• Resolved xprt007

    (@xprt007)


    Hi there

    I successfully transferred a site using Duplicator to another domain, but after making a trial scan with Wordfence, it showed .user.ini was openly accessible. Actually, after the transfer, there was a small issue with Wordfence, which had made me disable it BEFORE the transfer and activate it after.

    After activation, it took me to a page where it was supposed to update the settings, but mysteriously, the page was funny, with images not loading and links being unclickable or leading nowhere. I uninstalled and re-installed it, then updated the settings, before carrying out the above-mentioned scan.

    In the scan, this was the only notice:

    Publicly accessible config, backup, or log file found: .user.ini.

    I fixed this BUT discovered at random that the site.com/php.ini file in the root folder is accessible via the browser, which it should not be, and on the still existing original site, loading it leads to a clear 403 forbidden error. Also /wp-config.php: on the original site, a clear 403 forbidden error, whereas on the new domain, a blank page.

    I suspect something fundamental is wrong across the site. What can I do to correct permissions across WordPress? Not quite sure what went wrong as I have not had this before.

    I have temporarily set site in maintenance mode.

    Meanwhile: to the Forum Administrator

    How long after about 2 weeks will my posts require manual moderation? My original sin was including a couple of links in 1 or 2 posts after years with no issue at WordPress! This costs a lot of valuable time waiting.

    Thank you in advance.

    • This topic was modified 5 years, 4 months ago by xprt007.
    • This topic was modified 5 years, 4 months ago by James Huff.
Viewing 1 replies (of 1 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @xprt007

    Wordfence being broken may have been due to a faulty migration or perhaps a caching issue. It would be hard to say now that you have fixed it.

    The php.ini file should never be publicly accessible so you will need to ask your new hosting provider to fix that for you.

    The wp-config.php file should load a blank page, not a page with a 403 Forbidden response status code. If you had a custom server level block in place for that file then it would appear that that blocking rule was not migrated across from the old hosting provider.
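
A post-migration check for the three files discussed in this thread, as an added example that is not part of either post and is not Wordfence code. The names `CHECKS`, `classify`, `fetch` and `audit` are assumptions made for illustration; the verdict rules follow the reply above (a blank page for wp-config.php is normal, a served .ini file is not).

```python
import sys
import urllib.error
import urllib.request

# Paths named in the thread. "php" = executed by the server, so an empty
# 200 is expected; "static" = served as plain text unless the host blocks it.
CHECKS = {
    "/.user.ini": "static",
    "/php.ini": "static",
    "/wp-config.php": "php",
}


def classify(kind, status, body):
    """Return a verdict for one response (status code, body bytes)."""
    if status in (401, 403, 404):
        return "blocked"
    if status != 200:
        return "check manually (HTTP %d)" % status
    if kind == "php":
        # Executed PHP prints nothing. Visible source means PHP handling
        # is broken and database credentials are being served as text.
        leaked = b"<?php" in body or b"DB_PASSWORD" in body
        return "EXPOSED" if leaked else "ok"
    # Static config file: a 200 with content means it is being served.
    return "EXPOSED" if body.strip() else "ok"


def fetch(base_url, path, timeout=10):
    """GET base_url + path; return (status, first 4 KiB of the body)."""
    url = base_url.rstrip("/") + path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""


def audit(base_url, fetcher=fetch):
    """Check every path in CHECKS; fetcher is swappable for offline tests."""
    return {p: classify(k, *fetcher(base_url, p)) for p, k in CHECKS.items()}


if __name__ == "__main__":
    # Usage: python script.py https://your-own-site.example
    for path, verdict in audit(sys.argv[1]).items():
        print(f"{verdict:<28} {path}")
```

A host that answers missing files with a 200 "not found" page will show up as EXPOSED for the .ini paths, so confirm any hit by looking at the response body.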

  • The topic ‘Sensitive site files accessible after site transfer’ is closed to new replies.