• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Plesk Wordpress Toolkit - how to bypass security settings

wiwimaster

wiwimaster

New Pleskian
Hi everyone
we're running a server with Plesk 17.8.11 on Ubuntu 16.04.4 LTS‬, including the Plesk Wordpress toolkit. We used this to harden our Wordpress installations (executed all security recommendations). As a result, no .php file can be executed in the /wp-content folder.

This worked well until recently, when we started to use a plugin (OneSignal) that requires PHP access in the aforementioned folder. We are dependent on using the plugin, hence need to switch on the PHP execution for 1-2 php files.

Any recommendations how this can be done e.g. by using .htaccess or additional directives?

Thanks a lot for your help
Jan
 
Probably you want to login to your server via SSH go to the directory with cd foldername/foldername till you reach the folder. and then issue the command chmod +x filename.php after that it should work
 
Thanks Joey, that was the first thing I tried (unfortunately not successfully). This is what the WP Toolkit adds to the following files (domain replaced by URL.de):

last_ip_default.conf
Code: 
<IfModule mod_ssl.c>
        #extension wp-toolkit begin
        <Files wp-config.php>
            Require all denied
        </Files>

        <Directory "/var/www/vhosts/URL.de/httpdocs">
            Options -Indexes
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-content">
            <FilesMatch \.php$>
                Require all denied
            </FilesMatch>
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-includes">
            <FilesMatch \.php$>
                Require all denied
            </FilesMatch>
        </Directory>
        <Directory "/var/www/vhosts/URL.de/httpdocs/wp-admin">
            <FilesMatch (load-styles|load-scripts)\.php$>
                Require all denied
            </FilesMatch>
        </Directory>

        #extension wp-toolkit end
</IfModule>

nginx_ip_default.conf

Code: 
    #extension wp-toolkit begin
    location ~* wp-config.php { deny all; }

    location ~* "^/wp-content/.*\\.php" { deny all; }
    location ~* "^/wp-includes/.*\\.php" { deny all; }
    location ~* "^/wp-admin/(load-styles|load-scripts)\\.php" { deny all; }

    #extension wp-toolkit end

of course I could remove the code, but updating hosting or Apache/NGINX settings in Plesk, the code is added back again.

Can I overwrite those settings somewhere else?

thanks
Jan
 
You must log in or register to reply here.

Similar threads

T
Resolved WordPress Toolkit Reporting Incorrect Risk Levels Again
Replies
5
Views
3K
Sebahat.hadzhi
Sebahat.hadzhi
R
Backup creation via WordPress Toolkit: mysqldump: Got error: 2019: "Can't initialize character set utf8mb3 (path: compiled_in)" when trying to connect
Replies
2
Views
2K
RalfMeyer
R
C
Can I stop Plesk creating tickets to Cloudlinux
Replies
11
Views
3K
Change Maker
C
S
How to custom WordPress autoinstall
Replies
2
Views
1K
souzadavi
S
G
Resolved WP Toolkit setup new password for admin haystack (language) error
Replies
1
Views
3K
gmu-jerdj
G
Back
Top