• Resolved ftpwp

    (@ftpwp)


    Hi,

    I moved my website from OVH.com to Hostinger.com.
    OVH is using Apache servers, while Hostinger is using LiteSpeed servers.

    When the website was hosted by OVH, in the root folder there was a .user.ini file.
    And in the .htaccess file, there was this code to block the access to .user.ini:

    # Wordfence WAF
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    	Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    	Order deny,allow
    	Deny from all
    </IfModule>
    </Files>
    
    # END Wordfence WAF

    Problem, after I moved my website to Hostinger, Wordfence displayed this message:

    To make your site as secure as possible, take a moment to optimize the Wordfence Web Application Firewall: [CLICK HERE TO CONFIGURE]

    I clicked on the button and a pop-up displayed this:

    To make your site as secure as possible, the Wordfence Web Application Firewall is designed to run via a PHP setting called auto_prepend_file, which ensures it runs before any potentially vulnerable code runs.
    We’ve preselected your server configuration based on our tests.

    LiteSpeed/Isapi (recommended based on our tests)

    Continue to complete the setup. [CONTINUE]

    But this action replaces the code to block the access to .user.ini by this one:

    # Wordfence WAF
    <IfModule LiteSpeed>
    php_value auto_prepend_file '/home/path_to_my_website/public_html/wordfence-waf.php'
    </IfModule>
    <IfModule lsapi_module>
    php_value auto_prepend_file '/home/path_to_my_website/public_html/wordfence-waf.php'
    </IfModule>
    
    # END Wordfence WAF

    Consequence, immediately after, if we run a scan, Wordfence warns that there’s a

    Critical issue: Publicly accessible config, backup, or log file found: .user.ini

    So what should we do?

    – Delete the .user.ini file as it has become useless in this context?
    Indeed, in .user.ini we find only this code:

    ; Wordfence WAF
    auto_prepend_file = '/home/path_to_my_website/public_html/henrybordeaux/wordfence-waf.php'
    ; END Wordfence WAF

    It looks like WF has just moved this command from .user.ini to .htaccess for LiteSpeed servers.

    – Or do we need to manually set back the code to block the access to .user.ini in .htaccess?

    – Or something else?

    Thanks for your help!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @ftpwp

    On a LiteSpeed web server the firewall has to be optimized via the .htaccess file so you can delete the .user.ini file as it only contains a directive for Wordfence and is therefore no longer needed.

    Thread Starter ftpwp

    (@ftpwp)

    Ok, thanks @wfphil for your answer!
    For me the issue is fixed.

    But… IMO you should forward the issue to the dev team and update WF.

    WF should delete the .user.ini file if it exists when it updates the settings for LiteSpeed/Isapi servers, as 1/ it removes the protection of the .user.ini file and then 2/ complains that the file is accessible. So removing the file, finishing the job by cleaning the root directory, should be part of the process of updating the settings for LiteSpeed/Isapi servers.

    Thanks!

    Plugin Support wfphil

    (@wfphil)

    Hi @ftpwp

    Thank you for the update that it is fixed and for the feedback.

  • The topic ‘Settings to hide .user.ini in htaccess removed by WF! (LiteSpeed server)’ is closed to new replies.
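
The decision discussed in this thread (delete .user.ini once .htaccess loads the WAF and the ini holds nothing but the Wordfence directive, otherwise keep it and block access to it), as an added example that is not part of the thread and not Wordfence's code. The sample files are constructed from the snippets quoted above; `audit`, `active_lines` and the return labels are hypothetical names.

```python
import re

# Sample files constructed from the snippets quoted in the thread.
HTACCESS_APACHE = '''# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
</Files>
# END Wordfence WAF
'''
HTACCESS_LITESPEED = '''# Wordfence WAF
<IfModule LiteSpeed>
php_value auto_prepend_file '/home/path_to_my_website/public_html/wordfence-waf.php'
</IfModule>
# END Wordfence WAF
'''
USER_INI = '''; Wordfence WAF
auto_prepend_file = '/home/path_to_my_website/public_html/wordfence-waf.php'
; END Wordfence WAF
'''

# A deny rule only counts if it sits inside the <Files ".user.ini"> section itself.
FILES_DENY = re.compile(r'<Files\s+"?\.user\.ini"?\s*>(?:(?!</Files>).)*?'
                        r'(?:Require\s+all\s+denied|Deny\s+from\s+all)', re.S | re.I)
LS_PREPEND = re.compile(r'<IfModule\s+(?:LiteSpeed|lsapi_module)\s*>(?:(?!</IfModule>).)*?'
                        r'php_value\s+auto_prepend_file\s+\S+', re.S | re.I)
WF_INI_BLOCK = re.compile(r'^;\s*Wordfence WAF\s*$.*?^;\s*END Wordfence WAF\s*$', re.S | re.M)

def active_lines(text, comment):
    """Drop comment lines so a commented-out rule is not counted as active."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(comment))

def audit(htaccess, user_ini):
    """Return 'ok', 'delete-user-ini' or 'restore-deny-block' (hypothetical labels)."""
    if user_ini is None:
        return "ok"                   # no .user.ini in the web root, nothing to expose
    ht = active_lines(htaccess, "#")
    if FILES_DENY.search(ht):
        return "ok"                   # file exists but the server refuses to serve it
    leftover = active_lines(WF_INI_BLOCK.sub("", user_ini), ";").strip()
    if LS_PREPEND.search(ht) and not leftover:
        return "delete-user-ini"      # WAF is loaded from .htaccess; the ini is redundant
    return "restore-deny-block"       # ini still carries settings: keep it, block access
```

Pass `None` as `user_ini` when the file does not exist; the last branch also covers the case where .htaccess no longer loads the WAF, so the ini is still the only place the directive lives.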