Defender gives me SECURITY TWEAKS message

Defender gives me the SECURITY TWEAKS message; when I click it to fix the problem, it doesn't fix it and gives me the message again.

  • Adam Czajczyk

    Hello Mohamed

    I hope you're well today and thank you for your question!

    Issues like that are usually caused by the plugin not being able to write into the .htaccess file, most often because of file permissions.

    I have checked your site and it looks like the .htaccess file is set to be readable/writable, but I can't see permission details from the WP dashboard, so it's possible that the plugin still cannot write to it. In fact, I checked the file content and it seems that after applying the tweak in Defender, the file content is not changed - so that would confirm that the file cannot be written into.

    However, I have also noticed that there is already some code inside marked as Defender's "Prevent Information Disclosure" rules, but it seems to be different from what is added by Defender by default. It looks like it was either edited by somebody or altered by some other plugin (or server-side tool).

    That being said, could you please try to edit the .htaccess file manually? Find this code there:

    ## WP Defender - Prevent information disclosure ##
    <FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
    Require all denied
    </FilesMatch>
    <Files robots.txt>
    Require all granted
    </Files>
    <Files ads.txt>
    Require all granted
    </Files>
    ## WP Defender - End ##

    and replace it with this one:

    ## WP Defender - Prevent information disclosure ##
    <FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    <Files robots.txt>
    Allow from all
    </Files>
    <Files ads.txt>
    Allow from all
    </Files>
    ## WP Defender - End ##

    Once that's done, clear all caches and then just go to Defender's "Security Tweaks" section and see if it detects the "Prevent information disclosure" as already fixed or if it's still reporting it.

    Let me know about the result, please.

    Kind regards,
    Adam

  • Adam Czajczyk

    Hello Mohamed

    Thank you for your response and additional explanation.

    Just to make sure, have you actually tried to manually make an adjustment that I suggested in my previous post? I understand that there's an issue with adding "Prevent Information Disclosure" tweak automatically but I'd like to know at least whether it detects it as fixed or not when this code is there.

    Let me know please. It would also be great if you could enable support access to the site (it seems to be disabled currently) so I could take a closer look at the case. You can do it on "WPMU DEV -> Support" page in your site's back-end by clicking on "Grant support access" button there.

    Best regards,
    Adam

  • Adam Czajczyk

    Hello Mohamed

    Thank you for granting access and sharing FTP.

    Even though the code is now proper in .htaccess, the tweak is still not detected. However, it seems that the issue here is different. It turns out that the webserver "visible from outside" is actually nginx and not apache.

    There is an .htaccess file and Apache is detected by the WPMU DEV Dashboard plugin, but fetching HTTP headers via curl shows a response from nginx. That suggests that the real configuration of the server that you're hosting on is with an Nginx webserver "in front" of Apache. This is a setup that's often used to provide a sort of "load balancing"/"proxy"/"caching".

    In such cases some of the server-related tweaks (regardless whether they are Defender's "security tweaks" or any other kind of tweaks) might actually need to be added to Nginx configuration and not Apache.

    If you go to the "Defender -> Security Tweaks" page, expand the "Prevent Information Disclosure" tab and select NGINX from the list, that will give you a guide on how to apply that tweak to the server.

    This may, however, require getting in touch with the host. I can see that there's some nginx config file inside the /conf folder on your server but I'm afraid I'm not that familiar with Cloudways server setup/configuration to confirm for sure whether this is the right file to use. It would be best if you could get in touch with their tech support and present them with the guide you get from the Defender (as described above) asking them if this is something that you can add there (and if so, where exactly) or if they could do this for you.

    Kind regards,
    Adam

    • Mohamed

      The answer from Cloudways:

      Thank you so much for contacting us. We would like to inform you that Nginx simply assigns the request to the backend in our stack, and the backend is Apache, so you can set up any redirect rules in .htaccess and they should work fine. So, if the plugin has added the block to the .htaccess file, then it is not needed to update the Nginx configuration, which is also not possible in our stack.

  • Kasia Swiderska

    Hello Mohamed,

    Have you asked your hosting about this specific tweak? Because in their answer they are talking about redirect rules, which is very different from Prevent Information Disclosure.

    Can you show them this part of code you want to add:

    ## WP Defender - Prevent information disclosure ##
    # Turn off directory indexing
    autoindex off;
    
    # Deny access to htaccess and other hidden files
    location ~ /\. {
      deny  all;
    }
    
    # Deny access to wp-config.php file
    location = /wp-config.php {
      deny all;
    }
    
    # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
    location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
      deny all;
    }
    ## WP Defender - End ##

    I want to be sure that we are all on the same page.

    Kind regards,
    Kasia

  • Adam Czajczyk

    Hello @domains6824!

    Kasia's question is valid because the guys from Cloudways referred in their answer specifically to redirect blocks and that's a different thing.

    However, I'm thinking that it's also possible that due to that kind of setup that's just a "false alarm" from Defender. That should be easy to check, though. Could you try to check it? Do it as follows:

    - access your site via FTP or cPanel ("File Manager" tool)
    - go to the "/wp-content/languages/" folder and see what files you have there (e.g. something like en_EN.mo or similar); note down the name of one random .mo or .po file

    - open browser and try to access that file like this:

    yourdomain.com/wp-content/languages/name_of_that_file

    If it returns a "Forbidden" message, that means that the "Prevent Information Disclosure" tweak is actually working and it's a false alarm. If the content of the file is displayed, then it confirms that it's not working.

    Could you try that, please?

    Kind regards,
    Adam
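
The check Adam describes above, automated as an added example (this is not Defender's or WPMU DEV's code). It requests a file matching the Defender rule's extension list and reports whether the server answers 403 or serves it, records the public Server header (an nginx reply from an "Apache" site is the sign of a proxy in front, as in the thread), and confirms that robots.txt, which the rule explicitly allows, is still served. The site name example.test, en_GB.mo and debug.log are constructed values; fetch() is injectable so the logic can be exercised offline.

```python
"""Probe a site from the outside to verify the "Prevent information
disclosure" tweak. Constructed example; probe paths are assumptions."""
import urllib.error
import urllib.request


def http_fetch(url):
    """Return (status, server_header); 4xx/5xx are results, not errors."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "disclosure-probe"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Server", "")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.headers.get("Server", "")


def classify(status):
    """Translate an HTTP status into what it means for the tweak."""
    if status == 403:
        return "blocked"
    if status == 404:
        return "absent"          # missing file: no conclusion possible
    if 200 <= status < 300:
        return "served"
    return "other"


def audit(site, probes, fetch=http_fetch):
    """probes maps path -> expected verdict ('blocked' or 'served').

    Returns the front-end server name (from the first Server header seen),
    the verdict per path, and ok=False if any probe contradicts its
    expectation. 'absent' is treated as inconclusive, not a failure.
    """
    front, verdicts, ok = None, {}, True
    for path, expected in probes.items():
        status, server = fetch(f"https://{site}{path}")
        if front is None and server:
            front = server.split("/")[0].lower()   # "nginx" or "apache"
        verdict = classify(status)
        verdicts[path] = verdict
        if verdict != expected and verdict != "absent":
            ok = False
    return {"front_server": front, "verdicts": verdicts, "ok": ok}


# Constructed probe set: one .mo file from the languages folder, the common
# debug.log, and robots.txt, which the Defender rule must keep reachable.
DEFAULT_PROBES = {
    "/wp-content/languages/en_GB.mo": "blocked",
    "/wp-content/debug.log": "blocked",
    "/robots.txt": "served",
}
```

A site where the rule works returns ok=True; a front_server of "nginx" with ok=False is the combination seen in this thread, where the .htaccess block exists but the reply does not reflect it.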
