
Plesk Wordpress Toolkit - how to bypass security settings

wiwimaster

New Pleskian
Hi everyone
We're running a server with Plesk 17.8.11 on Ubuntu 16.04.4 LTS, including the Plesk WordPress Toolkit. We used this to harden our WordPress installations (executed all security recommendations). As a result, no .php file can be executed in the /wp-content folder.

This worked well until recently, when we started to use a plugin (OneSignal) that requires PHP access in the aforementioned folder. We are dependent on using the plugin, hence need to switch on the PHP execution for 1-2 php files.

Any recommendations how this can be done e.g. by using .htaccess or additional directives?

Thanks a lot for your help
Jan
 
Probably you want to log in to your server via SSH, go to the directory with cd foldername/foldername until you reach the folder, and then issue the command chmod +x filename.php. After that it should work.
 
Thanks Joey, that was the first thing I tried (unfortunately not successfully). This is what the WP Toolkit adds to the following files (domain replaced by URL.de):

last_ip_default.conf
Code:
<IfModule mod_ssl.c>
        #extension wp-toolkit begin
        <Files wp-config.php>
            Require all denied
        </Files>

        <Directory "/var/www/vhosts/URL.de/httpdocs">
            Options -Indexes
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-content">
            <FilesMatch \.php$>
                Require all denied
            </FilesMatch>
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-includes">
            <FilesMatch \.php$>
                Require all denied
            </FilesMatch>
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-admin">
            <FilesMatch (load-styles|load-scripts)\.php$>
                Require all denied
            </FilesMatch>
        </Directory>

        #extension wp-toolkit end
</IfModule>

nginx_ip_default.conf

Code:
    #extension wp-toolkit begin
    location ~* wp-config.php { deny all; }

    location ~* "^/wp-content/.*\\.php" { deny all; }
    location ~* "^/wp-includes/.*\\.php" { deny all; }
    location ~* "^/wp-admin/(load-styles|load-scripts)\\.php" { deny all; }

    #extension wp-toolkit end

Of course I could remove the code, but when updating hosting or Apache/NGINX settings in Plesk, the code is added back again.

Can I overwrite those settings somewhere else?

thanks
Jan
 