• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.

Plesk Wordpress Toolkit - how to bypass security settings

wiwimaster

wiwimaster

New Pleskian
Hi everyone
we're running a server with Plesk 17.8.11 on Ubuntu 16.04.4 LTS‬, including the Plesk Wordpress toolkit. We used this to harden our Wordpress installations (executed all security recommendations). As a result, no .php file can be executed in the /wp-content folder.

This worked well until recently, when we started to use a plugin (OneSignal) that requires PHP access in the aforementioned folder. We are dependent on using the plugin, hence need to switch on the PHP execution for 1-2 php files.

Any recommendations how this can be done e.g. by using .htaccess or additional directives?

Thanks a lot for your help
Jan
 
Probably you want to login to your server via SSH go to the directory with cd foldername/foldername till you reach the folder. and then issue the command chmod +x filename.php after that it should work
 
Thanks Joey, that was the first thing I tried (unfortunately not successfully). This is what the WP Toolkit adds to the following files (domain replaced by URL.de):

last_ip_default.conf
Code: 
<IfModule mod_ssl.c>
        #extension wp-toolkit begin
        <Files wp-config.php>
            Require all denied
        </Files>

        <Directory "/var/www/vhosts/URL.de/httpdocs">
            Options -Indexes
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-content">
            <FilesMatch \.php$>
                Require all denied
            </FilesMatch>
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-includes">
            <FilesMatch \.php$>
                Require all denied
            </FilesMatch>
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-admin">
            <FilesMatch (load-styles|load-scripts)\.php$>
                Require all denied
            </FilesMatch>
        </Directory>

        #extension wp-toolkit end
</IfModule>

nginx_ip_default.conf

Code: 
    #extension wp-toolkit begin
    location ~* wp-config.php { deny all; }

    location ~* "^/wp-content/.*\\.php" { deny all; }
    location ~* "^/wp-includes/.*\\.php" { deny all; }
    location ~* "^/wp-admin/(load-styles|load-scripts)\\.php" { deny all; }

    #extension wp-toolkit end

of course I could remove the code, but updating hosting or Apache/NGINX settings in Plesk, the code is added back again.

Can I overwrite those settings somewhere else?

thanks
Jan
 
You must log in or register to reply here.

Similar threads

T
Resolved WordPress Toolkit Reporting Incorrect Risk Levels Again
Replies
5
Views
2K
Sebahat.hadzhi
Sebahat.hadzhi
R
Backup creation via WordPress Toolkit: mysqldump: Got error: 2019: "Can't initialize character set utf8mb3 (path: compiled_in)" when trying to connect
Replies
2
Views
2K
RalfMeyer
R
C
Can I stop Plesk creating tickets to Cloudlinux
Replies
11
Views
2K
Change Maker
C
S
How to custom WordPress autoinstall
Replies
2
Views
1K
souzadavi
S
G
Resolved WP Toolkit setup new password for admin haystack (language) error
Replies
1
Views
3K
gmu-jerdj
G
Back
Top