Lock and Protect System Folders Issue: blocking a needed script

  • Resolved antoniop80

    (@antoniop80)


    6 months, 1 week ago

    Hello there,

    Due to the option “Lock and Protect System Folders” being active, the TranslatePress plugin is unable to access the needed php script for the translations (/wp-content/plugins/translatepress-multilingual/includes/trp-ajax.php). Gives a 403 error (forbidden).

    I was able to pinpoint the issue by disabling plugins consecutively and within Security Optimizer going through the options.

    The link added regarding the page I need help with is just an example since the issue happens sitewide.

    Is there a way to keep the lock in place but to exclude specifically the Translate Press folder?

    Thank you in advance,

    Antonio

    The page I need help with: [log in to see the link]

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support Simeon Boev

    (@k3llanved)

    Hello @antoniop80,

    The security feature employs .htaccess files to enforce rules. For example, the .htaccess file located in the wp-content/ folder of your website applies these rules to all subfolders, including those for themes and plugins. If you encounter issues, you might consider commenting out or removing the protective rules from the .htaccess file to see if that resolves the problem. Alternatively, you could explore using a different plugin that fully leverages our security features.

    Best Regards,

    Simeon Boev

    Thread Starter antoniop80

    (@antoniop80)

    Hello @k3llanved,

    Thank you for the quick reply.

    I understand that the rules are enforced globally at .htaccess but, would be possible in the .htaccess grant an exclusion to the specific script/plugin folder that is somewhat incompatible with the SG Security Optimizer plugin?

    I’m very happy with the SG Security Optimizer plugin so I never considered using any other security plugin like Wordfence or Sucuri.

    Kind regards,
    António P

    Plugin Support Delyan Delov

    (@delyandelov)

    Hello @antoniop80,

    I am afraid that our plugin does not have such functionality, however, you can do that by creating an .htaccess file under the plugin folder:
    wp-content/plugins/translatepress-multilingual/includes/
    and “exclude” the files that should be accessible.

    For example, if you want all PHP files under the above directory to be accessible, you can add the following directives to the newly created .htaccess file:

    <FilesMatch “\.(?i:php)$“>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Allow from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
</FilesMatch>
    Thread Starter antoniop80

    (@antoniop80)

    Hello @delyandelov,

    Thank you for the reply.
    2 questions:

    – When the plugin is updated, will the custom .htaccess file be deleted?
    – The SG Security Optimizer when “reads” the content of wp-content/plugins/translatepress-multilingual/includes/ and verifies that there is an .htaccess file, will ignore this folder and exclude it?

    Thanks,
    AP

    Thread Starter antoniop80

    (@antoniop80)

    Hello @delyandelov,

    Even after adding the .htaccess with those directives, the issue persists as can be seen in the attached console image below:

    The url to see this error in the console is: https://gerolatsitis.com/en/projects/

    The .htaccess file was created in the root folder includes of the plugin folder, as it is with the following directives:

    <FilesMatch “\.(?i:php)$“>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Allow from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
</FilesMatch>

    Thanks,
    AP

    Plugin Support Dimo Dimov

    (@dimodi)

    Hello @antoniop80,

    If the Lock and Protect System Folders option blocks a specific script used by another plugin on the website, you can actually whitelist the specific script by using the filters we created for that purpose. Please follow the guidelines in this article:

    https://eu.siteground.com/tutorials/wordpress/security-optimizer/custom-filters/#Whitelist_a_specific_script_from_Lock_and_Protect_System_Folders

    Regards,
    Dimo

    Thread Starter antoniop80

    (@antoniop80)

    Hello @dimodi,

    Thanks.

    I added the function below in the functions.php.

    add_filter( 'sgs_whitelist_wp_content' , 'whitelist_file_in_wp_content' );
function whitelist_file_in_wp_content( $whitelist ) {
	$whitelist[] = '/plugins/translatepress-multilingual/includes/trp-ajax.php';
	return $whitelist;
}

    I’ve tried both options, file name and relative path but no change. Error 403 persists.

    Regards,
    AP

    Plugin Support Dimo Dimov

    (@dimodi)

    There is no need to provide full path to the file, simply adding the file name will be enough. The rules excluding it are placed in .htaccess file, so the exclude will be applied for the whole wp-content directory recursively. Here is how to whitelist it:

    1. Make sure Lock and Protect System Folders feature is disabled
    2. Add the following filter in the functions.php file of the active theme:

    add_filter( 'sgs_whitelist_wp_content' , 'whitelist_file_in_wp_content' );
    function whitelist_file_in_wp_content( $whitelist ) {
    $whitelist[] = 'trp-ajax.php';
    return $whitelist;
    }

    1. Activate Lock and Protect System Folders feature

    Reactivating the feature in Security Optimizer settings will ensure that the list of the excluded scripts will be updated.

    If the issue persists, please open a support request from your SiteGround Client Area so we can replicate the error and conduct a more detailed investigation.

    Regards,
    Dimo

    Thread Starter antoniop80

    (@antoniop80)

    @dimodi,

    Thank you so much. That did the trick!

    Regards,
    AP

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘Lock and Protect System Folders Issue: blocking a needed script’ is closed to new replies.

Tags