Curious how to deal with the WP Defender Hardener. When it

Curious how to deal with the WP Defender Hardener. When it places .htaccess files into the wp-content and wp-includes folders, it breaks access to several plugins riding in the folder underneath the wp-content parent. It also breaks access to wp-db.php under the wp-includes parent folder.

Whereas if you don't perform this little tidbit of hardening it shows as an alert on the dashboard.

I get the idea, but I think there needs to be some granular control instead of a global "no php for you!". So I guess my question is....is there such control?

  • onlinebd

    Additionally, come to find out, WP Defender (with Prevent PHP Execution turned off) is throwing these errors in the Apache Error Log after the server itself is trying to access those resources.

    client denied by server configuration .... /wp-content/plugins/wp-defender/vault/.htaccess
    and
    cannot serve directory .... /wp-content/plugins/wp-defender/app/module/hardener-module/component/

  • Nastia

    Hello onlinebd, I hope you are doing well today!

    Would you please tell us which plugins the WP Defender Hardener breaks access to, so I could test it on my installation?

    I do see the same on my server too, but not when the "Prevent PHP execution" is disabled:
    Client denied by server configuration

    I had a chat with the developer and it's actually a confirmation that the plugin is working and denying access to the .htaccess file, which is the whole point of the Defender plugin.

    At the current moment, there is no other option, out of the box, to control the hardener settings. Of course you can edit the .htaccess files manually.

    Please advise,

    Kind Regards,
    Nastia

  • onlinebd

    Hi Nastia - Thanks for your reply -

    Specifically the plugin that was being blocked was s2member pro. <-- which isn't good.
    Then it also blocked access to the wp-db.php file <-- which can't be good either.

    I agree that the "Client denied by server configuration" confirms that the plugin is working. But we can't seriously expect to have billions of lines added to our error log every day like this on a live site.

    Which also leads me to -

    Because the traffic TO those areas is both expected and harmless...including by the WP Defender plugin itself needing access to those blocked areas, "Client denied by server configuration" is a very bad thing.

    e.g. This is WP Defender trying to access the vault directory.
    client denied by server configuration .... /wp-content/plugins/wp-defender/vault/.htaccess

    blocked

    also This is WP Defender trying to access the component directory.
    cannot serve directory .... /wp-content/plugins/wp-defender/app/module/hardener-module/component/

    also blocked.

    I can't see that as intentional. So I would suspect the only workaround is to take your advice and edit the .htaccess files manually, or more logically uninstalling and waiting a while for some similar feedback to gain some traction.

  • Hoang Ngo

    @onlinebd,

    I hope you are well today.

    Specifically the plugin that was being blocked was s2member pro. <-- which isn't good.
    Then it also blocked access to the wp-db.php file <-- which can't be good either.

    We only block direct access, which means accessing the file via your browser, which is never good. System functions should work as usual. Can you please let me know what the issue with s2member pro is?

    The plugin needs to access those files, not for function, just for testing. As you know, WordPress comes with various plugins, themes, etc. Any of your plugins and themes can place some code in htaccess, which might duplicate Defender's, and the htaccess can be placed anywhere. So instead of just checking if the code exists in a file (which is not accurate), we use the request method to determine if files are protected or not. And that's why you see the error above in your log file (if it is protected, an error should be raised).

    If you have any additional issues, please let us know and we'll be happy to help.

    Best regards,
    Hoang
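
The manual .htaccess edit suggested in this thread, sketched as an added example; it is not taken from the thread or from WP Defender's own files. It assumes Apache 2.4 with AllowOverride permitting authorization directives; the deny block is a generic form of a "no direct PHP" rule, and `example-plugin` and `public-endpoint.php` are hypothetical placeholders.

```apache
# ---- wp-content/.htaccess ------------------------------------------
# Blanket form: refuse every HTTP request for a .php file under
# wp-content. (Generic rule written for this example, not copied from
# WP Defender.) Only requests served by Apache are affected; a PHP
# include/require issued by WordPress reads the file from disk and
# never passes through this check.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# ---- wp-content/plugins/example-plugin/.htaccess -------------------
# Granular exception. "example-plugin" and "public-endpoint.php" are
# placeholders for the one script that must be requested directly
# over HTTP.
# .htaccess files are merged parent-first, so this <Files> section is
# applied after the parent's <FilesMatch> and replaces its Require
# for this file only.
# <Files> matches on the base name, so keeping the exception in the
# plugin's own directory stops a same-named file elsewhere under
# wp-content from being opened up as well.
<Files "public-endpoint.php">
    Require all granted
</Files>
```

Every other .php file under wp-content is still refused and still logs "client denied by server configuration" when requested directly. A plugin update that replaces the plugin directory also removes an .htaccess kept inside it, so the exception has to be reapplied afterwards.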