• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Plesk Wordpress Toolkit - how to bypass security settings

wiwimaster

New Pleskian
Hi everyone
we're running a server with Plesk 17.8.11 on Ubuntu 16.04.4 LTS‬, including the Plesk Wordpress toolkit. We used this to harden our Wordpress installations (executed all security recommendations). As a result, no .php file can be executed in the /wp-content folder.

This worked well until recently, when we started to use a plugin (OneSignal) that requires PHP access in the aforementioned folder. We are dependent on using the plugin, hence need to switch on the PHP execution for 1-2 php files.

Any recommendations how this can be done e.g. by using .htaccess or additional directives?

Thanks a lot for your help
Jan
 
Probably you want to login to your server via SSH go to the directory with cd foldername/foldername till you reach the folder. and then issue the command chmod +x filename.php after that it should work
 
Thanks Joey, that was the first thing I tried (unfortunately not successfully). This is what the WP Toolkit adds to the following files (domain replaced by URL.de):

last_ip_default.conf
Code:
<IfModule mod_ssl.c>
        #extension wp-toolkit begin
        <Files wp-config.php>
            Require all denied
        </Files>

        <Directory "/var/www/vhosts/URL.de/httpdocs">
            Options -Indexes
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-content">
            <FilesMatch \.php$>
                Require all denied
            </FilesMatch>
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-includes">
            <FilesMatch \.php$>
                Require all denied
            </FilesMatch>
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-admin">
            <FilesMatch (load-styles|load-scripts)\.php$>
                Require all denied
            </FilesMatch>
        </Directory>

        #extension wp-toolkit end
</IfModule>

nginx_ip_default.conf

Code:
    #extension wp-toolkit begin
    location ~* wp-config.php { deny all; }

    location ~* "^/wp-content/.*\\.php" { deny all; }
    location ~* "^/wp-includes/.*\\.php" { deny all; }
    location ~* "^/wp-admin/(load-styles|load-scripts)\\.php" { deny all; }

    #extension wp-toolkit end

of course I could remove the code, but updating hosting or Apache/NGINX settings in Plesk, the code is added back again.

Can I overwrite those settings somewhere else?

thanks
Jan
 
Back
Top