Defender htaccess rules

The following has been added to the root .htaccess by Defender. It's not failing but it seems a bit over the top...

## WP Defender - Prevent information disclosure ##
<FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
Order allow,deny
Deny from all
</FilesMatch>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
## WP Defender - End ##
## WP Defender - Prevent information disclosure ##
<FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
Order allow,deny
Deny from all
</FilesMatch>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
<Files robots.txt>
Allow from all
</Files>
## WP Defender - End ##
  • Rupok

    Hi RavanH,

    Thanks for reporting. This is really weird and should not happen. I just checked my test site having Defender activated with all hardening steps, but I'm not getting this in my root .htaccess file. So I think, this is your site specific issue.

    Just to make sure no other plugin is causing this, can you please do a plugin conflict test? I'm asking this because sometimes, some security plugins modify .htaccess files and when removed, they put back previous/other code in the .htaccess file. To get idea about plugin conflict test, you can check this guide: http://premium.wpmudev.org/manuals/using-wpmu-dev/getting-support/

    Please let us know how this go.

    Moreover, can you please take a backup of your current .htaccess file? Then replace all the lines you provided above with the following?

    ## WP Defender - Prevent information disclosure ##
    <FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    <Files robots.txt>
    Allow from all
    </Files>
    ## WP Defender - End ##

    Monitor your .htaccess file for couple of days. If it becomes like this again, please let us know. We will be glad to investigate further.

    I'm looking forward to hearing from you and resolving this issue as soon as possible.

    Have a nice day. Cheers!
    Rupok

  • RavanH

    Hi Rupok, thanks for responding

    I already had reduced the .htaccess rules back to what you suggested but I'll keep an eye on it for a while. There is a scheduled scan for this weekend, maybe it occurs then?

    About the conflict test, it's on a live network so I'm not going to do extensive testing there but I've a test network elsewhere. I'll try to reproduce the issue there.

    If anything comes up, I'll post back here. If not, then all is well (no news is good news)

  • Mark

    I am having this exact same issue. I'm running two different networks on Siteground cloud hosting and they are both doing this. Unfortunately, it's related to a complete 500 server error on one of my networks. Every time I add a new subdomain, it launches it, but when I go to access the admin section of the subsite, it crashes the whole network. The crash happens when Defender is adding another line of this robots code to the htaccess file, but on different occasions, it adds a different amount of the text before the crash.

    After reading this article, I'm going in and taking out the extra lines as mentioned above and will try to add another subsite to compare the htaccess before and after.

    EDIT: I just noticed mine has added over seven thousand lines of this code to my htaccess file. I'm guessing that the file is simply getting too long, and that's what's causing the write to fail. When the write fails, it crashes the site because it doesn't close out the htaccess file properly.

  • Mark

    Okay, I just deleted the subsite I had created and re-created it. This time, it added about 500 lines of that code to the htaccess. I was able to finish installing the site and it did close out the htaccess write, but I went from 165 lines of code in the htaccess to 685.

    I should mention something since this seems to be related to the "Preventing Information Disclosure" part of the Defender Hardening... Since I'm on SiteGround, I had to do a little work-around to get that part of the hardening to work. I did the same thing on both of my networks. From what I understand, Siteground uses a hybrid Nginx/Apache configuration for it's cloud servers. Defender was showing me the Nginx instructions for Preventing Information Disclosure. After working with SiteGround support (who were never able to get that warning to clear correctly), I found the Apache instructions (this code in the htaccess file) and applied that. After applying that code, the information disclosure warning cleared.

    I went ahead and completely removed that code from my htaccess and installed a new subsite. That subsite installed properly and I was able to access the admin section. I went back to check my htaccess file and everything is just as I left it. So for now, I'm leaving out the Information Disclosure code completely and will open a new support ticket to help me properly address Information Disclosure in a way that doesn't cause this htaccess writing.