Defender blocks automatic SSL updates in cPanel

cPanel's AutoSSL feature places a randomly named file with a .txt extension in the webroot of the domains it is validating. The "Prevent information disclosure" tweak in Defender stops .txt files from being viewed in the webroot.

The system queried for a temporary file at “http://om***studio.si/.well-known/pki-validation/F35D1285D0E0D94BEC70E35995C8F881.txt”, but the web server responded with the following error: 403 (Forbidden). A DNS (Domain Name System) or web server misconfiguration may exist.

And from SSL/TLS status

The system queried for a temporary file at “http://om***studio.si/.well-known/pki-validation/F35D1285D0E0D94BEC70E35995C8F881.txt”, but the web server responded with the following error: 403 (Forbidden). A DNS (Domain Name System) or web server misconfiguration may exist.

Removing this tweak should allow the verification to complete. But can you imagine that I will have to monitor the SSL renewal date of every client website to do this? This is really not a good practice to deal with in the future. I think a patch should be considered for a future version, or any feedback or suggestions on this would be appreciated.

  • Ash
    • WordPress Hacker

    Hello David

    Would you please check your htaccess and replace the following:

    ## WP Defender - Prevent information disclosure ##
    <FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    <Files robots.txt>
    Allow from all
    </Files>
    <Files ads.txt>
    Allow from all
    </Files>
    ## WP Defender - End ##

    with this:

    ## WP Defender - Prevent information disclosure ##
    <FilesMatch "\.(md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    <Files robots.txt>
    Allow from all
    </Files>
    <Files ads.txt>
    Allow from all
    </Files>
    ## WP Defender - End ##

    Let us know if it works for you. Have a nice day!

    Cheers,
    Ash
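
A narrower alternative to the edit above, added here as an example and not part of Ash's reply or the plugin's own rule set: instead of dropping `txt` from the deny list for the whole site, keep the block and exempt only the domain-control validation paths that cPanel AutoSSL uses (the `/.well-known/pki-validation/` path from the error above) and the ACME `/.well-known/acme-challenge/` path. It assumes mod_rewrite is available, that it is placed in the webroot `.htaccess` outside the `## WP Defender` markers, and that the "Prevent information disclosure" tweak is turned off in Defender so the plugin does not re-add its own `FilesMatch` block.

```apache
# Added example, not the plugin's generated block. Same extension list as
# WP Defender, but the DCV directories are exempted first so AutoSSL's
# /.well-known/pki-validation/<random>.txt stays reachable.
RewriteEngine On

# 1. Never block domain-control validation paths (cPanel AutoSSL and ACME).
#    "-" leaves the URL unchanged; [L] stops processing for these requests.
RewriteRule ^\.well-known/(pki-validation|acme-challenge)/ - [L]

# 2. Keep the public text files that are meant to be read (same exceptions
#    as the Defender block).
RewriteRule ^(robots|ads)\.txt$ - [L]

# 3. Everything else with a sensitive extension gets 403 Forbidden ([F]).
RewriteRule \.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ - [F,L]
```

To check it, request a nonexistent file under `/.well-known/pki-validation/` on the site: a 404 means the path is reachable again, whereas the 403 in the cPanel message above means the deny rule is still catching it.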

  • David
    • Site Builder, Child of Zeus

Hi, I am wondering if there are any improvements in development for the Defender settings that would allow automatic SSL updates. I am asking because it is really annoying that I need to follow up whenever my customers' websites' SSL gets updated, as they get a nasty email about the SSL not being updated successfully.
    Kind regards

    David

  • Nithin
    • Support Wizard

    Hi David,

    Hope you are doing good today. :slight_smile:

The fix provided by Ash will make sure to exclude txt files, which were being blocked by Defender. In general, txt files, when allowed or added as a security exception, shouldn't be causing an issue, because txt files aren't executable. The above fix should work fine on your system.

I'm also bringing this to the developers' attention, and checking with the developer to see whether there are any improvements that could be made within the plugin specifically for this, so that such manual changes don't have to be made.

    Will keep you posted once we have any further updates regarding this. Have a nice day ahead. :slight_smile:

    Best Regards,
    Nithin

  • Nithin
    • Support Wizard

    Hi David,

I just got an update regarding this from the developer, and the latest version of the plugin, v2.0.1, already has an inbuilt tweak to ignore such files out of the box. The SSL should get updated automatically.

I would recommend you update the plugin to the latest version and see whether you are able to replicate such an issue in any instance, so that we could take a closer look if needed.

    Regards,
    Nithin
