• Resolved elgopa

    (@elgopa)


    I activated “Prevent code execution in the public ‘Uploads’ folder”
    but it keeps saying I have to fix it on the dashboard.

Viewing 15 replies - 1 through 15 (of 17 total)
  • Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    @elgopa can you check if the .htaccess file in the uploads directory has been added, and the htaccess lines included in that file?

    You can find the .htaccess file in wp-content/uploads

    Thread Starter elgopa

    (@elgopa)

    No, it is not there.
    One website does have a .htaccess there, but it has only a Wordfence code execution protection file.
    Another website does not have a .htaccess at all in the uploads folder.
    Both websites have a different hoster.

    I do see a code-execution.php file:

    <?php
    /**
     * Test file for Really Simple SSL to check if uploads directory has code execution permissions
     *
     */
    
    echo "RSSSL CODE EXECUTION MARKER";
    • This reply was modified 2 years, 4 months ago by elgopa.
    Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    @elgopa yes, that file is a test file. Can you disable and enable the option again to check if it can write on the second try? As the test file is there, it seems there are writing permissions.

    Thread Starter elgopa

    (@elgopa)

    I already tried several times, but unfortunately…

    (Pity also that you have only the option “Enable recommended hardening features in Really Simple SSL – Enable” once when logging in after the update, and by the way, after you do this you cannot disable these options anymore.)

    Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    I just double checked, I can disable the options without issues. In some cases, if the plugin detects an option is already handled, it will show as “on”, but disabled. Possibly that is the case here.

    Thread Starter elgopa

    (@elgopa)

    To make things even more complicated for you guys:

    A third site does not have a .htaccess file in the /uploads folder, but does not give the warning “Prevent code execution in the public ‘Uploads’ folder”.

    Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    It is possible the code execution option is already blocked by either the hosting company or another plugin. In that case the notice won’t show up.

    You do not have the option “do not edit htaccess” enabled? (just checking).

    If you’re interested I can make a version with some logs. If you then post back the resulting log file, we can see where the plugin skips the .htaccess generation.
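
Added example, not part of the thread and not Really Simple SSL's own code: one way to interpret a request for the code-execution.php test file quoted earlier, separating a site where PHP in uploads is already blocked from one where it still runs. It assumes the check is a plain HTTP request for that file; the function names and result labels are made up for illustration.

```python
import urllib.error
import urllib.request

# Both values are taken from the test file quoted in the thread.
MARKER = "RSSSL CODE EXECUTION MARKER"
TEST_FILE = "wp-content/uploads/code-execution.php"


def classify(status, body):
    """Say what an HTTP response for the test file tells us about uploads."""
    if status in (401, 403):
        return "blocked"           # server refuses the request: rule is active
    if status == 404:
        return "missing"           # test file absent, nothing learned
    if status != 200:
        return "inconclusive"
    # Order matters: raw source also contains the marker inside the echo line.
    if "<?php" in body:
        return "served-as-source"  # not executed, but returned as plain text
    if MARKER in body:
        return "executes"          # the echo ran: PHP in uploads is executed
    return "inconclusive"          # e.g. a redirect to a login or error page


def probe(base_url, timeout=10.0):
    """Fetch the test file from a site you administer and classify it."""
    url = base_url.rstrip("/") + "/" + TEST_FILE
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            text = resp.read(4096).decode("utf-8", "replace")
            return classify(resp.status, text)
    except urllib.error.HTTPError as err:
        return classify(err.code, "")
    except urllib.error.URLError:
        return "inconclusive"


# Constructed sample responses, not captured from a real site.
SAMPLES = [
    (200, MARKER),
    (200, '<?php\necho "RSSSL CODE EXECUTION MARKER";'),
    (403, "Forbidden"),
    (404, "Not Found"),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, "->", classify(status, body))
```

Only the "executes" result means the uploads folder still needs a blocking rule; "blocked" matches the case where no notice is shown because the host or another plugin already handles it.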

    Thread Starter elgopa

    (@elgopa)

    I don’t get what you mean with

    option is already handled, it will show as “on”, but disabled

    Buttons have a lighter green colour than normal, after enabling the recommended options once, and cannot be disabled.

    Thread Starter elgopa

    (@elgopa)

    You do not have the option “do not edit htaccess” enabled? (just checking).

    That’s the culprit!
    I always had that enabled, because I did edit the .htaccess myself!

    Thank you!

    Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    @elgopa

    For example, if debugging is disabled on your site, and there’s no debug.log file in the wp-content folder, the option “change debug log location” will show as “enabled” (because there is no issue currently). As the option is not enabled in Really Simple SSL, the option is disabled, which shows as the lighter color.

    So if you see an enabled option with a lighter color, this means it is disabled in Really Simple SSL, but this specific security feature is already handled in some other way, like by setting the WP_DEBUG constant to false.

    Thread Starter elgopa

    (@elgopa)

    I do understand now, thank you very much for explaining!

    Thread Starter elgopa

    (@elgopa)

    @rogier, sorry for coming back again…
    I see “redirection method” —> “no redirect”,
    does this maybe prevent editing the htaccess file at all?
    This is not the same as “stop editing the htaccess file” in the previous versions.
    I do not see the option “do not edit htaccess” in the new version.

    • This reply was modified 2 years, 4 months ago by elgopa.
    Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    @elgopa Ah, yes. This feature has been deprecated, so while it still works, it’s not an option anymore in the settings.

    You can disable it with this line of code:

    rsssl_update_option('do_not_edit_htaccess', false);

    You can put it in your theme’s functions.php for example.

    Thread Starter elgopa

    (@elgopa)

    Ah,
    sooo, if I don’t disable it,
    it keeps the setting “do not edit htaccess” from the settings from the previous version of this plugin?
    Correct?
    And everyone who had this setting in previous versions cannot use “Prevent code execution in the public ‘Uploads’” folder?

    (Why not keep it really simple? (Cobbler, stick to your last.) Wordfence has this option also and many more.)

    • This reply was modified 2 years, 4 months ago by elgopa.
    Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    Yes. We did want to meddle in existing functions. Please note that you can choose not to use this function of course. It’s a bonus feature.

    We’ll think about re-adding the “stop editing htaccess option”, might be best to bring it back for users who have it enabled.

  • The topic ‘Prevent code execution in the public ‘Uploads’ folder’ is closed to new replies.