penguintrax on "[Plugin: Sucuri Security - Auditing, Malware Scanner and Security Hardening] Bug Report - Restrict wp-includes access"


Hi folks,

I've discovered a bug in my site. I'm not sure whether or not it is likely to affect other sites, but thought I should drop it to you.

Using the hardening technique 'Restrict wp-includes access' blocks WordPress access to /wp-includes/js/tinymce/wp-tinymce.php?c=1&ver=4208-20151113, causing the page/post editor to stop working properly.

The theme I'm running was hand-written a few years ago, which could be contributing to the issues. But it might be one for you to investigate.

Cheers!
Andrew

https://wordpress.org/plugins/sucuri-scanner/

Thanks for the report; the current version of the code creates three rules in the access control file [1]: one to block the direct access to any PHP file, the second one to whitelist the "wp-tinymce.php" file required to render the visual editor, and the last one to whitelist "ms-files.php" required to render the file manager.

You can see that the rules are using the Apache +2.4 syntax; it is possible that the server where your website is being hosted is not compatible with these rules and that is why the whitelist of the "wp-tinymce.php" file is not working. Please share more information about your web server so I can reproduce the issue and fix it as soon as possible.

[1] http://cixtor.com/pastio/2hz6b3

stereotonic
Member
Posted 1 day ago #

I too am having this same issue across multiple sites.

stereotonic
Member
Posted 23 hours ago #

This is how it is writing the .htaccess file on one of the sites in question:

<FilesMatch ".(?i:php)$">
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>
<Files wp-tinymce.php>
Allow from all
</Files>
<Files ms-files.php>
Allow from all
</Files>
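
Added example, not part of the thread and not the plugin's own code: the same three rules with the whitelist blocks written for both access-control syntaxes. It rests on an assumption about the cause, namely that on Apache 2.4 a `<Files>` block containing only `Allow from all` has no `Require` line of its own and so does not lift the `Require all denied` set by the `FilesMatch` block above it.

```apache
# Rule 1: deny direct access to every PHP file in this directory tree.
# The dot is escaped so only a literal ".php" extension matches.
<FilesMatch "\.(?i:php)$">
  <IfModule !mod_authz_core.c>
    # Apache 2.2 (mod_authz_host)
    Order allow,deny
    Deny from all
  </IfModule>
  <IfModule mod_authz_core.c>
    # Apache 2.4 (mod_authz_core)
    Require all denied
  </IfModule>
</FilesMatch>

# Rule 2: re-allow the visual editor loader.
# Must appear after the FilesMatch block so it is merged last.
<Files wp-tinymce.php>
  <IfModule !mod_authz_core.c>
    Allow from all
  </IfModule>
  <IfModule mod_authz_core.c>
    # An explicit Require replaces the inherited "Require all denied".
    Require all granted
  </IfModule>
</Files>

# Rule 3: re-allow the file handler named in the developer's reply.
<Files ms-files.php>
  <IfModule !mod_authz_core.c>
    Allow from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
</Files>
```

Keeping each directive inside its own `IfModule` guard also avoids a server error on 2.4 hosts where mod_access_compat is not loaded and `Allow` is therefore an unknown directive.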

Peachey_A
Member
Posted 23 hours ago #

Hi again,

Yorman, could you be more specific about which details you need to replicate the issue?
I'm not very familiar with server setup details.

I'm pretty sure I've isolated the Apache version - 2.4.6
Running on a Plesk panel server full RPM - 2.4.6-31.el7.centos.1

Peachey_A
Member
Posted 23 hours ago #

Stereotonic,

Unless you've got very large and secure sites running Sucuri, temporarily reversing the wp-includes hardening worked well for me and should help you out.

penguintrax
Member
Posted 7 minutes ago #

I also reverted hardening on wp-includes and that fixed the issue for me, too.


Author: استخدام کار wpss | Date: Tuesday, 27 Bahman 1394, 22:12