Defender breaks website by adding code for Apache 2.2 instead of Apache 2.4

Hello,

When I try to do extra security tweaks the website breaks with an internal server error 500 because WP Defender Pro adds code for Apache 2.2 instead of 2.4.

Seems like Prevent Information Disclosure or Prevent PHP execution broke it.

Hosting provider used the following example:
https://httpd.apache.org/docs/2.4/upgrading.html#access

Any way Defender could detect this and add the right code or an option to add the code for 2.4?

  • Huberson

    Hello there,
    The htaccess rules added by Defender for Prevent PHP execution are actually the new version for Apache 2.4. They should be as follows in .htaccess under the wp-content directory:

    ## WP Defender - Protect PHP Executed ##
    <Files *.php>
    Require all denied
    </Files>
    ## WP Defender - End ##

    Should be the same for Prevent Information Disclosure.

    If the Apache version on the host is 2.2, the old rules will be added. But it might be possible, since some hosting could sort of hide the software version as a security measure, that Defender failed to detect the version and fell back to the old rules for Apache 2.2.

    To better troubleshoot that I'd suggest setting up a staging clone of the site, and provide us access to it by sending us the credentials via our contact form:

    Subject: "Attn: Huberson Dorvilus"
    - WordPress admin username
    - WordPress admin password
    - login url
    - FTP/cPanel credentials (host/username/password)
    - link back to this thread for reference
    - any other relevant urls

    Let us know once you send those over so we can proceed with some troubleshooting.

    Cheers,
    Huberson

  • Huberson

    Hi there,
    Thanks for the info. I've applied the Apache 2.4 version of the access control rules in both the main htaccess at the root directory, and the other one at wp-content. That applies the fixes without putting the site down.

    I've also escalated that so we can check what might be causing the wrong version of the rules to be added and address that.

    We should keep you posted of any update or if any additional info is required.

  • Panos

    Hey there VWA,

    Defender uses the server headers for the Apache version. Using curl, this information is missing from your server's headers; the only information is:
    Server: Apache
    so Defender falls back to version 2.2

    Probably this has been set from your host by setting:
    ServerSignature Off

    Since you have set manual rules, Defender won't change them by upgrading or re-activating etc so you should be good now :)

    Kind regards!
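
Added example, not Defender's code and not part of any post above: one way to pick the rule set from the Server header discussed in the thread, emitting an `<IfModule mod_authz_core.c>`-guarded block when the banner carries no version instead of assuming 2.2. The function names and the sample header values are assumptions made for illustration.

```python
import re

# Apache 2.4 syntax (mod_authz_core) and Apache 2.2 syntax (needs mod_access_compat on 2.4)
RULES_24 = "Require all denied"
RULES_22 = "Order allow,deny\nDeny from all"

# Used when the banner hides the version: Apache itself picks the branch
# at config-parse time, so a wrong guess cannot cause a 500.
RULES_GUARDED = (
    "<IfModule mod_authz_core.c>\n" + RULES_24 + "\n</IfModule>\n"
    "<IfModule !mod_authz_core.c>\n" + RULES_22 + "\n</IfModule>"
)


def apache_version(server_header):
    """Return (major, minor) parsed from a Server header value, or None
    when the version is hidden (e.g. just "Apache") or the server is not Apache."""
    m = re.match(r"\s*Apache/(\d+)\.(\d+)", server_header or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def deny_php_block(server_header):
    """Build the <Files *.php> deny block for wp-content/.htaccess."""
    version = apache_version(server_header)
    if version is None:
        body = RULES_GUARDED      # version unknown: do not assume 2.2
    elif version >= (2, 4):
        body = RULES_24
    else:
        body = RULES_22
    return "<Files *.php>\n" + body + "\n</Files>"


if __name__ == "__main__":
    # Constructed sample Server header values, not taken from any real host
    for header in ("Apache/2.4.57 (Unix)", "Apache/2.2.34", "Apache"):
        print("# Server:", header)
        print(deny_php_block(header))
        print()
```

On a host that returns only `Server: Apache`, the guarded block is written, so the rules load whether the server turns out to be 2.2 or 2.4.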
