AITpro

    (@aitpro)

    Assuming all questions have been answered – the thread has been resolved. If the issue/problem is not resolved or you have additional questions about this specific thread topic then you can post them at any time. We still receive email notifications when threads have been resolved.

    Thread Starter lainey

    (@navitas)

    Thanks so much for this, I didn’t get the updates through! I feel your pain. I just found my own post searching the issue again.

    I really appreciate this, I’ve used your plugins on my sites for much longer than any of the newer ones have been around!

    Plugin Author AITpro

    (@aitpro)

    I decided to automate this solution. BPS 5.5+ and BPS Pro 16.1+ automatically add a whitelist rule for the BPS/BPS Pro plugin folder. I removed the error check since this is now automatically fixed.

    Hello,

    I found this topic by looking for solutions for defender when it’s preventing php execution. I have a few questions:
    1) Can your plugin and defender be used together, what’s the benefit of using both? Would the features not conflict?
    2) I see you’re here explaining that hackers have been using .ico files for years now to beat .php file blocking. Do you have a solution against this hack?

    Plugin Author AITpro

    (@aitpro)

    1. The general rule when using 2 plugins that do similar things is that you would choose the feature in 1 plugin that does something similar and turn off that similar feature in the other plugin. Yep, BPS should work fine with Defender, but I have not extensively tested that plugin. So I cannot provide any sort of answer about benefits or conflicts.

    2. BPS protects against hacker .ico files. Eventually other security plugins will catch on and do the same thing.

  • The topic ‘Keeping PHP execution on with Defender’ is closed to new replies.